Is VDI susceptible to ransomware threats?

by Brien Posey


VDI environments are vulnerable to ransomware attacks, which can encrypt personal and professional data that can no longer be decrypted once the user’s session ends.

Given the seriousness of what ransomware can do, it is important to consider the degree to which ransomware threats can affect a VDI environment.

One of the desktop security problems that seems to receive the most attention lately is ransomware. Ransomware attacks encrypt users’ data and attempt to extort money from them to get their data back.

Historically, nonpersistent virtual desktops have provided a degree of immunity to malware. Consider what would happen if a virtual desktop user were to encounter a malicious webpage and become infected with a more traditional form of malware. The malware would likely infect the virtual desktop operating system. At the end of the user’s session, however, the virtual desktop would be rolled back to a pristine state, thereby eliminating the infection. Depending on the type of malware, it is possible that some of the user’s files could become infected, but antimalware software should detect and remove the infection during the next scan.

Ransomware is a super virus

The same idea should seemingly apply to ransomware, but the virtual desktop environment does not provide the same degree of protection against ransomware as other forms of malware. In fact, ransomware may actually be more damaging in VDI than in a physical desktop environment.

The goal of ransomware is to encrypt data for the purpose of extorting a ransom payment. With that in mind, imagine that a VDI user encounters a malicious website and becomes infected with ransomware. With a ransomware infection, the operating system is infected, and the malicious script will begin encrypting the user’s data.

Ransomware threats come in many different forms, and some ransomware scripts are more sophisticated than others. Depending on which form of ransomware the user has contracted, it may attack the contents of the user’s profile folder — documents, photos and so on — or it could end up encrypting any data found on mapped network drives. In either case, the user’s data has been encrypted, and the virtual desktop operating system is infected with ransomware.

The reason ransomware threats could potentially do more damage to virtual desktops than physical desktops is what happens at the end of the user’s session. When the session ends, the virtual desktop is reset to a pristine state. This eliminates the ransomware infection. The problem is that the user’s data is still encrypted. In at least some, maybe even most cases, removing the ransomware eliminates any possibility of decrypting the data. The only option at that point is to restore the user’s data from backup.

There is one situation where virtual desktops can protect a user against ransomware threats. If the person is using a PC as a thin client device, and the PC’s local operating system becomes infected with ransomware, then the infection should not be able to jump from the computer’s local operating system to the virtual desktop. Hence, the organization’s data would only be at risk if the thin client’s local operating system had network drives mapped to the organization’s servers.

Inject VDI best practices

Because VDI does not provide any significant protection against ransomware threats, there are three best practices that organizations should adhere to in

  1. Use a continuous data protection tool to back up user data. This will make it possible to roll files back to their pre-encryption state.
  2. Users should only have permission to access data that is absolutely necessary for them to do their jobs. Ransomware cannot encrypt data residing in locations that the user cannot access.
  3. If possible, configure the user’s web browsers as sandboxed virtual applications. That way, a malware infection will be confined to the sandboxed environment and will not be able to access the user’s data.
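
As an added example (not code from the article), the following Python sketch shows what the first best practice depends on: a journal that keeps every version of every file, so that the whole file set can be rolled back to a point in time just before a mass-modification burst of the kind the article describes (the profile folder or a mapped drive being rewritten in seconds). It also includes a simple burst heuristic for choosing that point. The timestamps, file names and contents are constructed sample data, and the `CdpJournal` class and function names are this example's own, not those of any real CDP product.

```python
"""Toy continuous-data-protection (CDP) journal with point-in-time rollback."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Version:
    ts: int        # write time; integer timestamps are constructed sample values
    content: bytes


class CdpJournal:
    """Append-only record of every write to every path.

    A real CDP product captures these writes with a filter driver or agent;
    here they are fed in by hand so the rollback logic can be shown.
    """

    def __init__(self) -> None:
        self._history: Dict[str, List[Version]] = {}

    def record_write(self, path: str, content: bytes, ts: int) -> None:
        """Append a new version; history is never overwritten."""
        versions = self._history.setdefault(path, [])
        if versions and ts < versions[-1].ts:
            raise ValueError(f"out-of-order write for {path}")
        versions.append(Version(ts, content))

    def version_at(self, path: str, ts: int) -> Optional[bytes]:
        """Latest content of `path` written at or before `ts`; None if absent then."""
        latest = None
        for v in self._history.get(path, []):
            if v.ts > ts:
                break
            latest = v.content
        return latest

    def restore_to(self, ts: int) -> Dict[str, bytes]:
        """The whole file set as it stood at `ts` (files not yet created are omitted)."""
        snapshot: Dict[str, bytes] = {}
        for path in self._history:
            content = self.version_at(path, ts)
            if content is not None:
                snapshot[path] = content
        return snapshot

    def writes(self) -> List[Tuple[int, str]]:
        """All (ts, path) write events in time order."""
        return sorted((v.ts, p) for p, vs in self._history.items() for v in vs)


def find_burst_start(journal: CdpJournal, window: int, min_files: int) -> Optional[int]:
    """Timestamp of the first write in the earliest `window`-second span in which
    at least `min_files` distinct paths were rewritten.

    Many files rewritten in a short time is the pattern the article describes
    (a profile folder or mapped drive being encrypted); ordinary editing touches
    a handful of files spread over a long period.
    """
    events = journal.writes()
    for i, (start_ts, _) in enumerate(events):
        touched = {p for ts, p in events[i:] if ts - start_ts <= window}
        if len(touched) >= min_files:
            return start_ts
    return None


def build_sample_journal() -> CdpJournal:
    """Constructed sample: a user edits files over a morning, then at t=1000 a
    ransomware-style process rewrites every file within two seconds."""
    j = CdpJournal()
    originals = {
        "Documents/report.docx": b"quarterly numbers",
        "Documents/notes.txt": b"call supplier on monday",
        "Pictures/team.jpg": b"\xff\xd8 jpeg bytes",
        "H:/shared/budget.xlsx": b"dept budget",      # mapped network drive
    }
    for i, (path, content) in enumerate(originals.items()):
        j.record_write(path, content, ts=100 + 100 * i)
    j.record_write("Documents/notes.txt", b"call supplier on tuesday", ts=600)
    # Simulated encryption burst: every file replaced with opaque bytes in place.
    for i, path in enumerate(originals):
        j.record_write(path, b"\x8b\x1f" + bytes([0x41 + i]) * 8, ts=1000 + i // 2)
    return j


def recover(journal: CdpJournal) -> Dict[str, bytes]:
    """Roll every file back to the second before the detected burst."""
    burst = find_burst_start(journal, window=5, min_files=3)
    if burst is None:
        raise RuntimeError("no mass-modification burst found")
    return journal.restore_to(burst - 1)


if __name__ == "__main__":
    journal = build_sample_journal()
    for path, content in recover(journal).items():
        print(f"{path}: {content!r}")
```

The point to notice is that the rollback is driven by the journal's history, not by the state of the desktop: a nonpersistent desktop reset removes the malicious process but leaves the last-written (encrypted) versions in place, whereas the journal still holds the versions written before the burst. In practice the burst heuristic would be one signal among several, and the restore would be applied per user rather than to the whole file set.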

May 15th, 2017