Ransomware Attacks (Via RDP)

Remote Desktop Protocol (RDP) is a fast-increasing attack vector to enterprise networks. Due to the recent pandemic, employees had to move their workstations from their offices to their homes, which decreased the usual security implemented.

Windows uses Remote Desktop Protocol (RPD) for remote connection to a server, as when employees are working from different locations, such as their homes. The RDP client on the user’s computer communicates (encrypted) with the RPD component on the server.

Since it originated in 1998, RDP has been a weak link since the remote endpoints are vulnerable to hackers. Over the years there have been countless attacks by different malware types, brute-force attacks, etc. Researchers are continuously finding new exploits that can put RDP users at risk.

The Windows Server does have some built-in defenses for hacking attempts, and if configured correctly, often it amounts to locking out the user. But it does nothing to stop the attack or protect the network from the intrusion attempt.

By using a Host-based Intrusion Detection and Prevention System (HIDPS), like Syspeace, to defend against brute-force attacks, and to identify, block, and protect you from the intrusion attempt.

How Cybercriminals Hack Your RDP

The attack often starts with cybercriminals hacking into the RDP and logging in as a user or, in the worst case: an administrator.

They often hack the RDP connection via a brute-force attack or via an RDP port with open access to the internet.

In the brute-force attack the cybercriminals automatically try password combinations until the right one is found, acting as the user.

This is usually done when the RDP port is accessible through the internet, often via port 3389 (default port). When the security settings are not tightly configured, it becomes a vulnerable access point to the system.  (As with any online system with login possibilities.)

Hackers scan connected devices for open ports, and through those, gain access to the endpoints. The endpoints, being connected to the company network, thus making them accessible to the cybercriminal.

VPN can expose the company’s internal network

In the era of Covid, we have seen more people work from home now than ever. These people’s computers usually have a VPN connection that connects their computer at home to the company’s internal servers.

The security of the company’s internal network is now extended to the employee’s computer at home and that computer might not always be up to date with patches and shields like anti-virus.

Cybercrime within the company

There is also a challenge with internal systems. Research from the Ponemon Institute found that the insider threat, attacks within the company done by employees, increased by 47% between 2018 and 2020.

Guessing the password is either done manually or automatically by any of the many tools available to brute force a RDP-connection.

When Your RDP Is Hacked, Then …

When the connection is hacked, the cybercriminal can use the system for its own benefits. A lot of times, they will disable the installed antivirus and other security products, and simply upload and run the ransomware (or virus or malware).

This might include:

• Delete all original documents as well as all backups.
• Encrypt documents into the RAR archive and delete the original, forcing you to pay for decryption.
• Lock the login screen for all users and demand a ransom fee to unlock it.
• Prevent you from booting in safe mode, by disabling the F8 startup key.
• Change system configuration settings, in a way that will serve the criminals’ interests.

How To Protect Your RDP Connection

Your best protection is to be proactive in your defense strategy against hacking and brute force attacks. We have listed some must-have security methods beneath:

1.  Use a Host-based Intrusion Detection and Prevention System (HIDPS), like Syspeace, to identify, block, and protect you from intrusion attempts.
2. Do not let your RDP connection be open to the internet. The connections should only be accessible through your internal network. Block traffic in the default ports at the firewall level.
3. Change your RDP port to a number above 10000. The hackers are well aware that the default port for RDP is 3389. By changing it to a number above 10000 you are making it more difficult for them.
4. Disable RDP if not used. If your business is not using RDP, make sure to disable it. And even more so when it comes to controlling system devices.
5. Use strong authentication. Enable strong passwords and account lockout policies to defend against brute-force attacks, especially on administrator accounts. Apply two-factor authentication, where possible. And change the default name of your Administrator account.