Ransomware Attacks (Via RDP)

Remote Desktop Protocol (RDP) is a fast-growing attack vector into enterprise networks. The pandemic moved employees' workstations from the office to their homes, and much of the security that applied inside the office did not follow them.

Windows uses Remote Desktop Protocol (RDP) for remote connections to a server, for example when employees work from other locations such as their homes. The RDP client on the user's computer talks to the RDP service on the server over an encrypted channel (TCP port 3389 by default).

RDP has been a weak link since it first appeared in 1998, because the exposed endpoints are reachable by attackers. Over the years it has been hit by countless attacks: worms and other malware, brute-force password guessing and more. Today an increasing share of ransomware incidents begin with an RDP compromise.

Windows Server does have built-in defenses against login attacks. Correctly configured, they mostly amount to locking out the targeted account after a number of failed attempts. That stops one account from being guessed, but it does nothing to stop the attacker's source, protect the rest of the network or alert anyone; it can even be turned against you, since an attacker who keeps guessing keeps the legitimate user locked out.

A Host-based Intrusion Detection and Prevention System (HIDPS) such as Syspeace closes that gap: it watches the failed-logon attempts, identifies the attacking source, blocks it and protects you from the intrusion attempt.

How Cybercriminals Hack Your RDP

The attack usually starts with the criminals breaking into RDP and logging in as an ordinary user or, in the worst case, as an administrator.

They get in either by brute-forcing the credentials or by finding an RDP port that is open to the internet; in practice the two go together.

In a brute-force attack the criminals' tooling tries username and password combinations automatically until one is accepted, and from then on they act as that user.

This works because the RDP port, usually TCP 3389 (the default), is reachable from the internet. When the security settings are not tightly configured, the listener becomes a vulnerable entry point to the system, as with any internet-facing system that offers a login.

Attackers scan connected devices for open ports and, through those, gain access to the endpoints. Since the endpoints are connected to the company network, the network becomes reachable for the criminal as well.
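The pattern described above, many failed logons from one source in a short time, is exactly what a host-based detector looks for. The following PowerShell is an added example, not code from the original page or from Syspeace: it reads Windows Security event 4625 (failed logon), groups the failures by source address and raises an alert when one source exceeds a threshold inside a sliding window. The threshold, window length and the sample events are assumptions chosen for illustration.

```powershell
# Added example, not from the original page or from Syspeace: detect the
# password-guessing pattern from Windows Security event 4625 (failed logon).
# Thresholds and the sample events below are assumptions.

function Find-RdpBruteForce {
    param(
        # Objects with TimeCreated, IpAddress, TargetUserName and LogonType
        [Parameter(Mandatory)] [object[]] $Failures,
        [int] $Threshold     = 10,   # failures from one source before alerting
        [int] $WindowMinutes = 5     # length of the sliding window
    )
    $alerts = @()
    foreach ($group in ($Failures | Group-Object -Property IpAddress)) {
        $events = @($group.Group | Sort-Object -Property TimeCreated)
        for ($i = 0; $i -lt $events.Count; $i++) {
            $start = $events[$i].TimeCreated
            $end   = $start.AddMinutes($WindowMinutes)
            $inWindow = @($events | Where-Object {
                $_.TimeCreated -ge $start -and $_.TimeCreated -lt $end })
            if ($inWindow.Count -ge $Threshold) {
                $alerts += [pscustomobject]@{
                    SourceIp  = $group.Name
                    Failures  = $inWindow.Count
                    Accounts  = (@($inWindow.TargetUserName) | Sort-Object -Unique) -join ','
                    FirstSeen = $start
                    LastSeen  = $inWindow[-1].TimeCreated
                }
                break   # one alert per source is enough
            }
        }
    }
    return $alerts
}

# Read real 4625 events on the RDP host (needs an elevated session).
# LogonType 10 is RemoteInteractive (RDP); failures rejected by NLA log as type 3.
function Get-RdpLogonFailures {
    param([int] $Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            TimeCreated    = $_.TimeCreated
            IpAddress      = $data['IpAddress']
            TargetUserName = $data['TargetUserName']
            LogonType      = $data['LogonType']
        }
    } | Where-Object { $_.LogonType -in @('3', '10') }
}

# Constructed sample so the function runs offline: twelve failures from one
# internet address within two minutes against a few guessable names, plus two
# unrelated failures from an internal user half an hour apart.
$t0 = Get-Date '2024-01-01 03:00:00'
$sample = foreach ($n in 1..12) {
    [pscustomobject]@{
        TimeCreated    = $t0.AddSeconds($n * 10)
        IpAddress      = '203.0.113.7'
        TargetUserName = @('administrator', 'admin', 'backup')[$n % 3]
        LogonType      = '10'
    }
}
$sample += [pscustomobject]@{ TimeCreated = $t0.AddMinutes(1);  IpAddress = '10.0.0.5'; TargetUserName = 'jdoe'; LogonType = '10' }
$sample += [pscustomobject]@{ TimeCreated = $t0.AddMinutes(30); IpAddress = '10.0.0.5'; TargetUserName = 'jdoe'; LogonType = '10' }

Find-RdpBruteForce -Failures $sample | Format-Table -AutoSize

# On a live host, replace the sample with:  Find-RdpBruteForce -Failures (Get-RdpLogonFailures)
```

With the constructed sample only the internet address trips the detector; the internal user's two failures half an hour apart stay below the threshold, which is the distinction a lockout policy cannot make. A prevention system would take the alert's SourceIp and add a block rule for it; the detection logic is the same whether the block is applied by a product or by a scheduled task.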

VPN can expose the company’s internal network

During Covid more people have worked from home than ever before. Their computers usually have a VPN connection that links the home computer to the company's internal servers.

The security boundary of the company's internal network is thereby extended to the employee's home computer, and that computer might not always be up to date with patches and protections such as antivirus.

Cyber crime within the company

Internal systems are a challenge too. IBM's Cyber Security Intelligence Index has found that more than 60 percent of all breaches are carried out from within the company, by current or former employees.

An insider who wants into a colleague's or a server's RDP session guesses the password either by hand or automatically with one of the many tools available for brute-forcing an RDP connection.

When Your RDP Is Hacked, Then …

Once the connection is compromised, the criminal can use the system for their own ends. Very often the first step is to disable the installed antivirus and other security products; then they simply upload and run the ransomware (or other malware).

This might include:

  • Delete all original documents as well as every backup they can reach.
  • Encrypt the documents (some strains simply pack them into password-protected RAR archives) and delete the originals, so that you must pay for the decryption key or password.
  • Lock the login screen for all users and demand a ransom to unlock it.
  • Prevent you from booting into Safe Mode by disabling the F8 startup key.
  • Change system configuration settings in whatever way serves the criminals' interests.

How To Protect Your RDP Connection

Your best protection is to be proactive in your defense against hacking and brute-force attacks. The must-have measures are listed below:

  1. Use a Host-based Intrusion Detection and Prevention System (HIDPS), like Syspeace, to identify, block, and protect you from intrusion attempts.
  2. Do not let your RDP connection be open to the internet. It should only be reachable from your internal network (or through a VPN or Remote Desktop Gateway). Block the default port at the perimeter firewall, and scope the host firewall rule to internal addresses as well.
  3. Change your RDP port to a number above 10000. Attackers know that the default port is 3389, and moving the listener keeps you out of the mass scans aimed at it. Treat this as noise reduction only: a full port scan still finds the listener, so it never replaces step 2.
  4. Disable RDP if it is not used. If your business does not use RDP, make sure it is switched off, and even more so on control system devices.
  5. Use strong authentication. Enforce strong passwords and an account lockout policy to blunt brute-force attacks, especially on administrator accounts. Require Network Level Authentication (NLA) so credentials are checked before a session is created. Apply two-factor authentication where possible. And rename the built-in Administrator account; its well-known name is the first one attackers try.
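Steps 2 to 5 are registry, firewall and local-policy changes on the RDP host, so they can be applied and verified from an elevated PowerShell session. The script below is an added example, not from the original page or from Syspeace, and it does not cover step 1 or two-factor authentication. The subnet, the new port, the new administrator name and the lockout values are placeholder assumptions; in a domain, Group Policy overrides the local settings and is where they belong. Restarting TermService drops every RDP session, and a wrongly scoped firewall rule locks you out, so run it from the console or with out-of-band access available.

```powershell
# Added example, not from the original page or from Syspeace: apply RDP
# hardening steps 2-5 on a Windows host from an elevated PowerShell session.
# Subnet, port, account name and lockout values are placeholder assumptions.

$InternalSubnet = '10.0.0.0/8'      # assumption: only this range may reach RDP
$NewRdpPort     = 13389             # assumption: non-default port above 10000
$AdminNewName   = 'svc-breakglass'  # assumption: new name for the built-in admin
$RdpEnabled     = $true             # set $false on hosts that do not need RDP

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$tcpKey = "$tsKey\WinStations\RDP-Tcp"

if (-not $RdpEnabled) {
    # Step 4: disable RDP entirely on hosts that do not use it
    Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
} else {
    Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 0

    # Step 5: require Network Level Authentication so the credential check
    # happens before a desktop session (and its attack surface) is created
    Set-ItemProperty -Path $tcpKey -Name UserAuthentication -Value 1

    # Step 3: move the listener off 3389 (takes effect when TermService restarts)
    Set-ItemProperty -Path $tcpKey -Name PortNumber -Value $NewRdpPort

    # Step 2: allow RDP only from the internal network. The built-in rules are
    # tied to 3389, so disable them and add one rule scoped to the new port and subnet.
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
    New-NetFirewallRule -DisplayName "RDP internal only (TCP $NewRdpPort)" `
        -Direction Inbound -Protocol TCP -LocalPort $NewRdpPort `
        -RemoteAddress $InternalSubnet -Action Allow -Profile Domain, Private

    Restart-Service -Name TermService -Force   # drops current RDP sessions
}

# Step 5: lockout policy against password guessing (local policy; use a GPO in a domain)
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30

# Step 5: rename the built-in Administrator. Its SID always ends in -500,
# so find it by SID rather than trusting the current name.
$builtinAdmin = Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }
if ($builtinAdmin -and $builtinAdmin.Name -ne $AdminNewName) {
    Rename-LocalUser -Name $builtinAdmin.Name -NewName $AdminNewName
}

# Verify what is now in effect
Get-ItemProperty -Path $tsKey  -Name fDenyTSConnections
Get-ItemProperty -Path $tcpKey -Name PortNumber, UserAuthentication
Get-NetFirewallRule -DisplayName 'RDP internal only*' | Get-NetFirewallAddressFilter
net accounts
```

Two caveats on the script itself. The RID-500 lookup matters because an attacker is not fooled by the rename either: the account's SID is unchanged and tools enumerate it by SID, so renaming only defeats the laziest wordlists and is worth doing but not worth trusting. And scoping the firewall rule to the internal subnet is the control that actually removes the internet exposure; the port change above it merely makes the listener less obvious.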
