No cybersecurity setup is perfectly secure, but a few simple measures can yield outsized benefits. When analyzing the anatomy of ransomware attacks targeting software vulnerabilities, a few common ransomware ports account for the vast majority of breaches. That means, if you can secure those ports, you can greatly reduce your chances of a ransomware infection.
Remote Desktop Protocol – Port 3389
According to some estimates, attacks over open RDP ports accounted for over half of ransomware attacks in 2021. RDP ports are very useful for remotely accessing a system, but this also makes them a dream for hackers.
The most common method of targeting ransomware attack ports is brute force attacks. Attackers can scan the entire internet for open RDP ports. When they find one, they use a simple brute force tool like Burp Suite to gain access. A shocking number of RDP clients use weak passwords, so this tactic works way more often than it should.
This phase of the attack is often carried out by an initial access broker. These hackers are specialized in getting their “foot in the door” of corporate networks. They then sell access to other specialized teams that actually conduct the attack.
Way too many organizations keep RDP ports open, even if they don’t need them. Your cybersecurity team should make sure every machine connected to a network has port 3389 closed unless it absolutely needs to have it open. If you do need it, whitelisting approved IP addresses is a must.
Even then, you can’t assume that the whitelisted machines using the RDP port will not be compromised. Access should be protected with a strong password and rate limiting at minimum. Rate limiting makes it so that it’s not possible to make more than a few incorrect password guesses before access shuts down for a limited period of time. This effectively makes brute force attacks impossible.
Two-factor authentication is also a good measure for RDP ports.
Secure Shell Protocol (SSH) – Port 22
SSH is a protocol designed to give secure access to a computer over an unsecured network. For example, it can allow two computers on the internet to establish encrypted communications with each other. Unfortunately, it is also one of the more common ransomware ports.
Port 22, like port 3389, is frequently subject to brute force attacks, so using strong passwords is essential. You can also configure your SSH sessions so that they time out automatically, rather than leaving the port open when not in use.
SSH sometimes has root login enabled by default. This can allow hackers to escalate their privileges and spread through a network quickly. Disable root login to prevent this from happening.
Make sure to use SSH-2, the newer version of the protocol, since it has higher security than SSH-1. You can also make things more difficult for hackers by using a different port for your SSH, since hackers will be looking for it on port 22. And as always, two-factor authentication is very much worth enabling.
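As an added example (not code from the original article), here is a small Python checker that applies the SSH advice above to an OpenSSH sshd_config file: it parses the global section of the file and flags the default port, root login, protocol 1, password authentication, a high MaxAuthTries, and the absence of a second authentication method. The two sample configs and the OpenSSH default values it falls back on are assumptions constructed for this example.

```python
"""Audit an OpenSSH sshd_config for the hardening points discussed above."""
import re

# Constructed sample: a near-default config, NOT taken from any real host.
SAMPLE_SSHD_CONFIG = """\
# constructed example sshd_config
#Port 22
Protocol 2,1
PermitRootLogin yes
#PasswordAuthentication yes
MaxAuthTries 6
"""

# Constructed sample: the same file after hardening.
HARDENED_SSHD_CONFIG = """\
Port 2222
Protocol 2
PermitRootLogin no
PasswordAuthentication no
MaxAuthTries 3
AuthenticationMethods publickey,keyboard-interactive
"""

# OpenSSH defaults assumed for keys that are absent or commented out.
DEFAULTS = {"port": "22", "permitrootlogin": "prohibit-password",
            "passwordauthentication": "yes", "maxauthtries": "6", "protocol": "2"}


def parse_sshd_config(text: str) -> dict:
    """Return the effective global settings. As in sshd, the first occurrence of a
    keyword wins; comments are skipped; parsing stops at the first Match block."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        if parts[0].lower() == "match":
            break                                       # conditional section: out of scope
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def audit_sshd_config(text: str) -> list:
    """Return human-readable findings; an empty list means all checks passed."""
    cfg = parse_sshd_config(text)
    eff = lambda key: cfg.get(key, DEFAULTS.get(key, ""))
    findings = []
    if eff("port") == "22":
        findings.append("Port 22: listening on the default port that scanners look for")
    if eff("permitrootlogin") != "no":
        findings.append(f"PermitRootLogin {eff('permitrootlogin')}: set PermitRootLogin no")
    if "1" in eff("protocol").split(","):
        findings.append("Protocol 1 enabled: use Protocol 2 only")
    if eff("passwordauthentication") == "yes":
        findings.append("PasswordAuthentication yes: passwords can be brute-forced; prefer keys")
    if int(eff("maxauthtries")) > 3:
        findings.append(f"MaxAuthTries {eff('maxauthtries')}: lower to 3 to cap guesses per connection")
    if "authenticationmethods" not in cfg:
        findings.append("AuthenticationMethods unset: no second factor is required")
    return findings
```

Run `audit_sshd_config(open("/etc/ssh/sshd_config").read())` on a host to list what still needs attention; `Match` blocks and included files are not evaluated.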
Server Message Block (SMB) – Port 445
The Server Message Block protocol allows computers on a network to communicate with each other over TCP/IP. It’s typically used for file sharing, but Port 445 is now infamous for its role in the WannaCry ransomware epidemic.
The port is often left open so that computers can communicate with printers, and attackers took advantage of that: it is how the ransomware spread in this particular case.
Ideally, you should block all inbound traffic on port 445. It may be necessary to keep it open to some inbound traffic, but you should still segment your network by blocking most internal inbound traffic.
NetBIOS – Port 139
Port 139, like port 445, is an SMB port, but it is typically found on Windows systems and runs NetBIOS. WannaCry as well as other variants like Ryuk and NotPetya have all been observed to use port 139. Both ports 139 and 445 are among the most important ransomware ports to block.
The guidelines for securing port 139 are more or less the same as with port 445: the best option is to close the port completely. If you absolutely do need it, running all traffic through a MAC address filter can be a good precaution. It’s important to keep your MAC address filter up to date, however, to make sure that the system can communicate with whatever it needs to.
Keeping your Guard Up
It’s really worth taking the time to keep up to date with the ransomware threat landscape and configure your ports accordingly. It only takes a few minutes to do, but can block a huge number of potential ransomware attacks. With all open ports, it’s ideal to have some kind of endpoint monitoring and response practices in place.
If you do get hit, we can help, and we can also advise on how to avoid getting hit again.