Part of our work is doing forensic analysis to determine the cause of ransomware attacks. This is an important part of making sure that ransomware attacks don’t happen again. One issue that comes up frequently in this process is the use of the Remote Desktop Protocol (RDP) by ransomware attackers.
RDP compromise is not just an issue for our clients; RDP was also mentioned as a top threat by research into possible threats to the US election. It’s one of the most common attack vectors both for ransomware and other types of malware. The other most common attack vectors last year were email phishing and exploits of VPN software.
Why are attacks on RDP so common?
RDP is used for many purposes by many different organizations. It basically allows someone to use a Windows computer as if they were sitting right in front of it, even if they are on the other side of the planet. This has a number of benefits; for example, you can deploy a solution on a computer that doesn’t have enough processing power to do it alone. This can really help cut down on costs, since it effectively allows computers to share resources. This allows an entire organization to work directly from the cloud, which brings major efficiency gains.
Unfortunately, this convenience and efficiency come with a price. RDP servers are often left with their ports exposed to the internet, and malicious actors can use them to hijack machines. Once an attacker takes control of an RDP session, they can control a computer as effectively as they could if they physically broke into your office.
One of the reasons so many of these attacks happen is the existence of “RDP shops.” This is part of a growing trend of professionalization among hackers. It is enabled partly by the rise of cryptocurrencies like Bitcoin, which allow bad actors to do business anonymously over the internet. Some hackers specialize in scanning for open RDP ports across the entire internet. When they find them, they initiate brute force attacks. This means that they try username and password combinations millions of times until something works. This usually only succeeds on systems with weak passwords.
RDP hackers automate many of these processes, so they may be scanning and attempting to break into thousands of systems at the same time. As they find username and password combinations that work, they post these for sale in an “RDP shop.” In recent years, ransomware attackers have become some of the main customers of RDP shops. The problem has reached a level where some RDP shop owners have partnered exclusively with ransomware attackers or ransomware-as-a-service operations.
RDP Security – More than just strong passwords
So if RDP hacks are behind so much ransomware, how can you protect yourself? There are several steps you can take which make life more difficult for hackers and ransomware attackers.
- Use Strong Passwords. The number one action which can prevent hackers from taking over your RDP is using strong passwords. Most RDP hacks take place via RDP credentials purchased from RDP shops. Hackers usually obtain these credentials through brute force attacks. This can be prevented by using strong passwords including upper and lower case letters, numbers, and symbols.
- Use Network Level Authentication. There are two authentication modes with RDP: legacy mode and Network Level Authentication (NLA). NLA authenticates the user before a full session is established, has more features, and is more difficult for hackers to exploit.
- Use a Security Layer. It’s possible to secure RDP sessions with security layers. The strongest security layer compatible with RDP is SSL (secure sockets layer). SSL requires verification of the identity of the person signing on for a remote session and encryption of all communications between the server and client. Security layers are not compatible with NLA, however.
- Enable Encryption. Newer versions of RDP have encryption enabled by default, but some legacy versions don’t. If you have an older version, you can enable encryption manually.
- Enable User Restrictions. It’s always important to apply the principle of least privilege. This means that no user should have more privileges than they absolutely need. Administrator level accounts on a computer don’t always need access to RDP, so it’s better to disable these permissions unless they are necessary.
- IP Address Restrictions. Limiting which IP addresses can access RDP can stop many ransomware attacks dead in their tracks. You can do this by “scoping” the RDP port to only accept IP addresses within a certain scope.
- Customize Firewalls. Placing your remote desktop server behind a firewall also makes it possible to limit incoming requests so that your server only listens to legitimate requests.
- Use Multi-Factor Authentication. Enabling MFA also makes things much more difficult for hackers. Use a regular username and password along with a one time password (OTP).
- Watch for Suspicious Activity. Most RDP credentials are compromised via brute force attacks. These usually take place via port 3389. If you detect a lot of failed sign-in attempts on this port, it could mean that attackers are attempting to steal your credentials.
- Update, update, update. Always keep up to date with the latest patches and updates.
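The following PowerShell script is an added example, not code from the original article, showing how several of the steps above (NLA, encryption, IP address restrictions on the firewall, and watching for failed sign-ins on port 3389) are applied on a Windows host. It assumes an elevated session on a current Windows Server or Windows 10/11 build; the management subnet 10.20.30.0/24, the 24-hour window and the threshold of 20 failures are placeholder values to adapt to your environment.

```powershell
# Added example (not from the original article): apply and audit the RDP
# controls from the checklist above. Assumes an elevated PowerShell session
# on Windows Server 2016+/Windows 10+. 10.20.30.0/24 is a placeholder for the
# network that should be allowed to reach RDP.
#Requires -RunAsAdministrator

$rdpTcp         = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$allowedSources = @('10.20.30.0/24')   # placeholder management subnet

# 1. Require Network Level Authentication (1 = NLA required).
Set-ItemProperty -Path $rdpTcp -Name 'UserAuthentication' -Value 1 -Type DWord

# 2. Require the "High" encryption level (3 = 128-bit in both directions).
Set-ItemProperty -Path $rdpTcp -Name 'MinEncryptionLevel' -Value 3 -Type DWord

# 3. Scope the built-in Remote Desktop firewall rules so only the management
#    subnet can reach port 3389, and keep them off on the Public profile.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    Set-NetFirewallRule -Enabled True -Profile Domain, Private -RemoteAddress $allowedSources

# 4. Audit: summarise failed logons (Security event 4625) by source address.
#    Logon type 10 is an interactive RDP logon; type 3 (network) is what NLA
#    pre-authentication failures are recorded as. A single source with many
#    failures across several accounts is the brute-force pattern to look for.
function Get-FailedLogonSummary {
    param(
        [int]$Hours     = 24,   # look-back window (placeholder)
        [int]$Threshold = 20    # failures per source before it is reported (placeholder)
    )
    $since  = (Get-Date).AddHours(-$Hours)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                           -ErrorAction SilentlyContinue

    $rows = foreach ($e in $events) {
        # Pull the named EventData fields out of the event XML.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Source    = $data['IpAddress']
            Account   = $data['TargetUserName']
            LogonType = $data['LogonType']
        }
    }

    $rows | Where-Object { $_.LogonType -in @('3', '10') } |
        Group-Object Source |
        Where-Object { $_.Count -ge $Threshold } |
        Sort-Object Count -Descending |
        Select-Object @{ n = 'Source';   e = { $_.Name } },
                      @{ n = 'Failures'; e = { $_.Count } },
                      @{ n = 'Accounts'; e = { ($_.Group.Account | Select-Object -Unique) -join ', ' } }
}

# Print the sources that exceeded the threshold; an empty table is the quiet case.
Get-FailedLogonSummary | Format-Table -AutoSize
```

The registry values under RDP-Tcp are the same settings that Group Policy writes when NLA and the encryption level are configured centrally, so on a domain-joined host prefer the policy and use the script to verify. The audit function only reads the Security log; feeding its output into whatever alerting you already run is what turns the "watch for suspicious activity" step into something that fires before credentials end up in an RDP shop.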
It’s Never Too Late to Improve Security
If you do get hit by a ransomware attack, it’s not the end of the world. There can be considerable losses, but for many organizations it’s a wake-up call to improve their security practices. In the long run, adopting better security practices can prevent worse attacks. Ransomware attacks are getting worse all the time, and data exfiltration is becoming increasingly common. In many cases, smaller attacks motivate organizations to beef up IT security. This can avert larger attacks that result in more data loss and more reputational damage.
If you do fall victim to a ransomware attack, our team is standing by 24/7 to help get you back in business. We handle every aspect of ransomware recovery, including walking our clients through new security best practices. You can contact us any time for a free consultation. We’ve also compiled some resources for ransomware response. You are welcome to browse them to learn more about the steps that need to be taken in the aftermath of a ransomware attack.