04:15 PM
Connect Directly

Crooks Turn to Delivering Ransomware via RDP

In a new twist to an old attack, threats actors are increasingly using the remote access protocol to install ransomware, Sophos says

In a new twist to an old attack technique, some threat actors have begun installing ransomware on Windows networks by breaking into them via weakly protected Microsoft Remote Desktop Protocol (RDP) services.

Security vendor Sophos says it has seen a spate of such attacks recently with the victims in most cases being small companies with 30 or fewer staff members that rely on external parties to manage their Windows networks remotely.

Unlike typical ransomware campaigns in which the malware is mass distributed via phishing and other means, the crooks in these attacks are breaking into Windows systems one at a time and running ransomware on them manually using RDP access.

The trend highlights the need for organizations to ensure that RDP is turned off on all computers on the network on which it is not needed, to use VPNs for external connections and to implement strong authentication where possible, Sophos said.

"For a small business, RDP is often the only way to get IT support at all," says Paul Ducklin, senior technologist at Sophos. It allows a third party located across town, in another state, or overseas to remotely access a Windows network and administer it with nearly same level of control over it as a local user. RDP can be handy, but if the service is left open to the Internet as businesses sometimes do, attackers can try and brute force their way into your network, Ducklin says. 

"When an [RDP] server is open to the Internet, it means that you'll accept incoming connections from anywhere, including users on computers in other companies, other cities, other states, other countries," Ducklin says. "Loosely speaking, any computer, or mobile device, that can send packets outwards on the Internet can connect inward to your server and get a response of some sort."

Recently, Sophos has seen evidence that attackers have begun using scanning services such as Shodan and Censys to search for systems with RDP open to the Internet. They have then been using the NLBrute tool to try and guess RDP passwords and brute force their way into such systems.

"Many small businesses have a dedicated computer to handle RDP connections, or will just let RDP users connect directly to the main server," Ducklin says. "Shodan is looking for open ports visible somewhere, anywhere, that lead to RDP somewhere inside the network."

Attacks against RDP are certainly not new. The difference is that attackers increasingly have begun using their RDP access to then install ransomware on systems. In several of the cases that Sophos has investigated, attackers have first initiated a series of measures to disable and disarm security settings on the network to which they have gained access, before running ransomware on them.

Some of the measures have included killing off processes that disallow shutdown, deleting locked files, changing configuration settings, disabling anti-malware tools, turning off database services, and deleting backup files. Because the systems have been rigged to become as insecure as possible, the threat actors are then able to run old and even free variants of ransomware on them until something works. "In several cases, we've found cryptocurrency mining software that had been around for a while," Ducklin says.

Gartner analyst Avivah Litan says hackers have been using NLBrute for years to brute force their way into systems via RDP. In fact there are even YouTube videos on how to use the tool, she says.

However, the increase in RDP attacks to drop ransomware is a new twist, Litan says. "It reminds me of what happened with online banking attacks," she notes. "As banks implemented more controls that prevented fully automated and mass attacks, criminals started using RDP to manually attack one user at a time."

Attacks via RDP are big threats to organizations, Litan cautions. Endpoint security controls are not very effective at dealing with these attacks because the tools are typically looking for malicious files and fully automated attacks, rather than human-executed manual attacks, she says.

Organizations that want to enable RDP should first ask themselves if they require that access, adds Tyler Reguly, manager of Tripwire's Vulnerability and Exposure Research Team. "Enabling RDP access to a Windows computer is no different than providing SSH access to a Linux server, so there's definitely justification for doing it and businesses with a need should not be afraid to run RDP."

But it is important to ensure strong passwords and two-factor authentication at a minimum when enabling the service, Reguly says. If possible, require a VPN connection to access the service and avoid direct Internet access.

Also, set a lockout policy to limit password-guessing attacks, Ducklin says. Simply by enforcing a five-minute lockout after three failed guesses you can ensure that crooks can at most try 48 passwords an hour, making a brute force attack impractical, he says.

The Sophos warning is the second in recent weeks involving RDP. In October, Flashpoint warned about Dark Web marketplaces selling access to tens of thousands of brute-forced RDPs around the world. Ultimate Anonymity Services, one of the outfits selling such access, alone had over 35,000 brute-forced RDPs for sale, Forcepoint noted in its report.

Threat actors can use such compromised RDP servers for a variety of reasons in addition to installing ransomware on systems, says Flashpoint cybercrime analyst Olivia Rowley.

"For some cybercriminals, it may be more advantageous to use a compromised RDP as a staging ground for conducting other fraud, such as making a fraudulent purchase," Rowley says. "Cybercriminals may also find that the compromised RDP contains sensitive files or other proprietary information, thus making the RDP a tool for conducting data breaches."

Related Content:

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry's most knowledgeable IT security experts. Check out the INsecurity agenda here.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Researchers Offer a 'VirusTotal for ICS'
Kelly Jackson Higgins, Executive Editor at Dark Reading,  1/16/2018
Register for Dark Reading Newsletters
White Papers
Current Issue
The Year in Security: 2017
A look at the biggest news stories (so far) of 2017 that shaped the cybersecurity landscape -- from Russian hacking, ransomware's coming-out party, and voting machine vulnerabilities to the massive data breach of credit-monitoring firm Equifax.
Flash Poll
[Strategic Security Report] Navigating the Threat Intelligence Maze
[Strategic Security Report] Navigating the Threat Intelligence Maze
Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.