Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


04:15 PM
Connect Directly

Crooks Turn to Delivering Ransomware via RDP

In a new twist to an old attack, threats actors are increasingly using the remote access protocol to install ransomware, Sophos says

In a new twist to an old attack technique, some threat actors have begun installing ransomware on Windows networks by breaking into them via weakly protected Microsoft Remote Desktop Protocol (RDP) services.

Security vendor Sophos says it has seen a spate of such attacks recently with the victims in most cases being small companies with 30 or fewer staff members that rely on external parties to manage their Windows networks remotely.

Unlike typical ransomware campaigns in which the malware is mass distributed via phishing and other means, the crooks in these attacks are breaking into Windows systems one at a time and running ransomware on them manually using RDP access.

The trend highlights the need for organizations to ensure that RDP is turned off on all computers on the network on which it is not needed, to use VPNs for external connections and to implement strong authentication where possible, Sophos said.

"For a small business, RDP is often the only way to get IT support at all," says Paul Ducklin, senior technologist at Sophos. It allows a third party located across town, in another state, or overseas to remotely access a Windows network and administer it with nearly same level of control over it as a local user. RDP can be handy, but if the service is left open to the Internet as businesses sometimes do, attackers can try and brute force their way into your network, Ducklin says. 

"When an [RDP] server is open to the Internet, it means that you'll accept incoming connections from anywhere, including users on computers in other companies, other cities, other states, other countries," Ducklin says. "Loosely speaking, any computer, or mobile device, that can send packets outwards on the Internet can connect inward to your server and get a response of some sort."

Recently, Sophos has seen evidence that attackers have begun using scanning services such as Shodan and Censys to search for systems with RDP open to the Internet. They have then been using the NLBrute tool to try and guess RDP passwords and brute force their way into such systems.

"Many small businesses have a dedicated computer to handle RDP connections, or will just let RDP users connect directly to the main server," Ducklin says. "Shodan is looking for open ports visible somewhere, anywhere, that lead to RDP somewhere inside the network."

Attacks against RDP are certainly not new. The difference is that attackers increasingly have begun using their RDP access to then install ransomware on systems. In several of the cases that Sophos has investigated, attackers have first initiated a series of measures to disable and disarm security settings on the network to which they have gained access, before running ransomware on them.

Some of the measures have included killing off processes that disallow shutdown, deleting locked files, changing configuration settings, disabling anti-malware tools, turning off database services, and deleting backup files. Because the systems have been rigged to become as insecure as possible, the threat actors are then able to run old and even free variants of ransomware on them until something works. "In several cases, we've found cryptocurrency mining software that had been around for a while," Ducklin says.

Gartner analyst Avivah Litan says hackers have been using NLBrute for years to brute force their way into systems via RDP. In fact there are even YouTube videos on how to use the tool, she says.

However, the increase in RDP attacks to drop ransomware is a new twist, Litan says. "It reminds me of what happened with online banking attacks," she notes. "As banks implemented more controls that prevented fully automated and mass attacks, criminals started using RDP to manually attack one user at a time."

Attacks via RDP are big threats to organizations, Litan cautions. Endpoint security controls are not very effective at dealing with these attacks because the tools are typically looking for malicious files and fully automated attacks, rather than human-executed manual attacks, she says.

Organizations that want to enable RDP should first ask themselves if they require that access, adds Tyler Reguly, manager of Tripwire's Vulnerability and Exposure Research Team. "Enabling RDP access to a Windows computer is no different than providing SSH access to a Linux server, so there's definitely justification for doing it and businesses with a need should not be afraid to run RDP."

But it is important to ensure strong passwords and two-factor authentication at a minimum when enabling the service, Reguly says. If possible, require a VPN connection to access the service and avoid direct Internet access.

Also, set a lockout policy to limit password-guessing attacks, Ducklin says. Simply by enforcing a five-minute lockout after three failed guesses you can ensure that crooks can at most try 48 passwords an hour, making a brute force attack impractical, he says.

The Sophos warning is the second in recent weeks involving RDP. In October, Flashpoint warned about Dark Web marketplaces selling access to tens of thousands of brute-forced RDPs around the world. Ultimate Anonymity Services, one of the outfits selling such access, alone had over 35,000 brute-forced RDPs for sale, Forcepoint noted in its report.

Threat actors can use such compromised RDP servers for a variety of reasons in addition to installing ransomware on systems, says Flashpoint cybercrime analyst Olivia Rowley.

"For some cybercriminals, it may be more advantageous to use a compromised RDP as a staging ground for conducting other fraud, such as making a fraudulent purchase," Rowley says. "Cybercriminals may also find that the compromised RDP contains sensitive files or other proprietary information, thus making the RDP a tool for conducting data breaches."

Related Content:

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry's most knowledgeable IT security experts. Check out the INsecurity agenda here.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
HackerOne Drops Mobile Voting App Vendor Voatz
Dark Reading Staff 3/30/2020
Limited-Time Free Offers to Secure the Enterprise Amid COVID-19
Curtis Franklin Jr., Senior Editor at Dark Reading,  3/31/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
State of Cybersecurity Incident Response
State of Cybersecurity Incident Response
Data breaches and regulations have forced organizations to pay closer attention to the security incident response function. However, security leaders may be overestimating their ability to detect and respond to security incidents. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-04-06
In Hydra (an OAuth2 Server and OpenID Certifiedâ„¢ OpenID Connect Provider written in Go), before version 1.4.0+oryOS.17, when using client authentication method 'private_key_jwt' [1], OpenId specification says the following about assertion `jti`: "A unique identifier for the t...
PUBLISHED: 2020-04-06
There is Authenticated remote code execution in Centreon Infrastructure Monitoring Software through 19.10 via Pollers misconfiguration, leading to system compromise via apache crontab misconfiguration, This allows the apache user to modify an executable file executed by root at 22:30 every day. To e...
PUBLISHED: 2020-04-06
hw/net/tulip.c in QEMU 4.2.0 has a buffer overflow during the copying of tx/rx buffers because the frame size is not validated against the r/w data length.
PUBLISHED: 2020-04-06
An Untrusted Search Path vulnerability in Malwarebytes AdwCleaner 8.0.3 could cause arbitrary code execution with SYSTEM privileges when a malicious DLL library is loaded.
PUBLISHED: 2020-04-06
An issue was discovered in Project Worlds Official Car Rental System 1. It allows the admin user to run commands on the server with their account because the upload section on the file-manager page contains an arbitrary file upload vulnerability via add_cars.php. There are no upload restrictions for...