Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


04:15 PM
Connect Directly

Crooks Turn to Delivering Ransomware via RDP

In a new twist to an old attack, threats actors are increasingly using the remote access protocol to install ransomware, Sophos says

In a new twist to an old attack technique, some threat actors have begun installing ransomware on Windows networks by breaking into them via weakly protected Microsoft Remote Desktop Protocol (RDP) services.

Security vendor Sophos says it has seen a spate of such attacks recently with the victims in most cases being small companies with 30 or fewer staff members that rely on external parties to manage their Windows networks remotely.

Unlike typical ransomware campaigns in which the malware is mass distributed via phishing and other means, the crooks in these attacks are breaking into Windows systems one at a time and running ransomware on them manually using RDP access.

The trend highlights the need for organizations to ensure that RDP is turned off on all computers on the network on which it is not needed, to use VPNs for external connections and to implement strong authentication where possible, Sophos said.

"For a small business, RDP is often the only way to get IT support at all," says Paul Ducklin, senior technologist at Sophos. It allows a third party located across town, in another state, or overseas to remotely access a Windows network and administer it with nearly same level of control over it as a local user. RDP can be handy, but if the service is left open to the Internet as businesses sometimes do, attackers can try and brute force their way into your network, Ducklin says. 

"When an [RDP] server is open to the Internet, it means that you'll accept incoming connections from anywhere, including users on computers in other companies, other cities, other states, other countries," Ducklin says. "Loosely speaking, any computer, or mobile device, that can send packets outwards on the Internet can connect inward to your server and get a response of some sort."

Recently, Sophos has seen evidence that attackers have begun using scanning services such as Shodan and Censys to search for systems with RDP open to the Internet. They have then been using the NLBrute tool to try and guess RDP passwords and brute force their way into such systems.

"Many small businesses have a dedicated computer to handle RDP connections, or will just let RDP users connect directly to the main server," Ducklin says. "Shodan is looking for open ports visible somewhere, anywhere, that lead to RDP somewhere inside the network."

Attacks against RDP are certainly not new. The difference is that attackers increasingly have begun using their RDP access to then install ransomware on systems. In several of the cases that Sophos has investigated, attackers have first initiated a series of measures to disable and disarm security settings on the network to which they have gained access, before running ransomware on them.

Some of the measures have included killing off processes that disallow shutdown, deleting locked files, changing configuration settings, disabling anti-malware tools, turning off database services, and deleting backup files. Because the systems have been rigged to become as insecure as possible, the threat actors are then able to run old and even free variants of ransomware on them until something works. "In several cases, we've found cryptocurrency mining software that had been around for a while," Ducklin says.

Gartner analyst Avivah Litan says hackers have been using NLBrute for years to brute force their way into systems via RDP. In fact there are even YouTube videos on how to use the tool, she says.

However, the increase in RDP attacks to drop ransomware is a new twist, Litan says. "It reminds me of what happened with online banking attacks," she notes. "As banks implemented more controls that prevented fully automated and mass attacks, criminals started using RDP to manually attack one user at a time."

Attacks via RDP are big threats to organizations, Litan cautions. Endpoint security controls are not very effective at dealing with these attacks because the tools are typically looking for malicious files and fully automated attacks, rather than human-executed manual attacks, she says.

Organizations that want to enable RDP should first ask themselves if they require that access, adds Tyler Reguly, manager of Tripwire's Vulnerability and Exposure Research Team. "Enabling RDP access to a Windows computer is no different than providing SSH access to a Linux server, so there's definitely justification for doing it and businesses with a need should not be afraid to run RDP."

But it is important to ensure strong passwords and two-factor authentication at a minimum when enabling the service, Reguly says. If possible, require a VPN connection to access the service and avoid direct Internet access.

Also, set a lockout policy to limit password-guessing attacks, Ducklin says. Simply by enforcing a five-minute lockout after three failed guesses you can ensure that crooks can at most try 48 passwords an hour, making a brute force attack impractical, he says.

The Sophos warning is the second in recent weeks involving RDP. In October, Flashpoint warned about Dark Web marketplaces selling access to tens of thousands of brute-forced RDPs around the world. Ultimate Anonymity Services, one of the outfits selling such access, alone had over 35,000 brute-forced RDPs for sale, Forcepoint noted in its report.

Threat actors can use such compromised RDP servers for a variety of reasons in addition to installing ransomware on systems, says Flashpoint cybercrime analyst Olivia Rowley.

"For some cybercriminals, it may be more advantageous to use a compromised RDP as a staging ground for conducting other fraud, such as making a fraudulent purchase," Rowley says. "Cybercriminals may also find that the compromised RDP contains sensitive files or other proprietary information, thus making the RDP a tool for conducting data breaches."

Related Content:

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry's most knowledgeable IT security experts. Check out the INsecurity agenda here.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Where Businesses Waste Endpoint Security Budgets
Kelly Sheridan, Staff Editor, Dark Reading,  7/15/2019
US Mayors Commit to Just Saying No to Ransomware
Robert Lemos, Contributing Writer,  7/16/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-07-21
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2002-0639. Reason: This candidate is a reservation duplicate of CVE-2002-0639. Notes: All CVE users should reference CVE-2002-0639 instead of this candidate. All references and descriptions in this candidate have been removed to prevent ...
PUBLISHED: 2019-07-20
An issue was discovered in PrinterOn Central Print Services (CPS) through 4.1.4. The core components that create and launch a print job do not perform complete verification of the session cookie that is supplied to them. As a result, an attacker with guest/pseudo-guest level permissions can bypass t...
PUBLISHED: 2019-07-20
An issue was discovered in the wp-code-highlightjs plugin through 0.6.2 for WordPress. wp-admin/options-general.php?page=wp-code-highlight-js allows CSRF, as demonstrated by an XSS payload in the hljs_additional_css parameter.
PUBLISHED: 2019-07-20
An issue was discovered on AudioCodes Mediant 500L-MSBR, 500-MBSR, M800B-MSBR and 800C-MSBR devices with firmware versions F7.20A to F7.20A.251. An internal interface exposed to the link-local address allows attackers in the local network to access multiple quagga VTYs. Attackers can...
PUBLISHED: 2019-07-19
An arbitrary file copy vulnerability in mod_copy in ProFTPD up to 1.3.5b allows for remote code execution and information disclosure without authentication, a related issue to CVE-2015-3306.