Ransomware enters companies through RDP servers

Attackers wielding ransomware are targeting enterprises through an often-found hole in the corporate network: Internet facing, poorly secured remote desktop servers.

According to Wouter Jansen, Senior Forensic IT Expert at Fox-IT, the company has lately been called in by a number of firms that have been hit with ransomware, and a subset of those has let attackers and the ransomware in through that channel (click on the screenshot to enlarge it):

Ransomware attack path via compromised remote desktop servers

“Entries in the log files show the attackers got access to the servers by brute forcing usernames and passwords on remote desktop servers that are accessible from the internet. Day in, day out, failed login attempts are recorded coming from hundreds of unique IP-addresses trying hundreds of unique usernames,” Jansen noted.

“After brute forcing credentials to gain access to a remote desktop server, the attackers can do whatever the user account has permissions to on the server and network.”

In the past that usually meant attackers attempting to exfiltrate data that can be sold on underground markets, adding the compromised system to a botnet, or using it to send out spam emails.

But some of the attackers have switched to deploying ransomware, in an effort to get paid quickly and avoid further complications.

“Depending on the segmentation and segregation of the network, the impact of ransomware being executed from a workstation in a client LAN might be limited to the network segments and file shares the workstation and affected user account can reach. From a server though, an attacker might be able to find and reach other servers and encrypt more critical company data to increase the impact,” Jansen pointed out.

The attackers can also try to discover when back-ups are made in order to decide when to execute the ransomware for maximum effectiveness. They are usually successful in keeping their presence in the corporate network secret until they trigger the malware.

This type of attack definitely requires more work when compared to the usual ransomware flinging via exploit kits and phishing emails, but the pay-off is potentially much, much bigger, and therefore worth the extra effort.

Even the ransom demand is not one-size-fits-all – the attackers leave an email address through which they can be contacted, urging victims to enter in a negotiation about the sum to be paid to get the files back.

Luckily, this type of attack can be easily foiled by admins. If making the remote desktop server remotely inaccessible is not possible, user accounts with remote access should have a complex, hard to guess password and two-factor authentication or two-step verification enabled, and the remote connection should be encrypted.

Don't miss