In the era of cloud computing and the continuing trend of work-from-home employees, the ability to connect remotely to servers is central to being able to get almost anything done on a computer. This is often done through Remote Desktop Protocol, or RDP, which means in turn that knowing how to protect RDP has become of central importance for admins concerned about ransomware attacks.
RDP was initially developed by Microsoft, and clients are available for Windows, Linux, macOS, and Unix as well as Apple’s iOS and Google’s Android. Basically, RDP works with everything.
A user or admin uses RDP client software to connect to the remote computer—PC, server, mobile device—and open applications and files for editing as if they were sitting in front of it. RDP provides access via a dedicated network channel. This makes it a perfect avenue for installing ransomware on a remote computer or server.
Given the danger of RDP attacks, Ransomware.org has published numerous articles that deal with the topic, helping you recognize and protect yourself from RDP ransomware. What follows is a listing and short description of each article, allowing you to find what you need quickly. Armed with this information, you’ll have a solid understanding of how to protect RDP throughout your infrastructure.
This is a great place to start. It covers why RDP is such a juicy ransomware target, and discusses the popular “reverse RDP attack” and how it’s done. In short, the reverse attack is a two-way attack that can start at either the remote computer or the server, and infect the computer at the other end.
There are also great hints on how to secure RDP, including what you should be locking down first.
This article does a deep dive into RDP attacks, including a thorough history of how we got here. It also has this important nugget of information: “Depending on which ransomware groups are active and who’s doing the reporting, either phishing or RDP are the most commonly used initial access vectors for ransomware attacks.” That still holds true today.
This is an overview of some of the most popular types of attacks, including the aforementioned “reverse RDP attack.” And even though ransomware attacks are getting more sophisticated all the time, the tried-and-true “brute force” method remains popular. From the blog:
“… the attacker scans the Internet until they find an RDP server. Next, they use a program to guess passwords, often beginning with lists of the most common passwords. The program will repeatedly attempt to log in with each password, waging a war of attrition until it either finds the right password or exhausts guesses. Once a password succeeds, the attacker simply logs on and deploys their ransomware.”
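The pattern quoted above (a burst of failed logons from one source, then a success) is exactly what a defender can watch for in the Windows Security log. The detector below is an added example, not code from the Ransomware.org article; it runs over constructed sample lines in a simplified format (an assumption, real 4625/4624 events carry more fields) and flags any source with a run of failed RDP logons (event 4625, logon type 10) inside a time window, noting whether a successful logon (4624) followed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines modelled on Windows Security events (simplified format, an assumption):
# EventID 4625 = failed logon, 4624 = successful logon, LogonType 10 = RemoteInteractive (RDP).
SAMPLE_LOG = """\
2024-05-01T02:00:01 EventID=4625 LogonType=10 User=administrator Src=203.0.113.7
2024-05-01T02:00:02 EventID=4625 LogonType=10 User=administrator Src=203.0.113.7
2024-05-01T02:00:03 EventID=4625 LogonType=10 User=admin Src=203.0.113.7
2024-05-01T02:00:04 EventID=4625 LogonType=10 User=backup Src=203.0.113.7
2024-05-01T02:00:05 EventID=4625 LogonType=10 User=administrator Src=203.0.113.7
2024-05-01T02:00:09 EventID=4624 LogonType=10 User=administrator Src=203.0.113.7
2024-05-01T02:03:00 EventID=4625 LogonType=10 User=jsmith Src=198.51.100.4
2024-05-01T02:03:20 EventID=4624 LogonType=10 User=jsmith Src=198.51.100.4
"""

LINE_RE = re.compile(r"^(\S+) EventID=(\d+) LogonType=(\d+) User=(\S+) Src=(\S+)$")

def parse(log_text):
    """Parse the simplified lines into (timestamp, event_id, logon_type, user, src) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, eid, ltype, user, src = m.groups()
            events.append((datetime.fromisoformat(ts), int(eid), int(ltype), user, src))
    return events

def detect_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {src: (total_failures, usernames_tried, success_after_burst)} for sources with >= threshold failed RDP logons inside `window`."""
    failures, successes = defaultdict(list), defaultdict(list)
    for ts, eid, ltype, user, src in parse(log_text):
        if ltype != 10:  # only RemoteInteractive (RDP) logons are of interest here
            continue
        if eid == 4625:
            failures[src].append((ts, user))
        elif eid == 4624:
            successes[src].append(ts)
    alerts = {}
    for src, fails in failures.items():
        fails.sort()
        for i in range(len(fails) - threshold + 1):  # sliding window over sorted failures
            start, end = fails[i][0], fails[i + threshold - 1][0]
            if end - start <= window:
                users = sorted({u for _, u in fails[i:i + threshold]})
                success_after = any(ts > end for ts in successes[src])  # "password found" case
                alerts[src] = (len(fails), users, success_after)
                break
    return alerts
```

A single failed logon from the second source is ignored, while the first source trips the threshold and is marked as having succeeded afterwards, which is the event worth paging on.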
Of course, we’d never just point out a vulnerability without showing you how to fix it. This article does that, listing the top 3 methods, including:
- Keeping your RDP servers up to date
- Disabling bi-directional clipboard sharing
- Deploying a robust suite of security tools
The blog digs into the details of each of these.
Going through these articles is a crucial first step in learning how to protect RDP from the ransomware criminals. So, as Thomas Jefferson says in Hamilton: If you don’t know, now you know.