How to Protect RDP from Ransomware

Working remotely is a trend here to stay, and many remote workers rely on Remote Desktop Protocol (RDP) to connect to office computers. Attackers have taken note.

A Hot Target in the Remote Work Era

The 2020 pandemic changed the way we work by revealing how easily, efficiently, and productively many people can work from home. All signs point to this trend outliving the pandemic. For example, during 2021, LinkedIn reported that job postings offering remote work rose 357%; meanwhile, by April 2020, RDP usage had already increased 62%.

Attackers found opportunity in this sea change. RDP is particularly attractive because of its long history of vulnerabilities, paired with its often-reckless use. For example, Shodan (a device search engine) reported an uptick in devices exposing RDP to the Internet in May 2019 (following a Microsoft bulletin on the BlueKeep vulnerability) and again in early 2020. In 2021, hackers leaked 1.3 million Windows Server RDP logins over the black market.

How Malware Deploys over RDP

RDP is a unique attack vector because of the multiple doors it opens once compromised. Once an attacker gains a foothold via RDP, they can deploy attacks such as:

• Point-of-sale (POS) malware to harvest credit card data
• Backdoors to further elevate system access
• Brute force attacks to steal RDP logins
• Cyrptominers that turn your server into the attacker’s personal cryptocurrency mill
• Reverse RDP attacks to deliver ransomware to client computers

Ransomware is especially prevalent; in fact, the FBI reports that RDP accounts for 70%-80% of the attack vectors leveraged to deliver ransomware.

Top 3 Ways to Protect Your Organization

There are multiple ways to harden your RDP infrastructure. Let’s focus on the three most important defenses.

1. Keep your RDP servers up to date. For example, once news broke of reverse RDP attacks, Microsoft quickly provided a patch to RDP services.
2. Disable bi-directional clipboard sharing. That clipboard supports transferring multiple files in multiple data formats, which an attacker can leverage to deliver malicious payloads free of detection. If you don’t disable it, you’re left relying on the user’s human judgment–a high risk given that the clipboard does not require the user to verify files.
3. A robust suite of security tools is critical. Consider employing an intrusion detection system (IDS) to keep a watchful eye on your network’s gates and compliment it with endpoint protection deployed to every device connected to your network. A threat emulation solution is worth exploring as well, which can pre-empt zero-day attacks that may otherwise slip past your other defenses.

These steps may require a change in culture. Understandably, many IT teams prefer to delay installing patches to ensure a new patch doesn’t introduce new problems. It is likewise common for IT to rely on “security by obscurity,” such as running RDP on nonstandard ports, to avoid notice. Attackers have caught on to these old ways of thinking, but if you start with these tips to harden RDP infrastructure, your remote staff can continue working safely and securely.