RDP Ransomware: Everything You Need to Know

James Panetti
January 31, 2022

When we think of ransomware, we often imagine a single user’s desktop suddenly hijacked by a ransom message threatening to lock away their hard drive data. The landscape is evolving, however; today, ransomware families such as Maze and Ryuk encrypt the victim’s entire network, and their operators frequently gain their first foothold through exposed or vulnerable Remote Desktop Protocol (RDP) services.

RDP, in the simplest of terms, is Microsoft’s protocol for operating a Windows desktop or server remotely over the network (listening on TCP port 3389 by default). It is the most common way staff connect to an organization’s servers to work from afar.

An Ideal Attack Vector

RDP is a prime target because it is widely exposed, and both the service and the client software that connects to it keep yielding new vulnerabilities. In the 2019 study discussed below, Check Point Research reported 25 vulnerabilities in the open-source rdesktop and FreeRDP clients, plus a path-traversal flaw in Microsoft’s own mstsc client. FreeRDP is the RDP client packaged with Kali Linux, the standard penetration-testing distribution, so even the tooling that security professionals use to assess RDP was affected.

Anatomy of a Reverse RDP Attack

A popular method for exploiting RDP is via a “reverse” RDP attack, which was dissected by Check Point Research in 2019. This is best explained via example (see Figure 1):

  1. An offsite employee connects to an onsite server via RDP.
  2. The server has already been compromised (for example through an unpatched vulnerability or stolen credentials), and the attacker controls what it sends back over the RDP session.
  3. Once the offsite computer connects, the malicious server abuses a vulnerability in the client’s RDP software to write files to, or execute code on, the offsite computer, in effect traversing the connection in the wrong direction.
  4. With a foothold on the client, the ransomware attack commences.

Figure 1 demonstrates why it’s called a reverse RDP attack: instead of the traditional infected client attacking the server, the infected server attacks the client. Any client running a vulnerable RDP client version that connects to such a server can be taken over. In the mstsc case documented by Check Point, the channel abused was clipboard redirection: a file copy initiated from the server carried a path-traversal file name, which the client wrote outside the intended directory.

Figure 1. How a reverse RDP attack happens

Can You Afford the Risk?

Can you afford to continue using RDP as-is?

Absolutely not. The COVID-19 pandemic spurred a work-from-home trend that will long outlast the pandemic that bore it, and RDP has become one of the most popular ways of connecting staffers to enterprise servers.

Note also that reverse RDP attacks are far from the only threat. Internet-exposed RDP services with weak or reused passwords are routinely brute-forced, and the resulting credentials are one of the most common initial footholds for ransomware operators.

Securing RDP

Take immediate steps to lock down your systems. First, keep both your RDP servers and your RDP clients up to date: the reverse attack lands on the client, so a patched client matters as much as a patched server, and any server you do not control should be treated as potentially hostile. Microsoft patched the mstsc clipboard path-traversal reported in the Check Point study (CVE-2019-0887) in July 2019.

Second, disable clipboard redirection (and drive redirection, which is a similar file-transfer channel) on both the client and the server, so that cutting and pasting data between them cannot be turned into a file-write primitive.

Third, do not expose RDP directly to the Internet. Put it behind a VPN or Remote Desktop Gateway, require Network Level Authentication (NLA) so a client must authenticate before a session is created, enforce multi-factor authentication and account lockout, and restrict which accounts may log on remotely.

Lastly, monitor and secure RDP with security tools such as an intrusion detection system (IDS), an endpoint protection solution, and sandbox-based threat emulation (designed to catch zero-day payloads), and watch the Windows Security log for repeated failed logons against the RDP service.
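The following is an added example, not code from the original article or from Check Point: a PowerShell script that audits (and optionally sets) the server-side registry values behind the hardening steps above, writes a client-side .rdp file that refuses clipboard and drive redirection, and flags brute-force activity from Security log failures (Event ID 4625). The alert threshold, window, host name, file path and the sample event records are assumptions constructed for illustration; run the registry and event-log parts in an elevated session.

```powershell
# Added example (not from the original article). Thresholds, host name, path and
# sample records are assumptions for illustration.

# --- 1. Server-side hardening: desired registry values ---------------------------
$Checks = @(
  # Network Level Authentication: client must authenticate before a session exists
  @{ Path='HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'; Name='UserAuthentication'; Want=1 },
  # SecurityLayer 2 = TLS only (0 = legacy RDP security layer, 1 = negotiate)
  @{ Path='HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'; Name='SecurityLayer'; Want=2 },
  # Group Policy-backed "Do not allow Clipboard redirection"
  @{ Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'; Name='fDisableClip'; Want=1 },
  # Group Policy-backed "Do not allow drive redirection"
  @{ Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'; Name='fDisableCdm'; Want=1 }
)

function Test-RdpHardening {
    param([switch]$Fix)   # without -Fix this only reports
    foreach ($c in $Checks) {
        $current = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        $ok = ($current -eq $c.Want)
        [pscustomobject]@{ Setting = $c.Name; Current = $current; Want = $c.Want; OK = $ok }
        if (-not $ok -and $Fix) {
            if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
            Set-ItemProperty -Path $c.Path -Name $c.Name -Value $c.Want -Type DWord
        }
    }
}

# --- 2. Client-side: an .rdp file that refuses redirection channels ---------------
# A compromised server then has no clipboard/drive channel through which to push files
# back to this machine. "authentication level 2" = refuse to connect if server
# certificate validation fails. Host name and output path are assumptions.
$RdpFile = @"
full address:s:rdp.example.internal
redirectclipboard:i:0
drivestoredirect:s:
authentication level:i:2
"@
Set-Content -Path "$env:USERPROFILE\Desktop\office.rdp" -Value $RdpFile

# --- 3. Detection: password guessing against RDP from Event ID 4625 ---------------
function Get-FailedLogonRecords {
    param([int]$Hours = 1)
    # Pull the fields the detection needs out of each event's XML payload
    Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4625; StartTime=(Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
      ForEach-Object {
        [xml]$x = $_.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        [pscustomobject]@{ Time=$_.TimeCreated; User=$d['TargetUserName']; SourceIp=$d['IpAddress']; LogonType=[int]$d['LogonType'] }
      }
}

function Find-RdpBruteForce {
    param([Parameter(Mandatory)] $Records,
          [int]$Threshold = 10,       # failures from one address before alerting (assumption)
          [int]$WindowMinutes = 10)
    # With NLA enabled, failed RDP logons are normally recorded as LogonType 3 (network);
    # without NLA they appear as LogonType 10 (RemoteInteractive). Local failures have no IP.
    $Records | Where-Object { $_.LogonType -in 3, 10 -and $_.SourceIp -and $_.SourceIp -ne '-' } |
      Group-Object SourceIp | ForEach-Object {
        $sorted = @($_.Group | Sort-Object Time)
        $span = ($sorted[-1].Time - $sorted[0].Time).TotalMinutes
        if ($_.Count -ge $Threshold -and $span -le $WindowMinutes) {
            [pscustomobject]@{
                SourceIp  = $_.Name
                Attempts  = $_.Count
                Usernames = ($sorted.User | Sort-Object -Unique) -join ','
                FirstSeen = $sorted[0].Time
                LastSeen  = $sorted[-1].Time
            }
        }
      }
}

# Constructed sample data: 12 failures in 3 minutes from one address spraying common
# account names, plus one mistyped password from a legitimate user elsewhere.
$t0 = Get-Date '2022-01-31 09:00:00'
$names = 'administrator','admin','backup','sqlsvc'
$Sample = @(0..11 | ForEach-Object {
    [pscustomobject]@{ Time=$t0.AddSeconds(15*$_); User=$names[$_ % 4]; SourceIp='203.0.113.7'; LogonType=3 } })
$Sample += [pscustomobject]@{ Time=$t0.AddMinutes(5); User='jsmith'; SourceIp='192.0.2.15'; LogonType=10 }

Test-RdpHardening                      # report only; add -Fix to apply the desired values
Find-RdpBruteForce -Records $Sample    # flags 203.0.113.7 only
# Live host: Find-RdpBruteForce -Records (Get-FailedLogonRecords -Hours 1)
```

The detection deliberately keys on source address rather than account name, because password spraying rotates usernames; a single source producing many failures across several accounts in a short window is the pattern worth alerting on. If NLA is not enforced, also expect LogonType 10 entries, and note that events behind a Remote Desktop Gateway will carry the gateway’s address unless the gateway’s own logs are correlated.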
