Let’s take a look at the ways an RDP ransomware attack occurs, from the most obvious to the more subtle.
The Brute Force Attack: Ransomware via Attrition
First, the attacker scans the Internet until they find an RDP server. Next, they use a program to guess passwords, often beginning with lists of the most common passwords. The program repeatedly attempts to log in with each password, waging a war of attrition until it either finds the right password or exhausts its guesses. Once a password succeeds, the attacker simply logs on and deploys their ransomware.
Malwarebytes Labs reported a 2019 study in which a few Windows computers were connected to the Internet with the RDP service running. Brute force attacks were launched against the computers within a mere 90 seconds, testing random passwords roughly 600 times per hour.
The Reverse RDP Attack: Ransomware Through a Backdoor
A Reverse RDP Attack is all about opening a backdoor through which to deliver ransomware. It plays out as follows:
- A user remotely connects to an infected server.
- Malware traverses the RDP connection from the server to the client.
- Ransomware deploys to the client.
This attack is especially dangerous because it can spread exponentially. All it takes is one infected server to deliver ransomware to every unsuspecting client that connects to it.
How is the server infected to begin with? In one case, researchers demonstrated two methods:
- Target IT staff to gain elevated permissions to a workstation. Once that foothold is gained, the attacker can traverse the network to reach its true target.
- Target a malware researcher in order to gain remote access to a virtual machine within their sandbox, then escape the sandbox to reach the rest of the organization’s network.
There are many more possibilities, but the point is that an attacker need only trick the right staff member to get a foot in the door.
How to Prevent RDP Attacks
Now that we understand how they play out, how do we defend against them?
Brute force attacks are relatively simple in nature, as is preventing them. The first defense is to simply not be detected by the attackers’ scans. Some IT staff believe that “security through obscurity” is enough to secure RDP, and simply run RDP over an uncommon port in the hope that attackers only scan common ports.
But it’s better to be invisible than obscure. A firewall, intrusion detection system (IDS), and endpoint security all serve to make your systems harder to detect and harder to crack.
Even if you are caught by a scan, a sufficiently strong password should defend you from brute force programs. Enforce a strict password complexity policy with strong minimum requirements, such as those recommended by Microsoft.
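The brute force mechanism described above (a single source cycling through password guesses against one RDP host until one succeeds) leaves a very recognizable trace in the Windows Security log, which is what an IDS or SIEM rule keys on. The following script is an added example, not code from the article: it reads a constructed export of Windows Security events and flags a source IP that accumulates too many RDP logon failures inside a sliding window, then flags a subsequent successful logon from that same source, which is the moment the attacker “simply logs on”. Event ID 4625 (failed logon), Event ID 4624 (successful logon) and logon type 10 (RemoteInteractive, the type an RDP session produces) are real Windows values; the one-line field layout, the threshold and the sample addresses are assumptions made for the example.

```python
"""Detect RDP password-guessing bursts in exported Windows Security events.

Added example, not from the article. Assumes a SIEM export where each line
carries a UTC timestamp, the Event ID, the logon type, the target account and
the source IP (this layout is constructed for the example). Event ID 4625 is a
failed logon, 4624 a successful one, and logon type 10 (RemoteInteractive) is
what an RDP session produces.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+EventID=(?P<eid>\d+)\s+LogonType=(?P<ltype>\d+)\s+"
    r"TargetUser=(?P<user>\S+)\s+SourceIP=(?P<ip>\S+)$"
)

# Constructed sample: 203.0.113.7 hammers the administrator account and then
# gets in; 198.51.100.23 is a user who mistyped a password once (benign).
SAMPLE_LOG = """\
2024-01-10T08:00:01Z EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7
2024-01-10T08:00:04Z EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7
2024-01-10T08:00:07Z EventID=4625 LogonType=10 TargetUser=admin SourceIP=203.0.113.7
2024-01-10T08:00:09Z EventID=4625 LogonType=10 TargetUser=jsmith SourceIP=198.51.100.23
2024-01-10T08:00:11Z EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7
2024-01-10T08:00:15Z EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7
2024-01-10T08:00:40Z EventID=4624 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7
2024-01-10T08:01:20Z EventID=4624 LogonType=10 TargetUser=jsmith SourceIP=198.51.100.23
"""


def parse_line(line):
    """Parse one exported event line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "eid": int(m["eid"]), "ltype": int(m["ltype"]),
            "user": m["user"], "ip": m["ip"]}


def detect_rdp_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return a list of alerts in log order.

    A 'burst' alert fires the first time a source IP accumulates `threshold`
    RDP logon failures (4625, logon type 10) inside a sliding time window.
    A 'success_after_burst' alert fires when a source that already produced a
    burst later gets a successful RDP logon (4624): one of the guesses worked.
    """
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(deque)   # ip -> timestamps of failures still in window
    flagged = set()                 # ips that already raised a burst alert
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["ltype"] != 10:
            continue                # not an RDP logon event
        if ev["eid"] == 4625:
            recent = failures[ev["ip"]]
            recent.append(ev["ts"])
            # drop failures that have aged out of the sliding window
            while recent and ev["ts"] - recent[0] > window:
                recent.popleft()
            if len(recent) >= threshold and ev["ip"] not in flagged:
                flagged.add(ev["ip"])
                alerts.append({"type": "burst", "ip": ev["ip"],
                               "at": ev["ts"], "failures": len(recent)})
        elif ev["eid"] == 4624 and ev["ip"] in flagged:
            alerts.append({"type": "success_after_burst", "ip": ev["ip"],
                           "user": ev["user"], "at": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_LOG):
        print(alert)
```

The two alert types map to two different responses: a burst alone is a cue to block the source at the firewall (or let an account lockout policy do it), while a success following a burst means the password was guessed and the account and host need to be treated as compromised. A single failure from a legitimate user, as in the second sample source, never trips the rule, which is the property a rate-based threshold buys over alerting on every 4625.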
Reverse RDP attacks are a different animal because of how they flip the script: instead of an infected client attacking servers, an infected server attacks all clients. In this case, server hardening is key. Any computer running RDP services must be kept up to date with the latest patches and must have sufficient security solutions in place (e.g., IDS, endpoint security, and so on).