RDP is an increasingly attractive target for ransomware groups. Although phishing continues to be effective, it can be expensive to get a phishing campaign up and running, especially for new IABs (initial access brokers) or ransomware affiliates. Renting space from phishing botnets is costly and the returns are often dismal.
On the other hand, an attacker who manages to gain access to an RDP server has already achieved success. They’ve managed to infiltrate a victim’s network, and they can turn around and sell that access, or possibly use it to deploy ransomware directly. In addition to having almost no startup costs (a laptop + Internet access + some searching/forum time), RDP scanning and exploitation provides almost instant gratification.
RDP access operations make a great entry point for many IABs and ransomware affiliates, but RDP is not the only type of remote access for which IABs are looking. As IABs and ransomware affiliates gain experience, they expand the types of remote access tools that they can exploit, looking for systems exposed to the Internet such as Citrix, TeamViewer, VNC, and any and all VPN connections they can find. If an exposed system provides access to a victim’s network, most likely there are IABs or ransomware affiliates scanning for it.
Ransomware attacks against RDP and other remote access systems were already increasing prior to the COVID-19 pandemic. According to a report from F-Secure, in the second half of 2019, remote access “manually installed” ransomware accounted for 28% of all ransomware attacks it observed. This was the largest percentage, followed by phishing at 24%.
This trend was accelerated by the rapid shift to remote work during the pandemic. Many organizations that had limited or no remote workforce suddenly had to accommodate a fully remote (or close to fully remote) workforce, and they had to do it with the tools and systems to which they already had access. Most organizations initially thought they would switch to remote work for four to six weeks, then return to normal. If that was actually the case, it would be OK to “MacGyver” together a remote access solution. Little thought was given to security because IT and security teams had very little time to get a work-from-home solution up and running and assumed it would be temporary.
Employees like the freedom and flexibility that working remotely affords them, and while many miss the office, most employees appear to want a hybrid solution: being able to work in the office some days and remotely on others. Given that reality, organizations need to decide how they’re going to provide remote access in a way that’s convenient and secure.
The question organizations have to ask themselves is: “Is RDP the best solution?” Whether the question is for remote work or remote administration, the answer is almost always no. RDP is challenging to set up securely, difficult to manage, and—as discussed—an easy target for cybercriminals looking to gain access. Organizations, large and small, should be looking to migrate to another solution sooner rather than later (see “Alternatives to RDP” farther down the page). Yes, a more secure access solution entails an additional cost, but setting it up still costs less than paying a ransom.
… tend to give VPN access to more employees. That widens the pool of accounts an attacker can try, so a single reused or previously breached password is more likely to succeed, on top of the credential stuffing attacks any Internet-exposed VPN already attracts. Requiring multifactor authentication on the VPN mitigates this threat.
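Detecting this activity is the defender's side of what the paragraphs above describe. The block below is an added example, not code from the book or its author: it scans flattened Windows Security events (event 4625, failed logon, with logon type 10, which is RDP) for the two patterns seen against exposed RDP hosts, a burst of failures against one account from one source and a low-and-slow password spray across many accounts from one source. The event records, IP addresses, usernames and thresholds are all constructed for the example.

```python
"""Flag RDP brute-force and password-spray activity in Windows Security events.

Added example, not from the page's author: the events below are constructed
to look like the 4625 (failed logon) records an exposed RDP host would produce.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = 4625          # Windows Security event: an account failed to log on
SUCCESS_LOGON = 4624         # Windows Security event: an account logged on
RDP_LOGON_TYPE = 10          # RemoteInteractive: Terminal Services / RDP session

BASE = datetime(2024, 3, 1, 2, 0, 0)  # constructed timestamps start here


def _ev(offset_s, event_id, logon_type, user, src_ip):
    """Build one flattened event record `offset_s` seconds after BASE."""
    return {"ts": BASE + timedelta(seconds=offset_s), "event_id": event_id,
            "logon_type": logon_type, "user": user, "src_ip": src_ip}


# Constructed sample: one IP hammering a single account, one IP trying many
# accounts once each, and one real user who mistyped a password twice.
SAMPLE_EVENTS = (
    [_ev(10 * i, FAILED_LOGON, RDP_LOGON_TYPE, "administrator", "203.0.113.7")
     for i in range(12)]
    + [_ev(130, FAILED_LOGON, 3, "administrator", "203.0.113.7")]  # network logon, not RDP
    + [_ev(600 + 15 * i, FAILED_LOGON, RDP_LOGON_TYPE, user, "198.51.100.23")
       for i, user in enumerate(["jsmith", "mlopez", "achen", "rpatel", "kobrien", "svc_backup"])]
    + [_ev(1200, FAILED_LOGON, RDP_LOGON_TYPE, "dkim", "192.0.2.10"),
       _ev(1260, FAILED_LOGON, RDP_LOGON_TYPE, "dkim", "192.0.2.10"),
       _ev(1300, SUCCESS_LOGON, RDP_LOGON_TYPE, "dkim", "192.0.2.10")]
)


def _max_in_window(events, window, measure):
    """Largest value of measure(slice) over any sliding time window.

    `events` must be sorted by timestamp; `measure` receives the slice of
    events whose timestamps fall within `window` of the newest event in it.
    """
    best, start = 0, 0
    for end in range(len(events)):
        while events[end]["ts"] - events[start]["ts"] > window:
            start += 1
        best = max(best, measure(events[start:end + 1]))
    return best


def detect_rdp_attacks(events, window=timedelta(minutes=5),
                       fail_threshold=10, spray_user_threshold=5):
    """Return findings as sorted (kind, source_ip, count) tuples.

    brute_force    : at least fail_threshold failed RDP logons from one IP
                     inside `window`
    password_spray : at least spray_user_threshold distinct accounts failed
                     from one IP inside `window` (few tries per account, so it
                     stays under per-account lockout thresholds)
    """
    rdp_failures = defaultdict(list)
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["event_id"] == FAILED_LOGON and e["logon_type"] == RDP_LOGON_TYPE:
            rdp_failures[e["src_ip"]].append(e)

    findings = []
    for ip, evs in rdp_failures.items():
        burst = _max_in_window(evs, window, len)
        if burst >= fail_threshold:
            findings.append(("brute_force", ip, burst))
        users = _max_in_window(evs, window, lambda s: len({e["user"] for e in s}))
        if users >= spray_user_threshold:
            findings.append(("password_spray", ip, users))
    return sorted(findings)


if __name__ == "__main__":
    for finding in detect_rdp_attacks(SAMPLE_EVENTS):
        print(*finding)
```

Run as-is it reports the brute-force source and the spraying source from the sample and nothing for the user who mistyped a password; the type-3 network logon is included to show that the filter keys on logon type, not just on event ID. In practice, feed it the 4625 events exported from the RDP host (or collected centrally) and tune the window and thresholds to the environment; a spray that stays below the brute-force threshold is exactly the case a per-account lockout policy alone will miss.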
Along with regular patching and multifactor authentication, organizations can improve the security of their VPN by taking the following precautions: