Don’t Become a Ransomware Target

Don’t Become a Ransomware Target - Secure Your RDP Access Responsibly

Most businesses assume they are too small to be targeted by hackers. How would a hacker even find the digital footprint of a small company with only a few IP addresses? Since vast majority of ransomware attacks exploit Remote Desktop Protocol (RDP), the answer is clear: it does not matter how large or small you are, if you are using RDP and not securing it properly, you are being actively targeted.

RDP is a common protocol used by businesses of all sizes, and if you are not employing a multi-layered approach to securing RDP access, then it is only a matter of time before the resilience of your backups is tested via a ransomware attack that encrypts your entire network.  If you are not using 2FA and least privilege principles to access critical security systems like AV, Endpoint and your backups, then you are truly playing roulette with ransomware.

What Is RDP and Why Is It a Popular Attack Vector for Ransomware?

The release of Windows NT in the early 1990s popularized the convenience of remote IT service providers, allowing them to point & click through on any system from their own location (via Remote Desktop Protocol) rather than being on site. RDP dramatically lowered the cost and complexity of troubleshooting support issues and helped the modern Managed Service Provider industry grow, evolve, and avoid costly on-site client visits.

Like most conveniences, however, RDP had shortcomings - the most serious being that it created a new cyber security vulnerability. Since it’s release, RDP has become a common attack vector as it allows a hacker to sidestep endpoint protection and makes lateral proliferation between partitioned networks (and backup systems) simple, the perfect access point for planting ransomware.

How Do Ransomware Hackers Breach a Company via RDP?

Attackers generally breach RDP by:

  • Port scanning and brute-forcing RDP credentials with sites like Shodan.

  • Purchasing leaked credentials on sites like XDedic.

  • Phishing an employee of the company to gain access and control of their machine. Then brute-forcing RDP access from inside the network via the compromised machine.

There are tens of thousands of corporate RDP credentials available for sale for as little as $3 on dark web marketplaces. The wide availability of hacked RDP credentials is low-hanging fruit for cyber criminals looking to launch ransomware attacks. If ransomware like Dharma or SamSam strikes, it's likely not the initial breach. The first breach likely led to the compromise of RDP access credentials that were subsequently sold to the ransomware hacker. Under certain regulatory frameworks, both of these breaches would be reportable events.

What Happens After a Hacker Gains Access via RDP?

Once in the network, the hacker will use tools like  mimikatz to harvest administrative credentials and elevate access privileges across the domain. The administrative privileges can be used to disable anti-virus, two-factor authentication, or wipe/encrypt backups.

The hacker will typically take network notes so that they understand the topography of the network that they are about to cripple with ransomware. These notes help the hacker understand how the company will respond, and how they can most effectively curtail that response and increase the odds receiving a  ransom payment.

The hacker then waits for an optimal time before pushing the ransomware executables into the most valuable portions of your network. Nights, weekends or holidays are common, as are important periods of time for your business.  The executables encrypt PCs, servers, databases, applications and any backups that the hackers discovered. Once complete, the ransomware executables generally delete themselves and leave nothing behind but encrypted files and ransom notes.

What Are Best Practices for Securing RDP from Ransomware?

To begin, RDP should only be used if absolutely necessary. If RDP is being used out of convenience, then it should be disabled for a more secure solution. However, if RDP must be used, then it should be secured with the following measures:

  • Limit RDP Access: Limit access by requiring a VPN to access RDP. The default port number should be changed as well. Access should be granted to a select whitelist of IP ranges and lockout provisions enacted so that brute forcing attempts trigger lock out or admin alerts.

  • Two-factor authentication (2FA): The vast majority of corporate ransomware attacks could be thwarted by enabling two-factor authentication on remote sessions and all remotely-accessible accounts.

  • Endpoint & alternative solutions: Today’s endpoint solutions can detect anomalies in network usage (such as an in-office workstation attempting opening a RDP session) and stop them before damage is done. Additionally, several new products offer alternatives for remote access that are more secure than RDP.

  • Least Privilege: Users that do not need to service important internal services should not have access to them. Double check your permissions and make sure employees have the minimum access required to complete their job. Accounts that can access critical systems, including backups, should have 2FA on them.

  • Disaster Recovery: Should RDP configurations become compromised, it’s critical that a company’s BCDR plans be codified and up to date. Backup systems should have up-to-date, on-site and off-site versions of all critical data. IR firms should be kept on retainer to minimize costs and time to recover in the event of a breach.

What Will Happen If I Don't Secure My RDP Access?

In short, you ARE being actively targeted if you continue to use RDP access. How well your defense efforts will hold up to an RDP based attack is the only question.

As of Q4 2018, over 90% of ransomware attacks occured due to RDP exploits, making it the most common attack vector by an order of magnitude. Ransomware attacks typically cause at least 4 days of downtime. Organizations like No More Ransom (Coveware is a partner), that seek to educate the public about ransomware and provide free tools to help companies recover. These free tools can be helpful, but they are not a solution that companies can rely on to recover if they are attacked. Unfortunately, most current ransomware attacks use encryption malware that is not commercially decryptable. In lieu of functional backups, victims of ransomware have not choice but to consider paying the hacker, or face data loss.

If you would like to bolster your disaster recovery and incident response plan, contact us for more ideas.

Bill Siegel