Ransomware: The many dangers of Remote Desktop Protocol

30 May 2022

    In the first part of this series, we gave a basic overview of ransomware and how it works. Now, we are delving deeper into the specific ways in which ransomware operators infiltrate your systems, starting with Remote Desktop Protocol.

    Read more articles from the series:

    PART 1: Ransomware: What SMBs should know  

    PART 3: Ransomware: How to provide a valuable layer of protection to email

    PART 4: Ransomware: The need to protect your supply chain

    PART 5: Ransomware: A game of cat and mouse

    PART 6: Ransomware: How to protect your company against attacks


    Due to the pandemic, the proportion of people working from home has more than doubled. It is a trend that shows no sign of abating; more than half (54%) of employees say they would prefer to continue working from home even when restrictions fully end.


    Unfortunately, while remote work became a necessity during the pandemic, the remote access tools employees rely on to reach company data, above all Remote Desktop Protocol (RDP), are heavily targeted. Between May and August 2021, ESET detected 55 billion new brute-force attack attempts against networks with public-facing RDP services. This was up 104% compared to the period from January to April, and up sixfold when comparing H1 2020 with H1 2021.
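    To make the brute-force pattern concrete, here is an added example of the detection side (this script is not part of the original post and is not ESET's code). It assumes failed-logon records, Windows Security Event ID 4625, have already been exported as Python dicts carrying the fields Windows writes (TimeCreated, IpAddress, TargetUserName, LogonType). The sample events, the RFC 5737 documentation addresses and the thresholds are constructed for the example; tune the thresholds to your own baseline.

```python
"""Flag RDP brute-force and password-spray activity in Windows Security events.

Added example, not code from the original post. It assumes failed-logon
records (Event ID 4625) have been exported from the Security log as dicts
with the fields Windows writes: TimeCreated, IpAddress, TargetUserName,
LogonType. LogonType 10 is RemoteInteractive (classic RDP); with Network
Level Authentication enabled, failed RDP logons are recorded as LogonType 3
because CredSSP rejects the credentials before a session exists, so both are
counted here (type 3 also covers SMB, so tune for your environment).
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = 4625
RDP_LOGON_TYPES = {10, 3}


def detect_rdp_attacks(events, window=timedelta(minutes=5),
                       fail_threshold=10, spray_threshold=5):
    """Return one finding per (source IP, kind) seen inside a sliding window.

    brute_force   : >= fail_threshold failures from one IP within `window`
    password_spray: >= spray_threshold distinct usernames from one IP within `window`
    The thresholds are assumed starting points, not Microsoft defaults.
    """
    recent = defaultdict(deque)   # ip -> deque of (timestamp, username) in window
    findings = {}                 # (ip, kind) -> finding dict (peak count kept)

    def record(kind, ip, q):
        key = (ip, kind)
        if key in findings and findings[key]["failures"] >= len(q):
            return
        findings[key] = {
            "ip": ip, "kind": kind, "failures": len(q),
            "distinct_users": len({u for _, u in q}),
            "first_seen": q[0][0].isoformat(), "last_seen": q[-1][0].isoformat(),
        }

    ordered = sorted(
        (e for e in events
         if e["EventID"] == FAILED_LOGON and e["LogonType"] in RDP_LOGON_TYPES),
        key=lambda e: e["TimeCreated"])
    for ev in ordered:
        ts = datetime.fromisoformat(ev["TimeCreated"])
        ip = ev["IpAddress"]
        q = recent[ip]
        q.append((ts, ev["TargetUserName"].lower()))
        while ts - q[0][0] > window:   # drop failures that fell out of the window
            q.popleft()
        if len(q) >= fail_threshold:
            record("brute_force", ip, q)
        if len({u for _, u in q}) >= spray_threshold:
            record("password_spray", ip, q)
    return sorted(findings.values(), key=lambda f: (f["ip"], f["kind"]))


def _event(base, offset_s, ip, user, logon_type=10, event_id=FAILED_LOGON):
    """Build one constructed Security-log record."""
    return {"EventID": event_id,
            "TimeCreated": (base + timedelta(seconds=offset_s)).isoformat(),
            "IpAddress": ip, "TargetUserName": user, "LogonType": logon_type}


_T0 = datetime(2022, 5, 30, 2, 10, 0)
# Constructed sample; the public addresses are RFC 5737 documentation ranges.
SAMPLE_EVENTS = (
    # 12 failures in two minutes against three accounts: classic brute force
    [_event(_T0, 10 * i, "203.0.113.10", ["Administrator", "admin", "backup"][i % 3])
     for i in range(12)]
    # one guess each against eight accounts over 3.5 minutes: a password spray
    + [_event(_T0, 30 * i, "198.51.100.7", f"user{i}", logon_type=3) for i in range(8)]
    # a user mistyping a password twice, then succeeding (4624 is ignored)
    + [_event(_T0, 0, "10.0.0.5", "jsmith"), _event(_T0, 15, "10.0.0.5", "jsmith"),
       _event(_T0, 30, "10.0.0.5", "jsmith", event_id=4624)]
    # a failed console logon (LogonType 2) is not RDP and is skipped
    + [_event(_T0, 40, "-", "svc_backup", logon_type=2)]
)

if __name__ == "__main__":
    for finding in detect_rdp_attacks(SAMPLE_EVENTS):
        print(finding)
```

    Run against a real export (for example the output of Get-WinEvent filtered on ID 4625, converted to the same dict shape), the two kinds of finding call for different responses: a brute-force source is a candidate for an immediate firewall block, while a spray indicates the attacker already holds a valid username list and the affected accounts should be reviewed.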


    RDP’s rising popularity

    The RDP client has shipped with every version of Microsoft Windows since Windows XP, and the server side (Remote Desktop Services) is built into the Pro, Enterprise and Server editions. Its use rose substantially during the pandemic as a way for staff forced to work from home to reach company servers from their laptops, phones and tablets. While it has undoubtedly been useful for remote access to corporate systems, RDP has become a favourite target for those with criminal intentions because:


    • Exposed RDP systems are easy to find: the service listens on a well-known default port, TCP 3389, and internet-wide port scanning quickly turns up every host that answers on it
    • Once found, a poorly configured system is easy to gain a foothold on: weak or reused passwords, no account lockout and no MFA let attackers brute-force or guess a valid login and obtain an interactive session from which to plant ransomware
    • Many RDP systems are weakly configured and left on the default port 3389, where any scanner will find them; moving to another port hides nothing from a service-fingerprinting scan, so only restricting who can reach the service helps
    • Tools and techniques for escalating privilege and obtaining admin rights on a compromised RDP host are widely known and freely available


    A twofold responsibility

    The rise in ransomware attacks arriving via RDP demonstrates how critical robust security practices are when configuring and using remote access tools and other business systems. Remember that security is a twofold responsibility within the business: first for the IT admins who set the rules and monitor activity, and second for all staff who use the tools. Whether they like it or not, all staff – from consultants to the CEO – who use tools such as RDP to do their work remotely have signed up for a role in securing their environment. It is not something to take lightly.


    To defend systems running RDP against unauthorized access, businesses should:


    • Have policies in place for remote access security, such as allowing RDP only over a VPN (virtual private network) or through a Remote Desktop Gateway, and only with MFA (multifactor authentication)
    • Make sure everyone complies with the rules, while also being prepared for an attack succeeding despite them
    • Never connect a server running RDP to both the organization's network and the internet until it is securely configured; an RDP listener should not be reachable directly from the internet at all
    • Make an inventory of all internet-facing assets and decide which genuinely need remote access. Where it is necessary, require long, unique passwords, enable account lockout and MFA, and allow connections only from the VPN
    • Harden and patch all remotely accessible devices. Enable Network Level Authentication (NLA), remove or disable all nonessential services and components, and configure settings for maximum security
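    The checklist above, together with the earlier point that exposed RDP is easy to find on its default port, reduces to checks an admin can run against an asset inventory. The following is an added example (not code from the original post or from ESET) that audits a constructed inventory against those rules: it flags any RDP listener reachable from outside an assumed VPN client range (10.8.0.0/16), treats a moved port as no control at all, and checks NLA, account lockout, MFA and patch age. The inventory field names, the host data and the 30-day patch policy are assumptions; the registry locations in the comments are the real ones Windows uses.

```python
"""Audit an RDP host inventory against basic hardening rules.

Added example, not code from the original post or from ESET. The inventory
layout (one dict per host) and the policy constants are assumptions; the
registry locations in the comments are the real ones Windows uses.
"""
import ipaddress
from datetime import date

VPN_NETWORKS = [ipaddress.ip_network("10.8.0.0/16")]  # assumed VPN client pool
MAX_PATCH_AGE_DAYS = 30                                # assumed patch policy
DEFAULT_RDP_PORT = 3389


def reaches_from_outside_vpn(rule, vpn_networks):
    """True if the rule's source range is not fully inside one VPN network."""
    src = ipaddress.ip_network(rule["source"], strict=False)
    return not any(src.subnet_of(vpn) for vpn in vpn_networks
                   if vpn.version == src.version)


def audit_host(host, vpn_networks=VPN_NETWORKS, today=date(2022, 5, 30)):
    """Return the list of findings for one host, in a fixed order."""
    findings = []
    # HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections = 0
    if not host.get("rdp_enabled", False):
        return findings                    # nothing listening, nothing to audit
    # ...\Terminal Server\WinStations\RDP-Tcp\PortNumber
    port = host.get("rdp_port", DEFAULT_RDP_PORT)
    exposing = [r for r in host.get("firewall_rules", [])
                if r["action"] == "allow" and r["proto"] == "tcp"
                and r["dport"] == port and reaches_from_outside_vpn(r, vpn_networks)]
    if exposing:
        findings.append("rdp_reachable_outside_vpn")
        if port != DEFAULT_RDP_PORT:
            # scanners fingerprint the service, not the port number
            findings.append("non_default_port_is_not_a_control")
        if not host.get("mfa_required", False):
            findings.append("no_mfa_on_exposed_rdp")
    # ...\WinStations\RDP-Tcp\UserAuthentication = 1 requires NLA
    if not host.get("nla_enabled", False):
        findings.append("nla_disabled")
    # An account lockout threshold of 0 means accounts are never locked out
    if host.get("lockout_threshold", 0) == 0:
        findings.append("no_account_lockout")
    if (today - host["last_patched"]).days > MAX_PATCH_AGE_DAYS:
        findings.append("patch_overdue")
    return findings


def audit_inventory(inventory, **kwargs):
    """Map host name -> findings for every host in the inventory."""
    return {h["name"]: audit_host(h, **kwargs) for h in inventory}


# Constructed inventory; 203.0.113.0/24 is an RFC 5737 documentation range
# standing in for an office's public address block.
SAMPLE_INVENTORY = [
    {   # exposed to the whole internet with every weak setting
        "name": "fileserver-01", "rdp_enabled": True,
        "firewall_rules": [{"action": "allow", "proto": "tcp", "dport": 3389, "source": "0.0.0.0/0"}],
        "nla_enabled": False, "lockout_threshold": 0, "mfa_required": False,
        "last_patched": date(2022, 1, 15),
    },
    {   # port moved and source limited to the office, but still not behind the VPN
        "name": "jump-02", "rdp_enabled": True, "rdp_port": 33890,
        "firewall_rules": [{"action": "allow", "proto": "tcp", "dport": 33890, "source": "203.0.113.0/24"}],
        "nla_enabled": True, "lockout_threshold": 5, "mfa_required": False,
        "last_patched": date(2022, 5, 20),
    },
    {   # hardened: VPN-only, NLA, lockout, MFA, recently patched
        "name": "app-03", "rdp_enabled": True,
        "firewall_rules": [{"action": "allow", "proto": "tcp", "dport": 3389, "source": "10.8.5.0/24"}],
        "nla_enabled": True, "lockout_threshold": 5, "mfa_required": True,
        "last_patched": date(2022, 5, 25),
    },
    {   # RDP switched off entirely
        "name": "web-04", "rdp_enabled": False, "last_patched": date(2022, 5, 25),
    },
]

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(f"{name}: {', '.join(findings) or 'OK'}")
```

    The exposure test deliberately asks whether the allowed source is contained in the VPN range rather than whether it is "private" or "small": jump-02 is restricted to a single /24, yet that /24 is still reachable from the public internet, so it is reported alongside the host that is open to the world.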


    Layers of protection are required

    RDP has become a critical component of today's hybrid workplace, but it has also given attackers a pathway into corporate systems on which to implant ransomware. Deep IT admin skills, hardened system settings and an improved security culture are all critical to meeting the security demands of hybrid work and the large uptick in remote access, collaboration and productivity platforms.


    All of this needs to be underpinned by robust, award-winning cybersecurity solutions that protect your company endpoints, data and users.



    Read also

    Ransomware: What SMBs should know

    Ransomware is one of the biggest threats to businesses today, and with new attacks hitting the news on a daily basis, the risk can seem overwhelming. But what actually is ransomware, and how can businesses protect themselves? In this series, we will take an in-depth look at ransomware, highlighting specific methods of attack such as email compromise, vulnerabilities and the Remote Desktop Protocol, delving into supply chain attacks, and giving advice on how businesses can mitigate the risk.

    Ransomware: How to provide a valuable layer of protection to email

    As we discussed in our blog exploring Remote Desktop Protocol, ransomware is on the rise, and has been exacerbated by the current work-from-home trend. While the bad guys use many attack vectors to attempt to infiltrate your systems and plant ransomware, the most popular – by far – remains email.

    Ransomware: The need to protect the weakest link, your supply chain

    So far in our ransomware series, we have looked at the basics of ransomware, Remote Desktop Protocol and email compromises. In this blog, we take a look at how businesses can be attacked through their supply chains.

    Ransomware: A game of cat and mouse

    In previous blogs we focused on how cybercriminals utilize vulnerabilities in Remote Desktop Protocol (RDP), email and supply chains to drop ransomware onto an organization’s systems. Although these are popular methods, they are by no means the only techniques used by those with malicious intent.

    Ransomware: How to protect your company against attacks

    Ransomware is one of the most potent threats to modern business, targeting organizations both large and small. To conclude our series exploring the various techniques used by cybercriminals to drop ransomware on corporate networks, we'll explore what organizations can do to ensure they can mitigate the risk.

    A vector that can be misused by cybercriminals: How to protect your company from the risks related to RDP

    Remote Desktop Protocol (RDP) has become an important tool for managing company networks in an era of hybrid workspaces. However, an unsecured RDP endpoint makes a vector that offers cybercriminals significant benefits when they attempt to attack your systems. What malicious activities might threat actors perform via RDP, and how do you prevent them from doing so?

    How to Create a Secure and Productive Remote Office

    When a crisis hits, be ready to switch to teleworking. That is just one of the lessons COVID-19 has taught companies all around the world. Remote working should go hand in hand with extra cybersecurity measures – here’s how to achieve them.