Unsecured RDP Endpoints Attract Ransomware Gangs

RDP tops the charts

• According to Recorded Future, RDP is the most common intrusion method used by threat actors—to gain access to Windows computers and install malware—for most ransomware attacks in 2020.
• Cybercriminals scan the internet for RDP endpoints and then conduct brute-force attacks against several systems, trying to crack user credentials. Systems using weak usernames and passwords are impacted and put up for sale on RDP shops—websites where access to hacked systems is sold to attackers.

The traditional recipe

• At first, they use open source port-scanning tools to scan for exposed RDP ports online and then try gaining access to a system using brute-force tools or stolen credentials purchased from black markets.
• Once the attackers gain access to the target system, they make the network vulnerable by deleting backups, disabling antivirus software, or changing configuration settings.
• After disabling the security systems and making the network vulnerable, attackers deliver malware payloads. The process involves installing ransomware, using infected machines to distribute spam, deploying keyloggers, or installing backdoors to be used for future attacks.

Recent RDP attacks

• Researchers at Group-IB have identified Iran-based low-skilled hackers that find victims by scanning IP addresses on the internet for exposed RDP connections. These hackers were found deploying Dharma ransomware to target companies in China, Russia, Japan, and India.
• Recently, Nuspire spotted an attacker, dubbed TrueFighter, that has resurfaced and is known to steal RDP credentials or access and then sell them on the dark web. Active in various underground communities, TrueFighter specializes in selling compromised RDP accounts that provide remote administrative access to the networks of victim organizations.

Be ready with a plan