Remote Desktop Protocol Being Used to Install Ransomware

What Is It?

Remote Desktop Protocol (RDP) is the protocol behind Microsoft Windows Remote Desktop Services; it provides a full graphical, interactive session on a system located elsewhere on the network.

RDP is commonly used by IT administrators and IT support teams to access systems, particularly those in different geographical locations. As RDP comes with Windows, it is easy to utilize for this purpose and requires no additional hardware or software costs.

RDP needs care even inside a corporate network, because it hands out a full interactive session, frequently with administrator rights, but having RDP running on internet facing systems is a significant security issue. The Shodan search engine, which lets internet facing systems and devices be searched by the services they expose, currently shows over 3.1 million internet facing systems with RDP listening on its default TCP port, 3389. Too often the accounts behind them have weak, reused or even blank passwords, so an attacker can brute-force or simply guess the credentials and walk straight into an interactive session on the machine.

In recent months there have been numerous reports of attackers installing and executing ransomware on systems after gaining access to them via RDP. In a recent report, Bleeping Computer described two new variants of Matrix ransomware being installed via RDP. A strong indication that the attackers designed these variants for hands-on delivery over RDP is that, while running, the ransomware opens two windows showing the progress of file encryption and of the scan for network shares; an attacker who already holds an interactive session has no reason for the stealth that most malware relies on. The second variant also runs the built-in Windows tool cipher.exe (whose /w switch overwrites unused disk space) against the C: drive, so that file recovery tools cannot restore the original, unencrypted copies of the files it has encrypted.

Leaving systems running RDP connected directly to the internet offers attackers a potentially devastating attack vector, and ransomware is only one of the payloads it can be used to deliver. Systems running RDP should be reachable from outside the corporate network only through a VPN, every account permitted to log on remotely should have a strong, unique password, and an account lockout policy should be in place so that a brute-force attack is stopped after a handful of failures rather than being allowed to run for hours. Two further controls are worth adding: enable Network Level Authentication (NLA) on the RDP listener so that credentials are checked before a session is created, and monitor failed logon events (Windows Security Event ID 4625) for bursts from a single source, so that brute-force attempts are noticed even when they stay under the lockout threshold.

How Does It Propagate?

The malware does not self-propagate.

As described above, the attack vector for this ransomware is internet facing systems running RDP behind weak credentials and without lockout or monitoring controls, which lets them be compromised by brute-force password attacks.
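The two controls discussed above, spotting an RDP brute-force attack in the Windows Security log and letting an account lockout policy stop it, as an added example. This is not BluVector's code and not the ransomware's code; the events are constructed samples shaped like exported Security log entries (Event ID 4625 = failed logon, 4624 = successful logon, LogonType 10 = RemoteInteractive, i.e. RDP), the IP addresses are from documentation ranges, and the account names and timestamps are invented:

```python
"""
RDP brute-force detection over Windows Security events, plus a replay of the
account-lockout policy the report recommends.

Added example: not BluVector code and not the ransomware's code. The events
below are constructed samples (not real log data) shaped like Windows Security
log entries; the IP addresses are from documentation ranges.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10  # RemoteInteractive: Remote Desktop / Terminal Services


def _ev(event_id, when, user, ip, logon_type=RDP_LOGON_TYPE):
    """Build one event in the shape a log exporter would hand us."""
    return {"EventID": event_id, "TimeCreated": when, "LogonType": logon_type,
            "TargetUserName": user, "IpAddress": ip}


T0 = datetime(2018, 10, 30, 2, 0, 0)  # start of the attacker's run (arbitrary)

EVENTS = (
    # A real user mistypes their password twice, then gets in.
    [_ev(4625, datetime(2018, 10, 30, 1, 0, 0), "jsmith", "198.51.100.12"),
     _ev(4625, datetime(2018, 10, 30, 1, 20, 0), "jsmith", "198.51.100.12"),
     _ev(4624, datetime(2018, 10, 30, 1, 21, 0), "jsmith", "198.51.100.12"),
     # One LogonType 3 (network) failure from the attacker against another account.
     _ev(4625, datetime(2018, 10, 30, 1, 59, 50), "admin", "203.0.113.7", 3)]
    # Attacker: 40 RDP password failures six seconds apart, then a success.
    + [_ev(4625, T0 + timedelta(seconds=6 * i), "administrator", "203.0.113.7")
       for i in range(40)]
    + [_ev(4624, T0 + timedelta(seconds=250), "administrator", "203.0.113.7"),
       # The same account used legitimately from the LAN an hour later.
       _ev(4624, datetime(2018, 10, 30, 3, 0, 0), "administrator", "10.0.0.5")]
)


def detect_bruteforce(events, threshold=10, window=timedelta(minutes=5),
                      logon_types=(RDP_LOGON_TYPE,)):
    """Alert on a source IP once it accumulates `threshold` failed logons of the
    given logon types inside any `window`-long interval (sliding window)."""
    failures = defaultdict(list)
    for e in events:
        if e["EventID"] == 4625 and e["LogonType"] in logon_types:
            failures[e["IpAddress"]].append(e)
    alerts = {}
    for ip, fails in failures.items():
        fails.sort(key=lambda e: e["TimeCreated"])
        times = [e["TimeCreated"] for e in fails]
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1  # slide the window forward past stale failures
            if end - start + 1 >= threshold:
                alerts[ip] = {"first_seen": times[start], "alert_at": times[end],
                              "count": end - start + 1,
                              "accounts": sorted({e["TargetUserName"] for e in fails})}
                break
    return alerts


def simulate_lockout(events, threshold=10, reset_after=timedelta(minutes=30),
                     duration=timedelta(minutes=30)):
    """Replay logons per account under a Windows-style lockout policy: `threshold`
    bad passwords within `reset_after` lock the account for `duration`; a
    threshold of 0 means no lockout policy, as in Windows. Reports when each
    account first locked and which successful logons (4624) would have been
    refused because the account was locked at that moment."""
    by_account = defaultdict(list)
    for e in events:
        if e["EventID"] in (4624, 4625):
            by_account[e["TargetUserName"]].append(e)
    result = {}
    for acct, evs in by_account.items():
        evs.sort(key=lambda e: e["TimeCreated"])
        bad, last_bad, locked_until = 0, None, None
        r = {"locked_at": None, "blocked_logons": [], "allowed_logons": []}
        for e in evs:
            t = e["TimeCreated"]
            if locked_until is not None and t >= locked_until:
                bad, last_bad, locked_until = 0, None, None  # lockout expired
            if locked_until is not None:
                if e["EventID"] == 4624:  # right password, but the account is locked
                    r["blocked_logons"].append(t)
                continue
            if e["EventID"] == 4625:
                if last_bad is not None and t - last_bad > reset_after:
                    bad = 0  # counter reset: the last failure is too long ago
                bad, last_bad = bad + 1, t
                if threshold and bad >= threshold:
                    locked_until = t + duration
                    r["locked_at"] = r["locked_at"] or t
            else:
                r["allowed_logons"].append(t)
                bad, last_bad = 0, None  # a successful logon clears the counter
        result[acct] = r
    return result
```

With the defaults, `detect_bruteforce(EVENTS)` raises an alert for 203.0.113.7 at the tenth failure (54 seconds into the run) and ignores jsmith's two typos, and `simulate_lockout(EVENTS)` shows the administrator account locking at that same tenth failure, so the attacker's later correct password is refused, while the legitimate LAN logon an hour later is allowed once the lockout has expired; calling it with `threshold=0` shows the attacker walking in. Two caveats when pointing this at real logs: with NLA enabled, failed RDP authentications are commonly recorded with LogonType 3 rather than 10, so a production filter should pass `logon_types=(3, 10)` (which also makes the example catch the attacker two events earlier), and the simulation models the three Windows settings (lockout threshold, reset counter after, lockout duration) in their simplest form, with a duration of 0 (locked until an administrator unlocks) not modelled.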

When/How Did BluVector Detect It?

Both variants were detected by BluVector’s patented Machine Learning Engine (MLE). Regression testing has shown both variants would have been detected by all previous MLE models, resulting in detection 52 months prior to their release into the wild.
