Remote Desktop Protocol Use in Ransomware Attacks

Increased remote work during the pandemic has led to a rise in RDP attacks. Here’s how you can provide remote access safely.

According to the 2020 Unit 42 Incident Response and Data Breach Report, remote desktop protocol (RDP) services were the initial attack vector in 50% of ransomware deployment cases. RDP services have been a popular attack vector for years, particularly against small enterprises, where phishing emails may not be as successful. However, the COVID-19 pandemic and the subsequent shift to working from home have made RDP attacks even more prevalent.

Remote desktop protocol is used to provide remote access to a system. A common use case is a remote IT company taking control of your computer to troubleshoot an issue. That is a legitimate use of RDP, but as you might imagine, the same access in the hands of a threat actor can be extremely damaging: they have the same level of access as the user whose machine they have taken over. Even if that user’s access is limited, once inside the network the hacker can use other methods to escalate their access, with potentially disastrous consequences.


How Does an RDP Attack Work?

Remote Desktop Protocol uses port 3389 as its default listening port. Attackers know this and can run a script that scans the internet for systems with port 3389 left exposed. Once an exposed host is found, the threat actor still has to obtain valid login credentials, which they can do through any of the usual methods, such as social engineering or, very often, brute-force password guessing. Once inside, they can leave backdoors for future access or deploy ransomware.

How Can You Prevent an RDP Attack?

There are plenty of ways you can protect yourself from an RDP attack.

  • Secure your RDP ports: The best way to ensure your organization is not the victim of an RDP attack is to make sure your RDP ports are not left open to the internet. Often this is accomplished with a virtual private network (VPN), which acts as an encrypted tunnel to provide secure access. This has been the fix for many organizations that began working remotely during the pandemic, but VPNs have a major downside: once connected, a user typically has general access to the network. The alternative to a VPN is Remote Desktop Gateway, which puts RDP access behind a secure gateway that grants access only to specific network resources rather than the entire network, in keeping with the principle of least privilege.
  • Limit access: Not every device on your network needs RDP access. Turning RDP off, and blocking it, on the devices that don’t need it will limit your exposure. You can also use an allow-list so that only approved IP addresses may connect to the RDP server, and create a rule in your network firewall so that RDP on any system behind the firewall is not reachable from the internet.
  • Make it harder to log in with stolen credentials: All of the best practices for password protection apply here too. Implement multi-factor authentication and limit failed login attempts to defeat brute-force attacks. You can also require network-level authentication, so that a user must authenticate before a remote desktop session is established.
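The attack pattern described above (a scanner finds an exposed RDP listener, then guesses credentials) and the allow-list and failed-login controls in the list leave a visible trail in the Windows Security log. The script below is an added example, not code from RH-ISAC or the Unit 42 report: it runs the two checks a defender would want over a handful of constructed logon events, flagging a source address that reaches a threshold of failed RDP logons (event 4625, logon type 10) inside a short window, and any successful RDP logon (event 4624, logon type 10) from an address outside the allow-list. The allow-listed ranges, the threshold of five failures in five minutes, the sample addresses and the account names are all assumptions made up for the example.

```python
"""RDP logon triage: flag brute-force bursts and logons from outside the allow-list.

Added example, not from the original post. Events are a constructed, simplified
form of Windows Security log entries: 4625 = failed logon, 4624 = successful
logon, logon type 10 = RemoteInteractive (an RDP session).
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

RDP_LOGON_TYPE = 10
FAILED_LOGON = 4625
SUCCESS_LOGON = 4624

# Assumed policy: only these source ranges may reach the RDP server (the post's allow-list advice).
ALLOWED_SOURCES = [ip_network("10.0.0.0/8"), ip_network("192.168.50.0/24")]
# Assumed threshold: this many failures from one source inside WINDOW is treated as brute force.
FAIL_THRESHOLD = 5
WINDOW = timedelta(minutes=5)

# Constructed sample events: (timestamp, event id, logon type, account, source ip).
SAMPLE_EVENTS = [
    ("2024-03-01T02:00:01", 4625, 10, "administrator", "203.0.113.7"),
    ("2024-03-01T02:00:03", 4625, 10, "admin", "203.0.113.7"),
    ("2024-03-01T02:00:05", 4625, 10, "backup", "203.0.113.7"),
    ("2024-03-01T02:00:07", 4625, 10, "jsmith", "203.0.113.7"),
    ("2024-03-01T02:00:09", 4625, 10, "jsmith", "203.0.113.7"),
    ("2024-03-01T02:00:11", 4624, 10, "jsmith", "203.0.113.7"),   # guess succeeded
    ("2024-03-01T09:15:00", 4625, 10, "mlee", "192.168.50.12"),   # one typo from an allowed range
    ("2024-03-01T09:15:20", 4624, 10, "mlee", "192.168.50.12"),
    ("2024-03-01T09:30:00", 4624, 3, "svc-backup", "198.51.100.4"),  # network logon, not RDP
]


def parse_event(raw):
    """Turn one raw tuple into a dict with typed timestamp and address fields."""
    ts, event_id, logon_type, account, source = raw
    return {
        "ts": datetime.fromisoformat(ts),
        "event_id": event_id,
        "logon_type": logon_type,
        "account": account,
        "source": ip_address(source),
    }


def is_allowed_source(ip):
    """True when the source address falls inside an allow-listed range."""
    return any(ip in net for net in ALLOWED_SOURCES)


def rdp_failures_by_source(events):
    """Group failed RDP logons (4625 / logon type 10) by source, each list sorted by time."""
    grouped = defaultdict(list)
    for ev in events:
        if ev["event_id"] == FAILED_LOGON and ev["logon_type"] == RDP_LOGON_TYPE:
            grouped[ev["source"]].append(ev)
    for bucket in grouped.values():
        bucket.sort(key=lambda e: e["ts"])
    return grouped


def find_bruteforce(events):
    """Return {source: (peak failures inside one WINDOW, distinct accounts tried)}
    for every source that reaches FAIL_THRESHOLD, using a sliding time window."""
    hits = {}
    for source, fails in rdp_failures_by_source(events).items():
        start, peak = 0, 0
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > WINDOW:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= FAIL_THRESHOLD:
            hits[str(source)] = (peak, len({e["account"] for e in fails}))
    return hits


def find_out_of_policy_logons(events):
    """Successful RDP logons whose source is not on the allow-list."""
    return [
        (ev["ts"].isoformat(), ev["account"], str(ev["source"]))
        for ev in events
        if ev["event_id"] == SUCCESS_LOGON
        and ev["logon_type"] == RDP_LOGON_TYPE
        and not is_allowed_source(ev["source"])
    ]


def triage(raw_events):
    """Run both checks and return human-readable findings, brute-force hits first."""
    events = [parse_event(r) for r in raw_events]
    findings = []
    for src, (peak, n_accounts) in find_bruteforce(events).items():
        findings.append(f"brute-force: {src} made {peak} failed RDP logons within "
                        f"{WINDOW} against {n_accounts} account(s)")
    for ts, account, src in find_out_of_policy_logons(events):
        findings.append(f"out-of-policy logon: {account} from {src} at {ts}")
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print(line)
```

On the sample data the scanner's address trips both checks: five failures against four different accounts in eight seconds, followed by a successful logon from a range the allow-list never approved. The single failed attempt from the internal range is ignored, as is the non-RDP network logon. In production the same logic would be fed by a SIEM query for events 4625/4624 with logon type 10, and the allow-list should match the firewall rule that restricts who may reach the RDP server in the first place.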

Learn more ways to protect your organization from ransomware attacks with the resources available exclusively to members on RH-ISAC’s Member Exchange.

Not a member? See what RH-ISAC membership can do for you!
