Remote desktop attack – Ransom viruses! A US Trend we could well do without

It sounds like a ‘movie coming to a cinema near you soon’ when you hear that the FBI is now sufficiently concerned regarding cybercrime targeted at small to medium sized businesses to actually issue a word (or a hundred) of warning about the necessary protocols that must be recognised to ensure protection from this form of cyber-attack.

Remote desktop attacks – It’s not fiction.

It’s real and it’s coming to a desktop near you soon, unless you make sure the security settings around your Remote Desktop Protocol (RDP) service are suitably enforced. The notice said RDP attacks have been on the rise since 2016, with attackers using open RDP ports to take over machines or intercept RDP sessions. Their end game is to inject various types of malware into the system being remotely accessed. In other cases, computers with remote desktop protocol software on board have been victimised when attackers used brute-force techniques to gain usernames and passwords.

In a nutshell

What was a ‘bit’ of an issue in 2016 is now something of global concern regardless of who or where you are. Attackers use open RDP ports to take control of machines and/or intercept RDP sessions. To make matters worse – attackers are now deploying brute-force techniques to gain usernames and passwords and steal your Remote Desktop identity. In all cases particularly nasty malware is injected into your system, encrypting your data, shortly followed by a kind invitation from the attackers to pay them lots of cash to reverse the infection.

Whatever way these hackers compromise your Remote Desktop facility – it’s bad news all round!
CrySIS, Crypto and SamSam ransomware have all been spread through RDP attacks.
For those hackers with less talent – there is an opportunity to purchase stolen RDP credentials on the Dark Web from the more talented criminals who clearly want to get as much coin as possible from their theft!

Qi has had recent and close-up experience of ransomware which used the brute-force method to gain access to RDP sessions, which then allowed attackers to manually execute malicious programs on the compromised machine of one of our clients.

Back-ups enabled data to be restored (excepting 24 hours’ worth), which is the best-case scenario a small to medium sized business could expect when deploying what is deemed to be a reasonable spend on back-up. Qi always recommends a suitably robust strategy to include a UTM, which is increasingly not a nicety but a necessity.
No ransom was paid, but the virus disrupted business for a day and caused sweaty palms all round.
Firewalls/UTMs are a given – they have to be – but there is more to be done to increase protection levels.

Recommendations to protect a system against a remote desktop attack

  • Enable strong passwords and account lockout policies to defend against brute-force attacks.
  • Apply two-factor authentication, where possible.
  • Apply system and software updates regularly.
  • Maintain a good back-up strategy.
  • Disable the service if unneeded or install available patches.
  • Enable logging and ensure logging mechanisms capture RDP logins.
  • Minimize network exposure for all control system devices. Where possible, critical devices should not have RDP enabled.
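The logging recommendation is only useful if somebody looks at what gets logged. As an added example (not part of the original post or of any Qi tooling), the script below triages RDP logon records for exactly the pattern described above: a run of failed guesses from one address, a success from that same address, and any successful RDP login from outside the support company’s own address range. Windows Event IDs 4625 (failed logon), 4624 (successful logon) and Logon Type 10 (RemoteInteractive, i.e. RDP) are real Windows values; the event records and the 203.0.113.0/24 “office range” are constructed.

```python
"""Triage of RDP logon records: brute-force sources, sources that eventually
got in, and logins from outside the support company's address range.
Windows Security log: Event ID 4625 = failed logon, 4624 = successful logon,
Logon Type 10 = RemoteInteractive (RDP)."""
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample records, not real log data: six password guesses from one
# address, then a success, a legitimate office login, and some noise.
EVENTS = [
    *({"id": 4625, "logon_type": 10, "user": u, "src": "198.51.100.23"}
      for u in ("admin", "administrator", "admin", "backup", "admin", "sa")),
    {"id": 4624, "logon_type": 10, "user": "admin", "src": "198.51.100.23"},  # guess succeeds
    {"id": 4624, "logon_type": 10, "user": "support", "src": "203.0.113.10"},  # support office
    {"id": 4625, "logon_type": 3, "user": "admin", "src": "198.51.100.23"},    # network logon, not RDP
    {"id": 4625, "logon_type": 10, "user": "jane", "src": "192.0.2.7"},        # single typo
]

# Hypothetical: the support company's office range, the only place RDP should come from.
ALLOWED_SOURCES = [ip_network("203.0.113.0/24")]


def rdp_events(events):
    """Keep RemoteInteractive logons only; other logon types are out of scope here."""
    return [e for e in events if e["logon_type"] == 10]


def brute_force_sources(events, threshold=5):
    """Addresses with at least `threshold` failed RDP logons, with their counts."""
    counts = Counter(e["src"] for e in rdp_events(events) if e["id"] == 4625)
    return {src: n for src, n in counts.items() if n >= threshold}


def compromised_sources(events, threshold=5):
    """Brute-force sources that also achieved a successful RDP logon: treat the
    account as compromised and check the host for anything dropped or run."""
    successes = {e["src"] for e in rdp_events(events) if e["id"] == 4624}
    return sorted(set(brute_force_sources(events, threshold)) & successes)


def out_of_policy_logins(events, allowed=ALLOWED_SOURCES):
    """Successful RDP logons from outside the allowed range: either the firewall
    scoping has not been applied or it has been bypassed."""
    return sorted({e["src"] for e in rdp_events(events) if e["id"] == 4624
                   and not any(ip_address(e["src"]) in net for net in allowed)})


if __name__ == "__main__":
    print("brute force:", brute_force_sources(EVENTS))
    print("compromised:", compromised_sources(EVENTS))
    print("outside policy:", out_of_policy_logins(EVENTS))
```

Feed it real records (for example exported with Get-WinEvent from the Security log) and a source that shows up in all three lists is the one to act on first: lock the account, reset its password and check the machine before anything else happens.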

In conclusion

Many companies, notably small businesses, outsource their IT to, or pay for lots of help from, outside contractors. Qi, for example, is one of those contractors.

These contractors might live in another part of town, or elsewhere in the country, or even on the other side of the world. Our customers are based around the UK.

RDP connections should only be accessible from the physical building of your support company. This ensures that random login pages cannot be called up unless you are inside the building which means dirty hackers can’t spend hours of their lives trying to brute-force passwords until they strike gold. Gold which they will be wanting to take from your account in exchange for removing the encryption virus they have so generously shared with you.

Qi has already deployed maximum security protocol where possible for all of its hardware and network support customers since encountering RDP attacks.

Thought For the Day

If you’re using a third-party IT company and they haven’t already suggested the precautions we’ve listed above, why not ask them why, and ask yourself if they’re the right people to be looking after your network?