Ransomware attacks via RDP on the rise

Remote Desktop Protocol (RDP)

RDP stands for Remote Desktop Protocol, which is a proprietary network protocol developed by Microsoft in the 90s, which can be used to login to a system remotely and control the resources and data of the system as a remote administration tool. And is being used by the cyber attackers as a primary attack vector to exploit windows systems and spread ransomware.

How you get infected

In order to authenticate users to establish the remote desktop connection a username and a password should be provided. So, vulnerabilities like

  • weak passwords,
  • outdated versions of RDP
  • Allowing unlimited login attempts to users
  • Allowing unrestricted access to the default RDP port (TCP 3389) will attract cyber attackers and sooner or later.

An attacker will also use social engineering techniques such as phishing and you will be tricked to download and open office documents in macro enabled mode or user will be tricked to install a trojan.


  • CryptON also known as Nemesis or X3M ransomware targets Windows servers and uses RDP brute-forcing to gain access. An attacker will manually launch the ransomware inside the system after gaining the access. It will encrypt all types of files excluding C:\Windows, C:\Program Files, and the user profile folder to avoid impacting the boot operation. And they keep producing new versions like Cry9 in 4/4/2017, Cry128 in 5/1/2017.
  • Crisis ransomware uses the same brute-forcing and dictionary-based techniques through open RDP ports and also malicious spam emails and trojans. When a system is infected, it will encrypt all the files on fixed, removable and network storages except system files and files related to the ransomware and modify the registry logs.
  • Samsam ransomware also uses RDP to exploit systems. In July 2018, Samsam threat actors used a brute-force attack on RDP login credentials to infiltrate a healthcare company. The ransomware was able to encrypt thousands of machines before detection. [3]
  • Stolen RDP credentials will be sold in the deep dark web.

And these cyber criminals will demand you a ransom in bitcoins as payments for the decryption and there is no guarantee that paying the ransom will give your data back.

How to protect your RDP

  • Public IP’s of cloud-based instances should not have open RDP ports especially port 3389 and if you must have it place it behind a firewall and access it using a Virtual Private Network (VPN) through the firewall.
  • make sure all your RDP hosts are enforcing Network Layer Authentication (NLA) so attackers can’t get a full GUI windows connection until they provide credentials.
  • Disable the service if you don’t use it [2] or never skip the security patches and software updates regularly so you can detect malicious activities.
  • To defend against brute-force and dictionary attacks enable strong passwords, two factor authentication and account lockout policies.
  • Limit access to specific IP’s [4] and change the RDP port [5], so port scanners looking for open RDP ports won’t see you.
  • Keep logs about RDP logins and review them regularly.
  • Ensure third parties that require RDP access are required to follow internal policies on remote access.
  • Do not expose critical network devices of your organization to public and reduce it as much as possible and they must not have RDP enabled.
  • Always keep backups of your critical data.
  • You can use Remote Desktop Gateway (RDG), which is encrypted using SSL too [6]. And implementing a 2-factor authentication solution is highly recommended, regardless of whether you use RDG or a VPN to mitigate brute-forcing.


  1. https://www.ic3.gov/media/2018/180927.aspx
  2. https://blog.malwarebytes.com/security-world/business-security-world/2018/08/protect-rdp-access-ransomware-attacks/
  3. https://www.cyber.nj.gov/threat-profiles/ransomware-variants/
  4. https://support.managed.com/kb/a2499/restrict-rdp-access-by-ip-address.aspx
  5. https://tunecomp.net/change-remote-desktop-port-windows-10/
  6. https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd983941(v=ws.10)
Privacy Preferences
When you visit our website, it may store information through your browser from specific services, usually in form of cookies. Here you can change your privacy preferences. Please note that blocking some types of cookies may impact your experience on our website and the services we offer.