September Scam of the Month: RDP Servers Hit with Ransomware

September 27, 2017 | By

About once a quarter, we see an attack of ransomware on a server. Originally, we thought this was just another human error (someone clicking on a phish), and we warned people not to read email or use a web browser on a server. However, what we found after helping to clean a few of these infections up was that it wasn’t human error at the root of this problem—it was basic security hygiene.

CRYSIS is a strain of ransomware that scans the internet for insecure RDP servers. The ransomware probes for weak administrator passwords on servers, and if it succeeds at finding weak credentials and logging in, it then encrypts data and spreads to any attached network drive. Here is what we know about these attacks and some simple steps you can take to keep your company safe.

What RDP Server Ransomware Looks Like

Ransomware such as CRYSIS is constantly scanning the Internet for open RDP servers. If you have a server exposed, it’s highly likely this or something like it will find eventually find that server.

When the ransomware does find an RDP server, it will attempt to guess a number of common passwords such as “password” or “administrator” in order to gain access. If you have set your administrator password as one of these weak passwords, boom! The ransomware will be in… as an admin. Yikes.

Just like any other ransomware, it will make quick work of encrypting all of the data on the server. If the server is connected to a network device, the ransomware will traverse it and encrypt network storage, mounted application server shares, and more. The ransomware will find everything the server has access to and make cleanup a real nightmare, especially for small businesses.

Sometimes these attacks hit test servers, other times they hit real servers, and we have even seen this ransomware make its way into a managed service provider’s infrastructure, where it can do major damage.

Here is how to protect yourself.

5 Steps to Protect Against RDP-Based Ransomware

There are a few things you can do to protect your organization against these types of attacks.

Turn Off RDP If You Don’t Need It

If you don’t need remote access via RDP, turn it off. That stops this attack in its tracks.

Use Strong Administrator Passwords

Weak passwords are the main reason why this attack is successful. A simple way to prevent this attack is to never allow weak or reused passwords in your organization. For some hints on how to do this, see our best practices here.

In addition to strong passwords, we suggest deploying two-factor if your RDP service supports it.

Provision Individual Admin Accounts

Only use your Administrator account on your server to provision individual Local or Group administrator accounts. Once you’ve provisioned the individual accounts, change the Administrator user password to something long and random, write it down, and lock it somewhere secure.

Disallow Email and Web Browsing On Servers

Servers shouldn’t be used to browse or read email. These are some of the most dangerous activities on the Internet, because they expose you to phishing and other types of attacks. Don’t expose your server infrastructure unnecessarily. Even if you don’t have a technical way to enforce this, write it in the security policy for your company.

Restrict Remote Access

Restrict where it is possible to access remote desktops from, using a firewall or other security control. This way, it’s not the case that anything or anyone (including attackers) on the internet can talk to your servers.

With these five simple steps, you can keep your infrastructure free of ransomware. Concerned about how your security program measures up against different types of attacks? Download our security grader to find out!

Security Grader Download