Many businesses have been forced to pivot to remote work environments in the wake of the COVID-19 pandemic. Unfortunately, this change may have increased exposure potential for remote desktop protocol (RDP) attacks.
When global lockdowns were initiated in early 2020, most organizations prioritized business continuity and remote access capabilities to the detriment of server, network and workstation security. The pandemic became a prime opportunity for attackers to launch RDP attacks by identifying public-facing servers with open ports and unpatched vulnerabilities, and working to exploit those weaknesses. Attackers then used common intrusion techniques, like brute force password attacks, to gain access to these organizations’ vulnerable infrastructure and data.
What is RDP?
Remote Desktop Protocol (RDP) is a network protocol developed by Microsoft that gives a user an interactive graphical session on a remote Windows server or workstation; the service listens on TCP port 3389 by default. Through RDP, users can operate those servers or devices from any location. RDP has become an increasingly useful business tool, permitting employees to retrieve files and applications stored on their organization's network while working from home, and giving IT departments the ability to diagnose and fix employees' technical problems remotely.
Unfortunately, internet-exposed RDP services are also a frequent initial-access vector for ransomware, in which a cybercriminal deploys malicious software that encrypts or locks a device (or many devices) and demands a large payment before restoring access. A recent report from Kaspersky found that nearly 1.3 million RDP-based attacks occur each day, and identified RDP as the top attack vector for ransomware incidents.
Don’t let RDP contribute to a costly ransomware incident for your organization. Review the following guidance to learn more about how ransomware attacks can occur via RDP and best practices for minimizing the likelihood of such an incident.
Ransomware attacks via RDP
RDP-based ransomware attacks usually stem from organizations leaving their RDP ports exposed to the internet. Although doing so can seem more convenient for employers in the scope of remote work operations, internet-exposed RDP ports are easy for cybercriminals to identify and offer a clear access point for deploying harmful attacks.
The typical process of an RDP-based ransomware attack is as follows:
- Scanning—First, a cybercriminal utilizes a port-scanning tool to search the internet for any exposed RDP ports. These scanning tools are often free and relatively simple to operate for attackers of varying skill levels.
- Gaining access—After identifying an exposed RDP port, the cybercriminal logs in with valid credentials. Attackers obtain these either by purchasing stolen credentials on the dark web or by running a brute-force tool that rapidly tries username and password combinations (typically starting with well-known accounts such as Administrator and common passwords) until one is accepted.
- Disabling security features—Once inside, the cybercriminal tries to leave the host as defenseless as possible by disabling or removing existing protections (e.g., antivirus and endpoint detection software, logging, and any backup or shadow-copy capability that would let the victim restore without paying).
- Executing the attack—From there, the cybercriminal steals sensitive data and deploys ransomware on the compromised server or device. Some attackers also install backdoors during this step so they can return even after the original entry point has been closed.
Like other ransomware incidents, RDP-based attacks can result in devastating ramifications for the impacted organization—including business interruption issues, reputational damages and large-scale financial loss.
Strengthening RDP against ransomware
Although RDP-based ransomware attacks have become increasingly common, there are several ways for you to bolster your organization’s RDP security and lessen the risk of such an incident impacting your operations. Consider the following best practices:
- Don't expose RDP to the internet. First and foremost, ensure that no RDP service is reachable from the internet: block inbound TCP 3389 (and any alternate port RDP has been moved to) at the perimeter firewall, and verify from outside your network that nothing answers on your public address ranges. Moving RDP to a non-standard port is not a control; internet-wide scanners recognize RDP by its protocol handshake, not by the port number.
- Put RDP behind a virtual private network (VPN). To keep the RDP port from ever being exposed, require remote employees to connect to a VPN first and reach RDP only over that tunnel. The VPN gateway then becomes your one internet-facing service, so it needs the same care: prompt patching, multifactor authentication and monitoring of its own logs.
- Strengthen authentication. Because cybercriminals need valid credentials to execute an RDP-based ransomware attack, make sure effective user authentication is in place. Require unique passwords for every account, long enough that they cannot be guessed quickly and free of common words, phrases or reused patterns; length and uniqueness matter more than a particular mix of special characters. Enable Network Level Authentication (NLA) so the client must authenticate before a session is created on the server, and require multifactor authentication for RDP access (for example at the VPN or Remote Desktop Gateway) as an extra layer of protection.
- Implement login attempt limits. To stop brute-force tools from guessing credentials, configure an account lockout policy (on Windows, the lockout threshold and observation window in the domain or local security policy) so that an account is locked after a set number of failed logons within a short period. Pair this with monitoring of failed logon events (Windows Security event ID 4625) so that a burst of failures from one source address raises an alert even before an account locks. Note that a lockout policy can also be turned against you to lock out legitimate users, so keep the threshold and lockout duration reasonable and alert on lockout events as well.
- Utilize adequate security software. Ensure all workplace technology is equipped with reputable security software, including antivirus or endpoint detection software, a host firewall and disk encryption, and consider a Remote Desktop Gateway so that RDP sessions reach internal hosts only through an authenticated gateway. Keep this software, and the operating system of every RDP host, fully patched.
- Restrict employee access. Uphold the principle of least privilege by granting RDP access only to employees who need it for their work, and only to the specific hosts they need: add named users or groups to the Remote Desktop Users group on those hosts rather than broad groups such as Domain Users. These employees should be trusted and trained in appropriate RDP usage. Granting unnecessary RDP permissions simply creates additional entry points.
- Have a plan. Lastly, make sure your organization has an effective cyber incident response plan that addresses RDP-based ransomware scenarios. The plan should require backups of critical data in multiple secure locations (both on-site and off-site), with at least one copy offline or otherwise unreachable from the production network, because an attacker with an RDP session will look for and destroy any backup they can reach. Test restores, practice the plan regularly with staff and update it as needed.
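Detection for the login attempt limit above, and for the brute-force-then-login pattern described under "Gaining access", as an added example that is not part of the original article: the script below reads a constructed flat-text export of Windows Security logon events (EventID 4625 failed logon, 4624 successful logon, LogonType 10 = RemoteInteractive, i.e. RDP), counts failures per source IP in a sliding time window, and reports every IP that crossed the threshold together with any later successful RDP logon from that same IP. The export format, the field names, the threshold and the window are assumptions made for this example; the sample lines are constructed.

```python
"""Flag RDP brute-force bursts, and brute force followed by a successful logon,
in Windows Security logon records.

Added example, not code from the original article. It assumes a flat-text
export in which each line carries the fields of a Windows Security event:
EventID 4625 = failed logon, 4624 = successful logon, LogonType 10 =
RemoteInteractive (an RDP session). The export format, the field names and
the sample lines below are all constructed for this example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = 4625
SUCCESSFUL_LOGON = 4624
RDP_LOGON_TYPE = 10

# Constructed sample export: 192.0.2.9 fails slowly (one attempt every five
# minutes), 203.0.113.7 fails in a burst and then logs in, 198.51.100.22 is a
# user who mistyped a password twice. One 203.0.113.7 line is LogonType 3
# (a network logon, not RDP) and must be ignored by the detector.
SAMPLE_LOG = """\
2024-03-01T01:00:00 EventID=4625 LogonType=10 TargetUserName=admin IpAddress=192.0.2.9
2024-03-01T01:05:00 EventID=4625 LogonType=10 TargetUserName=admin IpAddress=192.0.2.9
2024-03-01T01:10:00 EventID=4625 LogonType=10 TargetUserName=admin IpAddress=192.0.2.9
2024-03-01T01:15:00 EventID=4625 LogonType=10 TargetUserName=admin IpAddress=192.0.2.9
2024-03-01T01:20:00 EventID=4625 LogonType=10 TargetUserName=admin IpAddress=192.0.2.9
2024-03-01T02:10:01 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7
2024-03-01T02:10:05 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7
2024-03-01T02:10:09 EventID=4625 LogonType=3 TargetUserName=administrator IpAddress=203.0.113.7
2024-03-01T02:10:13 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7
2024-03-01T02:10:17 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7
2024-03-01T02:10:21 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7
2024-03-01T02:10:30 EventID=4624 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7
2024-03-01T02:15:00 EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.22
2024-03-01T02:15:30 EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.22
2024-03-01T02:16:00 EventID=4624 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.22
"""


def parse_line(line):
    """Parse '<ISO timestamp> Key=Value ...' into a dict with typed fields."""
    ts_text, *fields = line.split()
    event = dict(field.split("=", 1) for field in fields)
    event["ts"] = datetime.fromisoformat(ts_text)
    event["EventID"] = int(event["EventID"])
    event["LogonType"] = int(event["LogonType"])
    return event


def detect_rdp_bruteforce(log_text, threshold=5, window_seconds=120):
    """Return one alert per source IP that produced `threshold` or more failed
    RDP logons within a sliding window of `window_seconds`, recording any later
    successful RDP logon from the same IP (the attacker found a valid credential)."""
    window = timedelta(seconds=window_seconds)
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    recent_fails = defaultdict(deque)  # source IP -> failure timestamps still inside the window
    alerts = {}                        # source IP -> alert record
    for ev in events:
        if ev["LogonType"] != RDP_LOGON_TYPE:
            continue                   # only interactive RDP logons are in scope here
        ip = ev["IpAddress"]
        if ev["EventID"] == FAILED_LOGON:
            fails = recent_fails[ip]
            fails.append(ev["ts"])
            while ev["ts"] - fails[0] > window:  # age out failures older than the window
                fails.popleft()
            if len(fails) >= threshold:
                alert = alerts.setdefault(ip, {
                    "source_ip": ip, "first_fail": fails[0], "last_fail": ev["ts"],
                    "fail_count": 0, "success_account": None, "success_at": None})
                alert["last_fail"] = ev["ts"]
                alert["fail_count"] = max(alert["fail_count"], len(fails))
        elif ev["EventID"] == SUCCESSFUL_LOGON and ip in alerts:
            # A success after a burst of failures is the brute-force-then-login pattern.
            alerts[ip]["success_account"] = ev["TargetUserName"]
            alerts[ip]["success_at"] = ev["ts"]
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_LOG):
        status = (f"then logged in as {alert['success_account']} at {alert['success_at']}"
                  if alert["success_account"] else "no successful logon seen")
        print(f"{alert['source_ip']}: {alert['fail_count']} failed RDP logons "
              f"between {alert['first_fail']} and {alert['last_fail']}; {status}")
```

With the default two-minute window only 203.0.113.7 is reported, and it is reported with the account it eventually logged in as, which is the alert an incident responder most needs. The slow attempts from 192.0.2.9 never accumulate inside a short window, which is exactly how attackers stay under a lockout threshold; widening the window (for example to 30 minutes) catches them at the cost of more false positives from users who genuinely forget a password, so tune the threshold and window against your own logon volume.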
Cyber coverage to consider when fighting against ransomware
- Cyber Threats or Extortion: reimbursement for payment resulting from a threat to prevent access to your computer system, introduce a virus to your system, reveal your confidential information, or damage your brand or reputation by posting false comments on social media sites.
- System Damage: costs you incur to retrieve, restore or replace any of your computer programs that are lost or damaged.
- Business Interruption: replacement of your lost income resulting from a computer system outage because of a cyber attack.
- Regulatory Actions or Investigations: coverage for costs, expenses, fines and penalties as a result of a regulatory investigation arising out of an actual or suspected breach.
The level of coverage your business needs is based on your individual operations, and can vary depending on your range of exposure. It’s important to work with an Insurance Advisor that can identify your areas of risk, and customize a policy to fit your unique situation.
We can help you recover from a ransomware attack
Businesses are operating in an environment where it’s not a matter of IF a cyber attack will occur, it’s only a matter of when.
We need to take reasonable measures to reduce the likelihood of an attack, but we also need to be realistic and understand that inevitably, we’ll all deal with a cyber attack at some point.
The two most important questions you need to answer as a business owner are:
- Will I know how to respond when a cyber attack occurs?
- Will my business survive the devastating consequences of a cyber attack?
The planning you do today, the strategic partnerships you put in place, and the adequacy of your Cyber & Data Breach Insurance coverage are all critical components to confidently answering the question of ‘will my business survive after a cyber attack’ with a resounding ‘ABSOLUTELY.’
We understand the negative effects a cyber attack can have on your organization, we’ve seen first-hand how it impacts clients. We also know which insurance companies provide the broadest insurance coverage to help you recover after an attack occurs.
But we don’t stop there.
The best place to begin is with your own internal operations, the security measures you have in place, and the controls implemented to avert a data breach.
In addition to providing the Cyber & Data Breach Liability coverage, we can also provide you with several services that will help position your business for the best insurance premiums offered by the nation's strongest insurance carriers. Specifically, we can:
- Provide you with data security resources designed to help keep your data, and your network, safe
- Perform a cyber risk assessment of your business to help identify areas of weakness, and offer solutions to mitigate the exposures
- Help you develop and implement an incident response plan
To learn more about the ways we can help simply Request a Proposal and we’ll get to work right away.