Compromised RDP Servers Used in Corporate Ransomware Attacks

Researchers from Fox-IT have discovered a new attack vector for ransomware aimed at the enterprise. The attack itself is not new, but the combination of this attack with persistence and network analysis prior to activating the ransom is new to Fox-IT.

The NCC Group-owned IT security company said in a blog post today that there are three common methods for distributing ransomware: in weaponized attachments, through phishing links to poisoned sites, and via malvertising. However, the company says it has found a new method: “activating ransomware from a compromised remote desktop server.”

Attackers can leverage this approach by brute forcing their way into remote desktop servers that are connected to the Internet – or simply buying compromised credentials from the underground. Once in, they can use privilege escalation methods to seek domain admin status (if they haven’t already got it). However, Fox-IT notes that this isn’t always necessary “as the compromised user account might have access to all kinds of network shares with sensitive data.”

Once in, the attackers have the normal possibilities: data exfiltration, recruiting into a botnet, delivering spam – and now holding the company hostage with ransomware. If internal defenses and network segmentation can limit the reach of the compromised workstation, then the effect of the ransom will be similarly limited. However, if the attacker can get access to more company servers, then the effect and harm of the ransomware will be more critical. 

The key, suggests Fox-IT, is the victim’s ‘time to detect’ – and this depends on the effectiveness of the victim’s detection systems. The longer it takes, the more devastating the attack. In one instance investigated by Fox-IT, the attackers had been inside the network for weeks.

They did not immediately activate the ransomware. Instead they spent their time scanning and exploring the network, and understanding how and when company backups were undertaken. This allowed them to time their attack for maximum effect. 

“As soon as the ransomware was activated, no fixed ransom was demanded but negotiation by e-mail was required. As the attackers have a lot of knowledge of the compromised network and company, their position in the negotiation is stronger than when infection took place through a drive-by download or infected e-mail attachment. The demanded ransom,” notes the Fox-IT report, “reflects this and could be significantly higher.”

This new, and potentially more damaging, attack vector for ransomware demonstrates the need for layered defenses. First of all, suggests Fox-IT, remote desktop access should be deactivated if possible. If not possible, then user accounts with access should have strong passwords, preferably supported by a second factor. The channel should be encrypted to prevent eavesdropping on the connection. 

Once compromised, however, the only defense is rapid detection. There are many different products that can help in this detection: continuous log analysis, SIEMs, anomaly detection and network traffic analysis, for example. The danger is that if detection fails, or takes too long, it is not just the theft of data that is at risk, but the total loss of all data on the system.
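The continuous log analysis the article recommends can start with something as simple as watching for RDP brute forcing in Windows logon events. The following is an added example written for this article, not code from Fox-IT or SecurityWeek; it assumes a constructed, simplified log format (timestamp, Event ID, LogonType, account, source IP) rather than the real Windows XML, and the threshold and window values are arbitrary choices.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (not real logs), simplified from Windows Security events:
# "<timestamp> <EventID> <LogonType> <account> <source IP>"
# EventID 4625 = failed logon, 4624 = successful logon; LogonType 10 = RemoteInteractive (RDP).
SAMPLE_LOG = """\
2016-07-01T02:00:01 4625 10 administrator 203.0.113.7
2016-07-01T02:00:02 4625 10 administrator 203.0.113.7
2016-07-01T02:00:04 4625 10 admin 203.0.113.7
2016-07-01T02:00:05 4625 10 backup 203.0.113.7
2016-07-01T02:00:07 4625 10 administrator 203.0.113.7
2016-07-01T02:00:09 4624 10 backup 203.0.113.7
2016-07-01T02:10:00 4625 10 jsmith 198.51.100.4
2016-07-01T02:30:00 4624 10 jsmith 198.51.100.4
2016-07-01T03:00:00 4625 3 svc 203.0.113.9
"""

def parse_event(line):
    ts, event_id, logon_type, account, src = line.split()
    return datetime.fromisoformat(ts), int(event_id), int(logon_type), account, src

def detect_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Flag source IPs with >= threshold failed RDP logons inside the window, and
    any later successful RDP logon from such an IP (a likely brute-force success)."""
    failures = defaultdict(deque)   # source IP -> timestamps of recent RDP failures
    flagged = set()                 # source IPs already raised as brute forcing
    alerts = []
    for line in log_text.splitlines():
        ts, event_id, logon_type, account, src = parse_event(line)
        if logon_type != 10:        # only RemoteInteractive (RDP) logons matter here
            continue
        if event_id == 4625:
            recent = failures[src]
            recent.append(ts)
            while recent and ts - recent[0] > window:   # drop failures outside the window
                recent.popleft()
            if len(recent) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("rdp_bruteforce", src, account))
        elif event_id == 4624 and src in flagged:
            # The success after a burst of failures is the event worth paging someone for:
            # it is the point at which the article's "once in" scenario begins.
            alerts.append(("rdp_bruteforce_success", src, account))
    return alerts
```

Run against a real environment, the same logic applies to Event ID 4625/4624 records exported from the Security log or collected by a SIEM, with the threshold tuned to the organisation's normal failure rate.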


Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
