Researchers from Fox-IT have discovered a new attack vector for ransomware aimed at the enterprise. The attack itself is not new, but its combination with persistence and network reconnaissance prior to activating the ransomware is new to Fox-IT.
The NCC Group-owned IT security company said in a blog post today that there are three common methods for distributing ransomware: in weaponized attachments, through phishing links to poisoned sites, and via malvertising. However, the company says it has found a new method: “activating ransomware from a compromised remote desktop server.”
Attackers can leverage this approach by brute forcing their way into remote desktop servers that are connected to the Internet – or simply buying compromised credentials from the underground. Once in, they can use privilege escalation methods to seek domain admin status (if they haven’t already got it). However, Fox-IT notes that this isn’t always necessary “as the compromised user account might have access to all kinds of network shares with sensitive data.”
Once in, the attackers have the normal possibilities: data exfiltration, recruiting into a botnet, delivering spam – and now holding the company hostage with ransomware. If internal defenses and network segmentation can limit the reach of the compromised workstation, then the effect of the ransom will be similarly limited. However, if the attacker can get access to more company servers, then the effect and harm of the ransomware will be more critical.
The key, suggests Fox-IT, is the victim’s ‘time to detect’ – and this depends on the effectiveness of the victim’s detection systems. The longer it takes, the more devastating the attack. In one instance investigated by Fox-IT, the attackers had been inside the network for weeks.
They did not immediately activate the ransomware. Instead they spent their time scanning and exploring the network, and understanding how and when company backups were undertaken. This allowed them to time their attack for maximum effect.
“As soon as the ransomware was activated, no fixed ransom was demanded but negotiation by e-mail was required. As the attackers have a lot of knowledge of the compromised network and company, their position in the negotiation is stronger than when infection took place through a drive-by download or infected e-mail attachment. The demanded ransom,” notes the Fox-IT report, “reflects this and could be significantly higher.”
This new, and potentially more damaging, attack vector for ransomware demonstrates the need for layered defenses. First of all, suggests Fox-IT, remote desktop access should be deactivated if possible. If not possible, then user accounts with access should have strong passwords, preferably supported by a second factor. The channel should be encrypted to prevent eavesdropping on the connection.
Once compromised, however, the only defense is rapid detection. There are many different products that can help in this detection: continuous log analysis, SIEMs, anomaly detection and network traffic analysis, for example. The danger is that if detection fails, or takes too long, it is not just the theft of data that is at risk, but the total loss of all data on the system.
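The continuous log analysis mentioned above can be made concrete with a small detection rule for the entry technique the article describes: a burst of failed remote desktop logons from one source address followed by a successful one. The following is an added example written for this page, not code from Fox-IT or SecurityWeek. It assumes a simplified, constructed line format that carries only the Windows Security event fields the rule needs (event ID 4625 for a failed logon, 4624 for a successful one, logon type 10 for RemoteInteractive sessions); the sample log lines are constructed, use documentation IP ranges, and are not from the investigation the article reports.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed line format (an assumption, not a real export format):
# <ISO timestamp> EventID=<id> LogonType=<type> User=<account> SrcIP=<address>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"User=(?P<user>\S+) SrcIP=(?P<ip>\S+)$"
)

FAILED_LOGON = 4625       # Windows Security event: an account failed to log on
SUCCESSFUL_LOGON = 4624   # Windows Security event: an account was successfully logged on
REMOTE_INTERACTIVE = 10   # logon type used for RDP sessions


def parse_line(line):
    """Parse one constructed log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "event_id": int(m["eid"]),
        "logon_type": int(m["lt"]),
        "user": m["user"],
        "src_ip": m["ip"],
    }


def detect_rdp_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Return findings for source IPs with >= threshold failed RDP logons inside
    a sliding window, and a separate, higher-severity finding when a successful
    RDP logon from the same IP follows such a burst."""
    events = [e for e in map(parse_line, lines) if e and e["logon_type"] == REMOTE_INTERACTIVE]
    events.sort(key=lambda e: e["ts"])

    failures = defaultdict(list)  # src_ip -> timestamps of recent failures
    alerted = set()               # src_ips already reported for a burst
    findings = []

    for e in events:
        ip = e["src_ip"]
        # keep only failures still inside the window relative to this event
        failures[ip] = [t for t in failures[ip] if e["ts"] - t <= window]

        if e["event_id"] == FAILED_LOGON:
            failures[ip].append(e["ts"])
            if len(failures[ip]) >= threshold and ip not in alerted:
                alerted.add(ip)
                findings.append({"kind": "brute_force", "src_ip": ip,
                                 "failures": len(failures[ip]), "user": e["user"], "at": e["ts"]})
        elif e["event_id"] == SUCCESSFUL_LOGON and len(failures[ip]) >= threshold:
            # success after a burst of failures: the pattern behind a guessed or bought credential
            findings.append({"kind": "brute_force_success", "src_ip": ip,
                             "failures": len(failures[ip]), "user": e["user"], "at": e["ts"]})
    return findings


# Constructed sample log: six failed RDP logons from 203.0.113.7 within a minute,
# then a successful RDP logon from the same address; 198.51.100.20 is benign noise.
SAMPLE_LOG = """\
2016-07-21T02:10:00Z EventID=4625 LogonType=10 User=administrator SrcIP=203.0.113.7
2016-07-21T02:10:11Z EventID=4625 LogonType=10 User=administrator SrcIP=203.0.113.7
2016-07-21T02:10:15Z EventID=4624 LogonType=10 User=jdoe SrcIP=198.51.100.20
2016-07-21T02:10:22Z EventID=4625 LogonType=10 User=admin SrcIP=203.0.113.7
2016-07-21T02:10:30Z EventID=4625 LogonType=3 User=guest SrcIP=203.0.113.7
2016-07-21T02:10:33Z EventID=4625 LogonType=10 User=backup SrcIP=203.0.113.7
2016-07-21T02:10:44Z EventID=4625 LogonType=10 User=svc_backup SrcIP=203.0.113.7
2016-07-21T02:10:55Z EventID=4625 LogonType=10 User=svc_backup SrcIP=203.0.113.7
2016-07-21T02:11:06Z EventID=4624 LogonType=10 User=svc_backup SrcIP=203.0.113.7
2016-07-21T02:12:00Z EventID=4625 LogonType=10 User=jdoe SrcIP=198.51.100.20
"""

if __name__ == "__main__":
    for f in detect_rdp_bruteforce(SAMPLE_LOG.splitlines()):
        print(f"{f['at'].isoformat()} {f['kind']:<20} src={f['src_ip']} "
              f"user={f['user']} failures_in_window={f['failures']}")
```

The `brute_force_success` finding is the one worth paging on: it marks the moment a guessed or purchased credential starts working, which in the scenario described above is the beginning of the weeks-long dwell time rather than the end of the incident. The filter on logon type 10 is a simplification; on servers with Network Level Authentication enabled, failed attempts are commonly recorded with logon type 3, so a production rule would widen the filter accordingly and tune the threshold to the environment's normal failure rate.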
Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.