Virtual Event Today: Cloud & Data Security Summit - Join Event In-Progress
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

RDP Tops Email for Ransomware Distribution: Report

The Remote Desktop Protocol (RDP) is an increasingly popular distribution vector among ransomware operators, so popular in fact that it appears to have surpassed email, recent statistics from Webroot suggest.

The Remote Desktop Protocol (RDP) is an increasingly popular distribution vector among ransomware operators, so popular in fact that it appears to have surpassed email, recent statistics from Webroot suggest.

RDP attacks have been used for the distribution of malware for several years, but they have become a ransomware distribution vector only recently. 

Last year, numerous attacks that brute-forced RDP credentials for ransomware distribution were reported, including those involving Bucbi, Apocalypse, and Shade. In May 2016, Fox-IT suggested that RDP was indeed becoming a new infection vector in ransomware attacks, and Kaspersky Lab researchers in September associated the method with the distribution of Xpan in Brazil.

In February 2017, Trend Micro revealed that the Crysis ransomware was being distributed via RDP attacks too. While the method had been employed since September 2016, the number of such attacks doubled in January 2017 when compared to the previous months, the security firm said.

A chart published by Webroot this week shows that RDP is more widespread than email when it comes to ransomware vectors: 66% versus 33%. Historically, ransomware has been distributed via other methods as well, including exploit kits and malvertising, but the traffic associated with these vectors doesn’t not appear to be as popular.

“Over the last couple of months, the data we’ve seen underscores how important it is for system admins to secure RDP. Unsecured RDP essentially leaves the front door open for cybercriminals. And since modern criminals can just encrypt your data, instead of having to go through the trouble of stealing it, we shouldn’t make it any easier for them to get what they want,” the security firm notes.

Advertisement. Scroll to continue reading.

When it comes to ransomware families that use RDP, Crysis is the most prevalent. At the moment, the variant being distributed appends the “.wallet” extension to encrypted files, but around half a dozen other variants have been observed to date.

Other well-known pieces of ransomware that users should be aware of include Locky, Cerber, CryptoMix, or Samas, which emerged over a year ago and continue to wreak havoc. However, newer malware families are also worth taking into consideration, such as Spora, which was first detailed only this year.

Related: Hackers Using RDP Attacks to Install CRYSIS Ransomware

Related: Destructive KillDisk Malware Turns Into Ransomware

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

N-able has appointed Russell Rosa as Chief Revenue Officer.

Stacy O'Mara has joined Armadin as Chief Policy Officer and Director of Global Government Affairs.

F5 has appointed Cathy Peterman as Chief People Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.