Ransomware Attacks Target SMBs via Remote Desktop Protocol

Sophos researchers warned about series of ransomware attacks against small-to-medium companies via Remote Desktop Protocol (RDP).

According to the experts, hackers abuse the week passwords as a common issue in their attacks. After managing to crack and RDP password, the attackers can easily install the malware onto the company’s systems, hoping to get a ransom payment.

The Sophos team claims that discovering RDP ports exposed to the Internet isn’t difficult at all, and hackers can use specialized search engines such as Shodan to do that. After that, the criminals abuse public or private tools to gain access to the vulnerable machines.

The attackers used a tool called NLBrute to brute-force their way into the found systems by trying a variety of RDP passwords. As soon as they managed to find the right password, the hackers would immediately log into the network and create their own administrative accounts.

In this way, the cyber criminals can reconnect to the network even if the admin password they used for initial compromise has been changed. “They’ve already got backup accounts they can use to sneak back in later,” the experts state.

Then, the criminals download and install low-level system tweaking software, such as Process Hacker, after which they turn off or reconfigure anti-malware applications. Additionally, the hackers try to elevate privileges via abusing known vulnerabilities, including the CVE-2017-0213 and CVE-2016-0099 flaws which Microsoft has patched long time ago.

The hackers turn off database services to let the ransomware target databases, turn off the Windows live backup service called Volume Shadow Copy and delete existing backups to prevent victims from restoring targeted files without paying. After that, the attackers upload and run the malware.

The criminals demanded a 1 Bitcoin ransom from their victims. Despite the fact that many companies were already hit by the malware, the hackers’ Bitcoin wallet shows a single transaction matching the demanded amount. According to the experts, this means that either victims have not paid, or they negotiated lower payments.

“The victims of this kind of attack are almost always small-to-medium companies: the largest business in our investigation had 120 staff, but most had 30 or fewer,” the Sophos team claims.

To keep safe from malware, companies are advised to turn off RDP, or to protect it well if they need to use it regularly. Also, they should consider using a Virtual Private Network (VPN) for connections from outside their network, alongside two-factor authentication (2FA), and to install available patches fast.

Leave a Comment

Your email address will not be published.

Time limit is exhausted. Please reload CAPTCHA.