You didn’t really think that the ransomware wave was coming to an end, did you? You’d be tempted to think so, given the decline in reports about massive ransomware campaigns. But this relative radio silence may be due to some recent developments in the field.
Ransomware attacks are getting more targeted to be more effective. And one of the primary attack vectors is the Remote Desktop Protocol (RDP). Remote desktop is exactly what the name implies, an option to remotely control a PC. And with the currently-available software, it almost feels as if you were actually sitting behind that PC—which is what makes it so dangerous.
- Elevate their privileges (when needed)
- Leave backdoors for future use
- Gain control over wider parts of the infiltrated network
- Deploy the ransomware and leave payment instructions
The first three steps are most important for businesses to pay attention to, as they need to be examined after a breach has been noticed.
We feel compelled to tell you that by paying the ransom, you are facilitating the threat actors with the means to continue performing their crimes. But we also know that sometimes, you simply have no choice. What you do have control over, however, is to do your utmost to prevent this type of attack from happening.
Lock down RDP
If you want to deploy software to remotely operate your work computers, RDP is essentially a safe and easy-to-use protocol, with a client that comes pre-installed on Windows systems and is also available for other operating systems. There are a few things you can do to make it a lot harder to gain access to your network over unauthorized RDP connections:
- Put RDP access behind a VPN so it’s not directly accessible.
- Or use a Remote Desktop Gateway Server, which also gives you some additional security and operational benefits like 2FA, for example. The logs of the RDP sessions can prove especially useful when you are trying to figure out what might have happened. As these logs are not on the compromised machine, they are harder to falsify by intruders.
- To make it harder for a brute force attack to succeed, it helps to use strong passwords.
- Do not disable Network Level Authentication (NLA), as it offers an extra authentication level. Enable it, if it wasn’t already.
- Change the RDP port so port-scanners looking for open RDP ports will miss yours. By default, the server listens on port 3389 for both TCP and UDP. Changing the port will not stop a determined attacker, but it will stop you from showing up on a list of probably easy targets.
- Limit the users to those that really need it. I will explain this in more detail below, as this can’t be done from the Remote Desktop settings but requires security policies.
- Limit access to specific IPs if possible. There’s no need for a whole lot of IPs that need RDP access.
Patch to prevent privilege elevation
There are several possibilities to elevate user privileges on Windows computers, even when using RDP, but all of the known methods have been patched. So, as always, make sure your systems are fully up-to-date and patched to prevent privilege elevation and other exploits from being used.
Limit the users to those that really need it
The first step in this process is to create a user group that will be allowed remote access. You can do this in the Group Policy Management Console (GPMC.MSC).
- In this console, select Computer Configuration > Windows Settings > Security Settings > Restricted Groups.
- Right-click Restricted Groups and then click Add Group.
- Click Browse > type Remote > click Check Names and you should see “REMOTE DESKTOP USERS.”
- Click OK in the Add Groups dialog.
- Click Add beside the MEMBERS OF THIS GROUP box and click Browse.
- Type the name of the domain group, then click Check Names > click OK > OK.
- On the PC, run an elevated command prompt and type GPUPDATE/FORCE to refresh the GPolicy.
- You should see the group added under the SELECT USERS button on the REMOTE tab of the PC’s SYSTEM PROPERTIES.
Now you can open the related local policies by opening Control Panel > System and Security > Administrative Tools > Local Security Policy > User Rights Assignment.
Remove the “Administrators” group from the “Allow log on through Remote Desktop Services” policy and certainly do not grant access to the account with the username “Administrator.” That account is perfect for the intruders—they would love to take it over. Also remove the “Remote Desktop Users Group” as contradictory as that may seem. Because by default, the user group “Everyone” is a member of the “Remote Desktop Users” group.
Now, add the user(s) that you specifically want to have remote access to this system, and make sure that they have the rights they need—but nothing more. Restrict the actions they can perform to limit the damage that they can do if the account should ever become compromised.
Secure your network both from the outside and inside
We probably do not need to tell you that you need to shield your business network from the outside. We can safely assume that you have this under control, right?
But in the context of RDP attacks, it is also important that you apply some internal safety measures. PCs that can be contacted remotely should be able to use network resources, but not be able to destroy them. Use restrictive policies to keep the possible damage at bay that any user, not just a remote one, can do.
Aftermath of an attack
If you have been impacted by a ransomware attack via RDP, you’ll need to take some steps to better secure your network and endpoints. After you have recovered your files from a backup or by forking over the ransom, you need to check your systems for any changes the attackers have made that would make a future visit easier for them—especially if you decided to pay the ransom. By paying the threat actors, you have essentially painted a bulls-eye on your own back. You are now a desirable target, because they know you will pay to get your files back, if necessary.
To be sure there are no artifacts left behind, check not only the PC that was remoted into for backdoor Trojans and hacking tools, but also any networked devices that could have been accessed from the compromised PC.
Do we really need remote access?
This is a valid question and you should not be afraid to ask it. Even if you follow all the safety guidelines, there are always possible weaknesses in RDP that can be exploited, whether they have been found by criminals or not (yet). You do not want to introduce these weaknesses into your network if there is no real need for them. The possible consequences could be devastating, especially without an effective backup strategy.
Since publishing this article, Malwarebytes has added Brute Force Protection to the Nebula cloud-based security console. Check it out.