Over the last four years, businesses in Israel have been experiencing a wave of ransomware attacks that use RDP (Remote Desktop Protocol).
We have already released some updates on the issue, but businesses are still being attacked every weekend.
The latest wave of attacks came from an older ransomware family called Crysis; its new variant changes the file extension to “Arena”, and no tool capable of decrypting the files is available yet.
When an RDP attack is launched against a business, the attackers first try to connect through a security vulnerability in the RDP protocol itself: if the relevant Microsoft updates have not been installed, the attackers have no need to break the password at all.
If the Microsoft security updates have been installed, the attackers instead try to crack the password with a “brute force attack”, using automated software that tries tens of thousands of possible password combinations.
It is important to understand that once an attacker has accessed your server with domain administrator privileges, they can remove your security software, such as anti-virus or DLP (data loss prevention) systems, and then run the ransomware manually.
Therefore, once an RDP attack is under way, your anti-virus software will not be able to block it.
The following recommendations for securing your network against ransom attacks via the RDP are arranged in order, from the most recommended to the least recommended:
1) Disable RDP for connections from outside the network
The best way to protect yourself against a network intrusion through RDP is, of course, to shut it down. You can use alternative software to connect remotely when the need arises.
2) Require a VPN for connections from outside the network
If you still have software or services that require an RDP connection, set up a VPN that users must connect to before they can open an RDP connection from outside the network.
3) Require 2FA for the connection
Connecting with two-factor authentication prevents brute force attacks on the RDP password.
4) Secure the endpoints
It is important to control and secure the computers that are permitted to connect.
5) Tighten your RDP security
It is important to understand that even hardening does not prevent hacking, but it definitely reduces the risk.
If you still work with RDP, there are a number of additional measures you can take to harden the connection:
Set up a complex password that has at least 13 characters consisting of lower and uppercase letters, numbers, and special characters.
Replace the default port 3389 by moving the RDP connection to a port higher than 50,000, which makes it harder for port scans to find the service.
Define the IP addresses from which the connection is allowed. This is done in the firewall, which will then permit RDP connections only from those addresses. Obviously, home users do not have fixed IP addresses.
Set an account lockout policy, either locally on the server or through a GPO for all users on the network, that blocks a user after several consecutive failed connection attempts.
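The hardening measures above, as an added PowerShell example that is not part of the original post. It assumes a custom port of 50389, two allowed source addresses from the documentation ranges (203.0.113.10 and 198.51.100.0/24) and a lockout threshold of 5 attempts; all of these are constructed values to be adjusted for your environment, and the lockout step sets the local policy only (on a domain, set the same values in a GPO).

```powershell
# Run as Administrator on the RDP host. Each step mirrors one hardening measure above.
$rdpKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$newPort = 50389                                   # assumed custom port (> 50,000)
$allowed = @('203.0.113.10', '198.51.100.0/24')    # assumed fixed source addresses

# 1. Move RDP off the default port 3389 (registry value read by the TermService listener).
Set-ItemProperty -Path $rdpKey -Name 'PortNumber' -Value $newPort -Type DWord

# 2. Require Network Level Authentication, so the client must authenticate
#    before a session (and its attack surface) is created on the server.
Set-ItemProperty -Path $rdpKey -Name 'UserAuthentication' -Value 1 -Type DWord

# 3. Replace the built-in "Remote Desktop" firewall rules (which allow port 3389
#    from any address) with a single inbound rule limited to the allow-listed sources.
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue
Get-NetFirewallRule -DisplayName 'RDP custom port (allow-listed sources)' -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule
New-NetFirewallRule -DisplayName 'RDP custom port (allow-listed sources)' `
    -Direction Inbound -Protocol TCP -LocalPort $newPort `
    -RemoteAddress $allowed -Action Allow -Profile Any | Out-Null

# 4. Local account lockout: block an account for 30 minutes after 5 consecutive
#    failed logons within a 30-minute window (assumed values; use a GPO for the domain).
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30 | Out-Null

# 5. Restart the Remote Desktop service so the new port takes effect, then verify.
Restart-Service -Name 'TermService' -Force

$effectivePort = (Get-ItemProperty -Path $rdpKey).PortNumber
$nla           = (Get-ItemProperty -Path $rdpKey).UserAuthentication
$rule          = Get-NetFirewallRule -DisplayName 'RDP custom port (allow-listed sources)'
$sources       = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
Write-Output "RDP listening port : $effectivePort"
Write-Output "NLA required       : $($nla -eq 1)"
Write-Output "Allowed sources    : $($sources -join ', ')"
Write-Output "Lockout threshold  : $((net accounts | Select-String 'Lockout threshold').ToString().Trim())"
```

Before restarting the service, confirm that your own management address is in the allow list and that the new port is reachable through any upstream firewall, or you will lock yourself out.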