how to protect RDP from ransomware attacks
RDP ransomware attacks can hit at any time, and any business can be affected: suddenly, access to important data is blocked and you receive a ransom note. Your data will only be released if you pay for it. Congratulations, you have fallen victim to a ransomware attack! We'll show you how to protect your business from RDP ransomware attacks and how to respond correctly if one hits you.
What is ransomware?
Ransomware is malware that gives an intruder access to someone else's computer systems and the data they contain. The data on the target computer is encrypted and, in the worst case, the entire system is locked. The owner can no longer access their data. The criminals demand a ransom to decrypt or release the data, and the demand is displayed to the victim on the screen. If it is paid, they release the system again or send the victim a code with which the encrypted files can be decoded. Access to the system is mostly gained by a brute-force attack, which tries to infiltrate it by trying many different usernames and passwords.
RDP Ransomware attacks: facts and figures
In 2017, a wave of RDP ransomware attacks hit hundreds of thousands of computers worldwide. RDP in general has many security flaws and is used by hackers to infiltrate systems that are then hit by ransomware. The WannaCry malware caused damage running into the millions. According to a report by Symantec, the number of ransomware attacks fell by 20 percent for the first time since 2013, but attacks on companies rose by 12 percent. The cyber criminals are apparently taking over fewer private computers and instead prefer companies and institutions such as public authorities or banks as victims, as more money can be obtained there.
The German Federal Office for Information Security (BSI) published in its annual report that the number of malware programs in circulation rose from around 600 million in 2017 to more than 800 million in 2018. Around 400,000 new malware variants are added every day.
You can read about the situation for 2019 in our Cybercrime Outlook 2019. You can find out what damage can be expected from cybercrime in our article Underestimated risk: Cybercrime causes increasing damage.
RDP Ransomware Attacks: Recent RDP Attack Cases
The US city of Baltimore has been under attack by cyber criminals for three years. Various IT systems in the city are not working properly: the emergency telephone line could not be reached at times, and documents could not be issued. The resulting damage amounts to around 19 million dollars. The city is still unable to issue water bills today. It is not known exactly which data and systems were infected and encrypted. A large part of the costs results from the fact that the city brought in external IT security consultants and purchased additional hardware to secure its IT infrastructure.
Baltimore refuses to pay ransom
The attackers demanded a ransom of 13 Bitcoins for the release of the encrypted data. This corresponds (as of June 27, 2019) to a value of around 170,000 dollars. But the city refused to pay, because it could not be sure that the criminals would actually release the data after payment, and because they could have built a back door into the IT system so that they could strike again at a later point in time.
Riviera Beach pays the ransom note
A similar case also occurred in the United States. The city of Riviera Beach, Florida was hacked, and data on the IT systems of the city administration was encrypted. The encryption Trojan apparently entered the system through an email that was opened by an employee.
After consulting an external IT security expert, the city council voted to pay the ransom demand of around 620,000 dollars. Although there is no guarantee that the perpetrator will release the data after receiving the ransom, the city hopes that the payment will solve the problem. The ransom will be completely covered by insurance, a spokeswoman said. The city is also planning an investment of around 1,400,000 dollars in upgrading its IT security.
The perpetrator demanded payment of the ransom in Bitcoins. Bitcoin transactions can be tracked, but it is difficult to find out who owns a Bitcoin account. Money transfer via Bitcoin is therefore particularly attractive for cyber criminals.
More and more companies are falling victim to ransomware
More RDP Ransomware Attacks Ensue
In addition to municipalities, companies in particular are increasingly falling into the crosshairs of cyber criminals. The Heise Group and the Heinz Heise Verlag fell victim to the Emotet Trojan. An employee opened a file from an email that appeared to have come from a business partner. Emotet spread throughout the system, infecting several computers and causing great damage.
In another case, several computer systems and servers belonging to the global Eurofins laboratory group were infected. To prevent further damage, the technicians decided to take the affected computers off the network.
Best practices when you get hit by an RDP ransomware attack
These examples show that anyone can become a victim of ransomware. If you are hit, you should first remain calm and then work through the problem step by step. The following checklist can help you:
- Analyze the situation: which data has been encrypted, which systems are affected and how extensive is the damage?
- If personal data is affected by the encryption, you must report this to the competent authority and, if necessary, to the persons concerned.
- Try to rid the affected systems of the malware. You should consult an IT security expert for this. If you want to clean up your system yourself, free programs can help.
- Once the system has been cleaned up after the RDP ransomware attack, you can try to decode the encrypted data. Various providers offer free decoders for known ransomware on the Internet:
  - Kaspersky decoder list
  - Stay virus-free decoder list
- If a decoder is not yet available for the remote desktop connection malware that affected you, you can restore the lost data from a backup. If you haven't made a backup, you have to hope that a decoder for your malware becomes available soon, or call in an IT specialist for data recovery.
- If you have taken out professional liability insurance, you must report the incident to the insurer immediately; this is the only way for them to react as quickly as possible and help you keep the damage as low as possible.
Ransomware Ransom Note: to Pay or Not to Pay?
Those affected who are confronted with a ransom note often do not know whether to pay it or not. There is no clear answer to this question, as it always depends on the individual case. Depending on how important the affected data is (e.g. patient health data in a hospital), the institution concerned may not have time to wait until the encryption Trojan has been eliminated. Often the ransom is then paid in the hope that the RDP ransomware attack will end quickly.
But this is exactly where the problem lies. No one can guarantee that the data will actually be released again after the ransom has been paid. The common opinion among experts is therefore not to pay a ransom. The BSI also advises against complying with the ransom demand. Instead, those affected should photograph the screen, including the blackmail text, and report the incident.
The moral aspect also plays a role. After all, cyber criminals want to make money with a ransomware attack. If the ransom is paid in most cases, the business model works and will be continued. The money is used to finance further malicious programs and other RDP ransomware attacks. The demands are getting higher and higher as the criminals realize that the victims are willing to pay.
This is How You Can Protect Yourself Against Ransomware
We have given you information about RDP ransomware attacks, but we hope it never gets that far. Here are a few tips to prevent an infection with ransomware:
Strengthen the IT Infrastructure
Invest in good hardware, trained IT security personnel and good anti-virus software. Even if you have to spend a lot of money on this, it pays off in the end and prevents high follow-up costs. You can also set up two-factor authentication to secure your infrastructure.
Make regular backups of your data. This way you are protected if your data is encrypted. Make sure, however, that the backup copies are kept separate from your network, otherwise there is a risk that the ransomware will also spread to the backup copy. Storage media that can be disconnected from the computer and only reconnected after the system has been cleaned up are suitable (e.g. a USB stick or an external hard drive).
Keep the Software Up to Date
Make sure that you are always using the latest version of your software, regardless of whether it is the operating system, antivirus software or other programs. Outdated versions are a potential gateway for attackers. Updates and patches are necessary in order to be able to react to current malware.
Disable Remote Assistance
With remote assistance, ransomware can infect not just individual computers but entire networks. You should therefore switch off the Remote Desktop Protocol (RDP) in the system properties. Remote assistance is intended to enable remote access to a Windows PC while on the move. You can also change your RDP port or make your RDP connection invisible to hackers.
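The following script is an added example and is not part of the original article. It shows how the settings discussed above can be audited and changed from an elevated PowerShell session on the Windows host itself: the "Remote Desktop" switch in the system properties corresponds to the `fDenyTSConnections` registry value, Remote Assistance to `fAllowToGetHelp`, and the RDP listener port to `PortNumber` under the `RDP-Tcp` key. "Making the connection invisible" is interpreted here as disabling the default firewall rules and allowing the listener only from a named management network; the port number 3390 and the subnet 10.0.10.0/24 are placeholder values, not recommendations from the article.

```powershell
# Added example (not from the original article): audit and harden Remote Desktop and
# Remote Assistance on a Windows host. Run in an elevated PowerShell; the functions that
# change settings support -WhatIf so you can preview the effect first.

$rdpKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcpKey = "$rdpKey\WinStations\RDP-Tcp"
$raKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance'

function Get-RemoteAccessStatus {
    # Report the current state of the settings the article tells you to check.
    [pscustomobject]@{
        RdpEnabled              = ((Get-ItemProperty $rdpKey).fDenyTSConnections -eq 0)
        RdpPort                 = (Get-ItemProperty $rdpTcpKey).PortNumber          # 3389 is the default
        RemoteAssistanceEnabled = ((Get-ItemProperty $raKey).fAllowToGetHelp -eq 1)
        RdpFirewallRulesEnabled = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
                                    Where-Object Enabled -eq 'True').Count
    }
}

function Disable-RemoteAccess {
    # Option 1 from the article: switch Remote Desktop and Remote Assistance off entirely,
    # both at the service level (registry) and at the host firewall.
    [CmdletBinding(SupportsShouldProcess)] param()
    if ($PSCmdlet.ShouldProcess('Remote Desktop', 'disable')) {
        Set-ItemProperty $rdpKey -Name fDenyTSConnections -Value 1 -Type DWord
        Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
    }
    if ($PSCmdlet.ShouldProcess('Remote Assistance', 'disable')) {
        Set-ItemProperty $raKey -Name fAllowToGetHelp -Value 0 -Type DWord
        Disable-NetFirewallRule -DisplayGroup 'Remote Assistance'
    }
}

function Limit-RemoteDesktop {
    # Option 2 from the article: keep RDP, but move the listener off the default port and
    # let the firewall accept it only from the management network you name. Note that the
    # port change alone hides nothing from a port scan; the source restriction is what matters.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [ValidateRange(1024, 65535)] [int] $Port = 3390,   # placeholder value, choose your own
        [Parameter(Mandatory)] [string[]] $AllowedSources  # e.g. '10.0.10.0/24' (placeholder subnet)
    )
    if ($PSCmdlet.ShouldProcess('RDP listener', "move to TCP $Port and restrict sources")) {
        Set-ItemProperty $rdpTcpKey -Name PortNumber -Value $Port -Type DWord
        # The built-in rules are bound to 3389, so disable them and add one scoped rule instead.
        Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
        New-NetFirewallRule -DisplayName "RDP (restricted) TCP $Port" -Direction Inbound `
            -Protocol TCP -LocalPort $Port -RemoteAddress $AllowedSources `
            -Action Allow -Profile Domain, Private | Out-Null
        # The new port takes effect after 'Restart-Service TermService -Force' or a reboot.
    }
}

Get-RemoteAccessStatus
# Disable-RemoteAccess -WhatIf
# Limit-RemoteDesktop -Port 3390 -AllowedSources '10.0.10.0/24' -WhatIf
```

Run `Get-RemoteAccessStatus` first and keep the output as a record of the state before the change; the two modifying functions are commented out with `-WhatIf` so that nothing is altered until you have decided which of the article's two options fits the host.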
Beware of Dangerous Emails
A popular gateway for ransomware is email. Seemingly trustworthy emails contain file attachments or a link that the recipient is supposed to open or click on. This can infect your system with malware. Therefore, you should never open emails from unknown senders, and never click links or open attachments unless you are absolutely sure that the sender can be trusted.
In companies with a lot of email traffic and many employees working on the Internet, it is particularly important that staff know about cybercrime risks. You should therefore train your employees accordingly and give them recommendations on how to recognize attacks and how to react correctly in each situation.
RDP ransomware attacks can happen at any time, and they are often carried out by brute-force attacks. This can be really stressful for any IT administrator, so we recommend that you take steps to protect yourself.
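As an added example that is not part of the original article, the script below shows how the brute-force pattern the article mentions can be made visible on a Windows host: failed logons are recorded as Security event 4625, and Remote Desktop logons carry LogonType 10, so grouping those events by source address and counting failures per time window separates a mistyped password from a password-guessing run. The event data in the script is constructed so that it runs offline; the live query against the Security log at the end requires local administrator rights. The threshold of 10 failures in 5 minutes and the TEST-NET addresses are assumptions for the demonstration.

```powershell
# Added example (not from the original article): summarize failed Remote Desktop logons
# (Security event 4625, LogonType 10 = RemoteInteractive) per source IP and flag sources
# that exceed a threshold inside a time window. The sample events are constructed data.

function ConvertFrom-LogonEventXml {
    # Flatten the XML of one Security event record into the fields we need.
    param([Parameter(Mandatory, ValueFromPipeline)] [string] $EventXml)
    process {
        $x = [xml] $EventXml
        $data = @{}
        foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            TimeCreated    = [datetime] $x.Event.System.TimeCreated.SystemTime
            LogonType      = [int] $data['LogonType']
            TargetUserName = $data['TargetUserName']
            IpAddress      = $data['IpAddress']      # Windows writes '-' when no address is known
        }
    }
}

function Get-RdpBruteForceSuspects {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $Threshold = 10,                              # failures per source before flagging
        [timespan] $Window = [timespan]::FromMinutes(5),
        # Caveat: with Network Level Authentication enabled, failed RDP logons are often logged
        # with LogonType 3 instead of 10, so widen this list if your hosts use NLA.
        [int[]] $LogonTypes = @(10)
    )
    $Events |
        Where-Object { $_.LogonType -in $LogonTypes -and $_.IpAddress -and $_.IpAddress -ne '-' } |
        Group-Object IpAddress |
        ForEach-Object {
            $sorted = @($_.Group | Sort-Object TimeCreated)
            $span   = $sorted[-1].TimeCreated - $sorted[0].TimeCreated
            [pscustomobject]@{
                IpAddress     = $_.Name
                Failures      = $_.Count
                DistinctUsers = @($_.Group.TargetUserName | Sort-Object -Unique).Count
                FirstSeen     = $sorted[0].TimeCreated
                LastSeen      = $sorted[-1].TimeCreated
                Suspicious    = ($_.Count -ge $Threshold -and $span -le $Window)
            }
        }
}

function New-SampleLogonEventXml {
    # Constructed sample data only: mimics the shape of a real 4625 event record.
    param([string] $Time, [string] $User, [string] $Ip, [int] $LogonType = 10)
    @"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4625</EventID><TimeCreated SystemTime="$Time"/></System>
  <EventData>
    <Data Name="TargetUserName">$User</Data>
    <Data Name="LogonType">$LogonType</Data>
    <Data Name="IpAddress">$Ip</Data>
  </EventData>
</Event>
"@
}

$sampleXml = @()
# 12 failures in two minutes from one address, cycling through common account names
$names = 'administrator', 'admin', 'backup', 'test', 'user', 'sql'
for ($i = 0; $i -lt 12; $i++) {
    $t = (Get-Date '2019-06-27T10:00:00Z').AddSeconds(10 * $i).ToString('o')
    $sampleXml += New-SampleLogonEventXml -Time $t -User $names[$i % $names.Count] -Ip '203.0.113.5'
}
# One mistyped password from a legitimate workstation, and one local console failure (LogonType 2)
$sampleXml += New-SampleLogonEventXml -Time '2019-06-27T10:05:00Z' -User 'jdoe' -Ip '198.51.100.20'
$sampleXml += New-SampleLogonEventXml -Time '2019-06-27T10:06:00Z' -User 'jdoe' -Ip '-' -LogonType 2

$events = $sampleXml | ConvertFrom-LogonEventXml
Get-RdpBruteForceSuspects -Events $events | Format-Table -AutoSize

# Live variant (run as administrator on the RDP host): the last 24 hours of 4625 events.
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddDays(-1) } |
#     ForEach-Object { $_.ToXml() } | ConvertFrom-LogonEventXml
# Get-RdpBruteForceSuspects -Events $live | Where-Object Suspicious
```

On the constructed data, 203.0.113.5 is reported with 12 failures against 6 distinct account names inside two minutes and is marked suspicious, while 198.51.100.20 shows a single failure and is not; the console failure is dropped by the LogonType filter. Because a brute-force run cycles through many account names, the DistinctUsers column is often the quickest tell when a legitimate user is also locking themselves out from the same address.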