RDP Attacks Implement Ransomware

Friday, February 10, 2017 @ 12:02 PM gHale


Ransomware that broke out last year is now going out globally via Remote Desktop Protocol (RDP) brute force attacks, researchers said.

The ransomware, called CRYSIS, went out in September via RDP brute force attacks with a focus on businesses in Australia and New Zealand, said researchers at Trend Micro.


Having learned from the initial attacks, the attackers are now using the same method against companies of all sizes across the globe, researchers said.

What’s more, the volume of these RDP attacks has doubled in January 2017 compared to previous months.

Most of the attacks focus on the healthcare industry in the United States, though other industries ended up hit hard as well, Trend Micro researchers said in a blog post.

“We believe that the same group of attackers is behind the earlier attacks and the current campaign. The file names being used are consistent within each region. Other parts of this attack—such as where the malicious files are dropped onto the compromised machine—are also consistent,” researchers said.

In analyzing an RDP attack, researchers found that a folder shared into the RDP session could be used to transfer malware from the attacker's machine to the remote PC, and that the clipboard could also transfer files in some cases. Both features expose the attacker's local resources to the remote machine, the researchers said.

The default settings apply no restrictions to these RDP features on endpoints exposed to the Internet, so it is left to administrators to apply controls. Attackers using RDP brute force their way onto new systems by trying commonly used usernames and passwords. Once an attacker has access to a system, he or she can return multiple times within a short period to try to infect the endpoint, researchers said.

On the researchers' test endpoint, the CRYSIS ransomware was deployed six times within a 10-minute interval, and the dropped samples were created "at various times during a 30-day period starting from the time of the first compromise attempt," the researchers said.
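The repeated-attempt pattern described above, as an added example that is not part of the original article or of Trend Micro's research: a short Python detector run over constructed Windows Security log records (event ID 4625 for a failed logon, 4624 for a successful one, logon type 10 for RDP) that flags any source address with a burst of failed RDP logons and notes whether a successful logon from that source followed. The sample records, the threshold and the time window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (timestamp, event ID, logon type, source IP, username),
# modelled on the fields of Windows Security log events. Logon type 10 is
# RemoteInteractive, i.e. an RDP session; 4625 = failed logon, 4624 = success.
SAMPLE_EVENTS = [
    ("2017-01-14 02:00:01", 4625, 10, "203.0.113.7", "administrator"),
    ("2017-01-14 02:00:03", 4625, 10, "203.0.113.7", "admin"),
    ("2017-01-14 02:00:05", 4625, 10, "203.0.113.7", "backup"),
    ("2017-01-14 02:00:07", 4625, 10, "203.0.113.7", "administrator"),
    ("2017-01-14 02:00:09", 4625, 10, "203.0.113.7", "scanner"),
    ("2017-01-14 02:00:12", 4624, 10, "203.0.113.7", "administrator"),
    ("2017-01-14 09:15:00", 4625, 10, "198.51.100.2", "jsmith"),  # a single typo
    ("2017-01-14 09:15:30", 4624, 10, "198.51.100.2", "jsmith"),
]


def find_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return {source_ip: details} for every source that produced at least
    `threshold` failed RDP logons inside `window`. `compromised` is True when a
    successful RDP logon from the same source follows the start of the burst."""
    by_src = defaultdict(list)
    for ts, event_id, logon_type, src, user in events:
        if logon_type != 10 or event_id not in (4624, 4625):
            continue  # only RDP logon outcomes are of interest here
        by_src[src].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), event_id, user))

    alerts = {}
    for src, recs in by_src.items():
        recs.sort()
        fails = [(t, u) for t, e, u in recs if e == 4625]
        for i, (t0, _) in enumerate(fails):
            # All failures from this source within `window` of the i-th failure.
            burst = [u for t, u in fails[i:] if t - t0 <= window]
            if len(burst) >= threshold:
                success = next((u for t, e, u in recs if e == 4624 and t >= t0), None)
                alerts[src] = {
                    "failures": len(burst),
                    "usernames": sorted(set(burst)),  # many names = credential guessing
                    "compromised": success is not None,
                    "account": success,
                }
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for src, info in find_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(src, info)
```

A burst followed by a success from the same source is the case to escalate first, since the article describes the attacker returning repeatedly to the newly accessible host.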
