Adaptive Segmentation, micro-segmentation | January 7, 2022

How to Stop RDP-Based Ransomware Attacks With Illumio

Ron Isaacson, Field CTO, US East

Over 90 percent of ransomware attacks are preventable, according to Gartner. They are also fairly predictable, as attackers tend to follow one of just a handful of threat vectors. The most popular is Remote Desktop Protocol (RDP) exploitation, which accounted for nearly half of attacks in Q3 2021, according to one estimate.

The bottom line: if your organization can get better at halting ransomware attacks via RDP, it has a great chance of minimizing cyber risk across the board.

The good news is that Illumio offers visibility and control where organizations need it most: to understand where they’re most exposed, and then deploy policy at scale to restrict RDP communications.

What is RDP?

RDP is a Microsoft protocol that allows computer users to connect remotely to PCs and servers. It runs on every Windows server, and that ubiquity also makes it a prime target for attack.

RDP attacks surged during the pandemic when home workers' use of remote access solutions also soared. According to one study, the volume of devices exposing RDP to the public internet on standard ports jumped by over 40 percent in a single month.

How is RDP abused?

There are several factors that explain why RDP ransomware attacks are so successful.

Many organizations have poor visibility into their IT network infrastructure. This means they may not know how many RDP pathways are open. Attacks also take advantage of common corporate security weaknesses, including gaps in patch and password management.

Here’s how it works:

  1. An attacker will scan for Windows servers with public IP addresses and an open port 3389 (commonly used for RDP).
  2. Once these have been located, the threat actor will seek to compromise the exposed servers by:
    • Exploiting Microsoft vulnerabilities that allow them to bypass RDP authentication or execute malware directly over the connection.
    • Brute-forcing RDP accounts protected only by weak credentials. These automated password-guessing attempts are sometimes spread over a number of days to avoid raising the alarm.
  3. Once initial access has been achieved, the attacker can use RDP or other techniques to move laterally to other assets and data. Eventually, they will have built a large enough foothold in the victim’s network to deploy widespread ransomware and/or steal sensitive data for extortion.

Stopping RDP ransomware attacks

Preventing RDP ransomware attacks is partly about ensuring systems are protected with up-to-date patches and switching on multi-factor authentication to mitigate password cracking attempts.

But more fundamentally, it’s about first understanding where RDP is running across your organization, and where you can cut connections without impacting business processes or productivity. Blocking port 3389 on those servers will do the trick.

Reducing the attack surface in this way can help to minimize the number of potential intrusion points. It will also reduce the opportunity for attackers to leverage RDP to move through a network. That leaves a smaller number of remaining servers to monitor and secure with best practice authentication policies.

How Illumio can help

Illumio is already being used by some of the world’s largest and most demanding organizations to mitigate the ransomware threat — including more than 10 percent of the Fortune 100. We offer the granular visibility you need to understand where RDP communication is occurring and the control to block it where needed.

Illumio’s simple three-step approach to minimizing RDP ransomware risk is as follows:

  1. Map all RDP servers and connections
  2. Identify essential and non-essential RDP communications
  3. Take action with simple, rapid policy deployment to restrict non-essential communications at scale
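The three steps above, worked through as an added example (constructed here, not Illumio's code or API): constructed flow records are inventoried for port 3389, each server's RDP sources are split into essential (an assumed bastion host) and non-essential, servers reachable from outside an assumed internal range are flagged, and an allow-list plus default-deny rule set is generated per server.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

RDP_PORT = 3389
# Constructed sample flow records (src, dst, dst_port), as a visibility tool might export. Not real traffic.
SAMPLE_FLOWS = [
    ("10.1.1.10", "10.2.0.5", 3389),    # jump host -> app server (approved)
    ("10.1.1.10", "10.2.0.6", 3389),    # jump host -> app server (approved)
    ("10.3.7.22", "10.2.0.5", 3389),    # user workstation -> app server (non-essential)
    ("10.3.7.22", "10.2.0.6", 443),     # HTTPS, not RDP: ignored
    ("203.0.113.9", "10.2.0.7", 3389),  # internet -> server: exposed RDP
    ("10.2.0.5", "10.2.0.6", 3389),     # server-to-server RDP: a lateral-movement path
]
APPROVED_RDP_SOURCES = {"10.1.1.10"}        # hypothetical bastion host allowed to use RDP
INTERNAL_NETS = [ip_network("10.0.0.0/8")]  # hypothetical corporate address range

def map_rdp(flows):
    """Step 1: inventory every RDP server and the set of sources reaching it."""
    servers = defaultdict(set)
    for src, dst, port in flows:
        if port == RDP_PORT:
            servers[dst].add(src)
    return dict(servers)

def classify(servers, approved=APPROVED_RDP_SOURCES):
    """Step 2: per server, split sources into essential/non-essential and flag external exposure."""
    report = {}
    for dst, sources in servers.items():
        non_essential = sources - approved
        exposed = any(not any(ip_address(s) in n for n in INTERNAL_NETS)
                      for s in non_essential)
        report[dst] = {"essential": sources & approved,
                       "non_essential": non_essential,
                       "internet_exposed": exposed}
    return report

def build_policy(report):
    """Step 3: allow only essential sources on 3389, then deny everyone else (vendor-neutral tuples)."""
    rules = []
    for dst in sorted(report):
        for src in sorted(report[dst]["essential"]):
            rules.append(("allow", src, dst, RDP_PORT))
        rules.append(("deny", "any", dst, RDP_PORT))  # default-deny RDP to this server
    return rules

if __name__ == "__main__":
    report = classify(map_rdp(SAMPLE_FLOWS))
    for rule in build_policy(report):
        print(*rule)
```

Feeding real flow exports in place of SAMPLE_FLOWS turns the rule list into the change set to review before enforcing it; the server with no essential sources ends up with only a deny rule.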

To read more best practice advice on mitigating ransomware risk and how Illumio can help to block threats, check out our new ebook, How to Stop Ransomware Attacks.
