A recent CNBC article claims that one in four Americans will work remotely this year, with a projected 36 million working remotely by 2025. With an 87% increase over pre-pandemic levels, remote work looks likely to stay.
Driven by remote work, Remote Desktop Protocol (RDP) and Server Message Block (SMB) have become increasingly useful business tools, letting employees reach files and applications stored on their organization's network while working from home. They also allow IT departments to diagnose and fix employees' technical problems remotely.
What is RDP? Remote Desktop Protocol (RDP) is a network protocol developed by Microsoft that lets a user open an interactive graphical session on a remote Windows server or workstation, by default over TCP port 3389. Once connected, the user can operate that machine as if seated in front of it, from any location that can reach the port.
What is SMB? Server Message Block (SMB) is the file- and printer-sharing protocol built into Windows (listening on TCP port 445 on modern systems). It lets users and applications connect to remote computers or servers and share, open and edit the files stored on them.
Both RDP and SMB are built into the Microsoft Windows operating system. They are not malicious in the sense of a computer virus or malware. Rather, many ransomware operators use exposed RDP or SMB services as their initial means of access to a victim's network.
In such an intrusion, a cybercriminal first gains a foothold and then deploys malicious software across the network, encrypting systems and demanding a significant ransom payment before (supposedly) restoring the victim's data. A recent Kaspersky report found that nearly 1.3 million RDP-based attacks occur daily, and that RDP is the top initial access vector for ransomware.
Don’t let RDP/SMB contribute to a costly ransomware incident for your organization. Review the following guidance to learn more about how ransomware attacks can occur via RDP/SMB and best practices for minimizing the likelihood of such an incident.
Ransomware Attacks via RDP
Usually, RDP/SMB-based ransomware attacks occur when organizations leave their RDP/SMB ports exposed to the internet. This may be convenient for remote work, but internet-exposed ports are trivially discoverable by cybercriminals (internet-wide scanning services index them continuously) and provide a clear entry point for an attack.
The typical process of an RDP/SMB-based ransomware attack is as follows:
1. Scanning
Initially, cybercriminals use a port-scanning tool to search the internet for exposed ports. These tools are often free and simple enough for attackers of varying skill levels to operate.
2. Gain Access
Once the cybercriminal identifies an exposed RDP/SMB port, they can gain access to the targeted server or device with stolen credentials. Attackers obtain these either through a dark web purchase or with a brute-force tool that rapidly tries username and password combinations until one works. Credentials are not the only way in: an exposed service that has not been patched can also be attacked through flaws in the service itself, which is one reason the patching guidance below matters.
3. Disable Security Features
Once inside, the cybercriminals try to make the server or device as defenseless as possible by disabling existing protections (e.g., antivirus software, security logging and system backup capabilities).
4. Execute the Attack
Finally, the cybercriminal steals sensitive data and deploys ransomware on the compromised server or device. Some attackers also install backdoors during this step to retain access for future attacks.
Like other ransomware incidents, RDP/SMB-based attacks can have devastating ramifications, including business interruption, reputational damage and large-scale financial loss.
Strengthening RDP Against Ransomware
Although RDP/SMB-based ransomware attacks have become increasingly common, there are several ways to bolster your organization's security and lessen the risk of such an incident affecting your operations.
Consider the following best practices:
1. Close internet-exposed RDP and SMB ports.
To reduce the likelihood of an incident, organizations with RDP or SMB ports open to the internet should close them as soon as possible. Most organizations have no reason to expose RDP (TCP 3389) or SMB (TCP 445) outside their network. Verify this from outside the network rather than trusting the firewall's intended configuration; a rule that was meant to be temporary is easy to forget.
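As an added check for this step (example code written for this article, not part of the original guidance), the script below probes a list of hosts for TCP 3389 and 445 and classifies each as open, closed or filtered. It is meant to be run from a machine outside your network against your own public addresses; the addresses in the example are documentation-range placeholders, and the `connect` parameter is an assumption of this example that exists so the classification logic can be tested without network access.

```python
"""Check from outside whether RDP (TCP 3389) and SMB (TCP 445) are reachable.

Added example, not part of the original article. Run it from a host OUTSIDE
your network (for example a cloud VM) against your organisation's own public
addresses. Any "open" result is a finding: that service is internet-exposed
and should be closed or moved behind a VPN. The addresses in __main__ are
placeholders from the documentation range (TEST-NET-3), not real targets.
"""
import socket
from typing import Callable, Dict, Iterable, List, Tuple

# Services the article is concerned with, keyed by default TCP port.
REMOTE_ACCESS_PORTS: Dict[int, str] = {3389: "RDP", 445: "SMB"}

# Anything with socket.create_connection's shape: (address, timeout) -> socket-like.
Connector = Callable[[Tuple[str, int], float], object]


def probe_port(host: str, port: int, timeout: float = 3.0,
               connect: Connector = socket.create_connection) -> str:
    """Classify one TCP port as 'open', 'closed' or 'filtered'.

    'open'     - the handshake completed: something is listening.
    'closed'   - the host answered with a reset: reachable but not listening.
    'filtered' - no answer (timeout or unreachable): a firewall is most likely
                 dropping the SYN, which is the state you want for 3389/445
                 when probing from the internet.
    `connect` is injectable (assumption of this example) so the logic can be
    exercised offline.
    """
    try:
        sock = connect((host, port), timeout)
    except ConnectionRefusedError:
        return "closed"
    except OSError:  # socket.timeout/TimeoutError and "no route" are all OSErrors
        return "filtered"
    close = getattr(sock, "close", None)
    if callable(close):
        close()
    return "open"


def audit_hosts(hosts: Iterable[str],
                ports: Dict[int, str] = REMOTE_ACCESS_PORTS,
                connect: Connector = socket.create_connection) -> Dict[str, Dict[str, str]]:
    """Probe every host/port pair; returns {host: {service_name: state}}."""
    return {
        host: {name: probe_port(host, port, connect=connect) for port, name in ports.items()}
        for host in hosts
    }


def exposed_services(report: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Reduce an audit report to the (host, service) pairs that are open."""
    return [(host, svc) for host, states in report.items()
            for svc, state in states.items() if state == "open"]


if __name__ == "__main__":
    # Placeholder public addresses (TEST-NET-3); substitute your own.
    report = audit_hosts(["203.0.113.10", "203.0.113.11"])
    findings = exposed_services(report)
    for host, svc in findings:
        print(f"FINDING: {svc} is reachable from the internet on {host}")
    if not findings:
        print("No RDP/SMB exposure found on the probed hosts.")
```

A "closed" result still tells an attacker the host is alive; "filtered" (no response at all) is the state an edge firewall should produce for these two ports. Run the audit on a schedule, not once, since exposure usually reappears through a later firewall change.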
2. Establish a virtual private network (VPN).
To keep these ports off the internet, require remote employees to connect through a VPN first, so that RDP and SMB are reachable only from inside the network. Note that this moves the internet-facing service to the VPN gateway, which then needs the same diligence: MFA on every VPN login, prompt patching, and monitoring of authentication failures.
3. Strengthen authentication.
Cybercriminals need valid login credentials to carry out an RDP/SMB-based ransomware attack. To counter this, verify that your organization has effective authentication controls in place. Require employees to use a unique password for each device and account. Length matters more than character mix, so prefer long passphrases that avoid common words or predictable patterns over short passwords padded with special characters.
Your IT department should also require multifactor authentication (MFA) for RDP and VPN logins as an extra layer of protection. MFA requires the user to provide two or more verification factors to gain access to a resource such as an application, online account or VPN: typically a password plus a one-time code from an authenticator app, a hardware token, a push approval, or a biometric check (face recognition or fingerprint scan). Codes delivered by email or text message are better than nothing but are the weakest of these options. This step matters commercially as well: many cyber insurance carriers will not quote a risk unless MFA has been fully implemented across the enterprise.
4. Implement login attempt limits.
To blunt brute-force tools, configure account lockout (or rate limiting) so that multiple failed logins within a short period lock the account or block the source. Set a threshold of incorrect logins before further attempts are refused, and make sure those failures are logged and reviewed. A lockout policy on its own will not catch an attacker who tries one password against many different accounts, so watch for failure bursts per source address as well as per account.
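The detection behind this practice, and behind the brute-force stage of the attack chain described earlier, is a per-source sliding-window count of failed logons. The script below is an added example written for this article, not part of the original guidance: it parses a handful of constructed failed-logon events (a simplified, pipe-delimited rendering of the fields an analyst would pull from Windows Security Event ID 4625, where Logon Type 10 is an RDP session and Logon Type 3 a network logon such as SMB; the line format itself is an assumption of this example, not a Windows format), then flags any source address that exceeds a failure threshold inside a short window and labels the burst as brute force against one account or a password spray across many.

```python
"""Flag brute-force and password-spray bursts in failed-logon events.

Added example, not from the original article. The events below are
constructed for this example. Each line is
    <ISO timestamp>|<EventID>|<LogonType>|<IpAddress>|<TargetUserName>
a simplified rendering of Windows Security Event ID 4625 (failed logon);
Logon Type 10 = RemoteInteractive (RDP), 3 = Network (e.g. SMB). The
pipe-delimited layout is an assumption of this example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, NamedTuple

SAMPLE_EVENTS = """\
2024-03-04T02:14:01|4625|10|198.51.100.7|administrator
2024-03-04T02:14:02|4625|10|198.51.100.7|administrator
2024-03-04T02:14:02|4625|10|198.51.100.7|administrator
2024-03-04T02:14:03|4625|10|198.51.100.7|administrator
2024-03-04T02:14:03|4625|10|198.51.100.7|administrator
2024-03-04T02:14:04|4625|10|198.51.100.7|administrator
2024-03-04T02:30:00|4625|10|198.51.100.23|jsmith
2024-03-04T02:30:05|4625|10|198.51.100.23|mjones
2024-03-04T02:30:10|4625|10|198.51.100.23|svc_backup
2024-03-04T02:30:15|4625|10|198.51.100.23|helpdesk
2024-03-04T02:30:20|4625|10|198.51.100.23|finance
2024-03-04T09:00:00|4625|10|10.0.0.15|jsmith
2024-03-04T09:00:40|4625|10|10.0.0.15|jsmith
2024-03-04T09:12:00|4625|10|10.0.0.15|jsmith
2024-03-04T09:01:00|4625|3|198.51.100.7|administrator
"""


class FailedLogon(NamedTuple):
    when: datetime
    logon_type: int
    source_ip: str
    user: str


def parse_events(text: str) -> List[FailedLogon]:
    """Parse the pipe-delimited sample, keep only Event ID 4625, sort by time."""
    events: List[FailedLogon] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, event_id, logon_type, ip, user = line.split("|")
        if event_id != "4625":
            continue
        events.append(FailedLogon(datetime.fromisoformat(when), int(logon_type), ip, user))
    return sorted(events, key=lambda e: e.when)


def detect_bursts(events: Iterable[FailedLogon], threshold: int = 5,
                  window: timedelta = timedelta(seconds=60),
                  logon_types: Iterable[int] = (10, 3)) -> Dict[str, dict]:
    """Return {source_ip: alert} for sources with >= threshold failures in `window`.

    A per-source sliding window; the alert is refreshed while the burst lasts,
    so the final counts describe the largest window seen. The verdict is
    'password-spray' when more than half of the failures in the window hit
    distinct accounts (a lockout policy alone misses this case), otherwise
    'brute-force' against one or a few accounts.
    """
    wanted = set(logon_types)
    recent: Dict[str, Deque[FailedLogon]] = defaultdict(deque)
    alerts: Dict[str, dict] = {}
    for ev in events:
        if ev.logon_type not in wanted:
            continue
        q = recent[ev.source_ip]
        q.append(ev)
        while q and ev.when - q[0].when > window:   # drop failures outside the window
            q.popleft()
        if len(q) >= threshold:
            users = {e.user for e in q}
            kind = "password-spray" if len(users) > len(q) // 2 else "brute-force"
            alerts[ev.source_ip] = {
                "kind": kind,
                "failures": len(q),
                "accounts": sorted(users),
                "first": q[0].when.isoformat(),
                "last": ev.when.isoformat(),
            }
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_bursts(parse_events(SAMPLE_EVENTS)).items():
        print(f"{ip}: {alert['kind']}, {alert['failures']} failures "
              f"against {len(alert['accounts'])} account(s) "
              f"between {alert['first']} and {alert['last']}")
```

In the sample, 198.51.100.7 hammers one account six times in three seconds (brute force), 198.51.100.23 tries five different accounts in twenty seconds (a spray that would never trip a per-account lockout), and the three typos from 10.0.0.15 over twelve minutes stay below the threshold. The threshold and window are the same two numbers you set in a lockout policy; here they are applied per source address instead of per account.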
5. Use adequate security software.
Ensure all workplace systems run current, reputable security software. Antivirus/endpoint protection, a firewall, encryption of stored data and a gateway server (such as Remote Desktop Gateway in front of RDP) help deter attacks. Apply updates and patches weekly or in accordance with vendor recommendations, prioritizing anything that is reachable from the internet. Beware that many cyber insurance carriers include language excluding coverage if software is not updated or patched in a timely manner.
6. Restrict employee access.
Only provide employees with RDP/SMB access if it is necessary for their work. These employees should be trusted and trained in appropriate RDP/SMB usage, and their accounts should carry only the privileges the task requires. Granting unnecessary permissions simply creates additional security gaps.
7. Have a plan.
Lastly, make sure your organization has an effective cyber incident response plan that covers RDP/SMB-based ransomware scenarios. The plan should require backups of critical data in multiple secure locations (both on-site and off-site), with at least one copy kept offline or otherwise immutable, so that an attacker who has disabled security features on the network cannot also destroy the backups. Practice the plan regularly with staff and update it as needed.
For additional risk management guidance and insurance solutions, contact a member of our team.