RDP can greatly increase your vulnerability to a ransomware attack.
Ransomware has gained serious notoriety over the last few years and the number one intrusion method so far in 2020 is the Remote Desktop Protocol (RDP).
RDP is one of the easiest ways to allow users and third-party vendors to work remotely. However, it greatly increases your vulnerability unless configured correctly.
Cybercriminals scan the internet to look for systems with open RDP ports and employ brute force tools to log in to a machine. Once they gain access, they disable any pre-installed security solution like antivirus, launch the ransomware, and may also look for and delete backups. This is why it is critical to have a backup strategy in place.
RDP Ransomware Attacks Focused at SMBs
Over the last several months, there has been a great increase in the number of ransomware attacks where the hacker figured out a way through the password protection used with RDP. Small and medium-sized businesses (SMBs) continue to be top targets for cybercriminals.
RDP is one of today’s top technologies for connecting to remote systems, and there are millions of computers with RDP ports exposed online.
So, What Can an SMB Do to Prevent RDP Attacks?
First, RDP should only be used if absolutely necessary.
If it must be used, here are some tips to lower the chances of a cybercriminal attack.
- Put RDP access behind a VPN so it’s not directly accessible. Allow access only from internal IP addresses coming from your company’s network. Doing so protects RDP connection ports from the public Internet.
- Enable two-factor authentication for remote users as another layer of protection.
- Limit access to only those who really need it. Leaving access open to all users by default when only a small portion needs it increases your risk of a ransomware attack.
- Change RDP to a non-standard port. By default, Remote Desktop uses TCP port 3389. If you use RDP, changing the default port number makes it a little more difficult for a cybercriminal to find and access your custom port number.
- Block IPs that fail multiple login attempts. A high number of failed login attempts in a short period of time usually indicates the presence of cybercriminal activity. Your administrator can set up a policy that limits the number of times a user can attempt to log in to RDP.
- Add an endpoint detection and response service. Today’s endpoint detection and response (EDR) tools are created to detect and investigate suspicious activities on hosts/endpoints. For example, an EDR can detect an oddity on your network such as an in-office user logging into the RDP.
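To make the "block IPs that fail multiple login attempts" tip concrete, here is an added example (not from the original article) of the sliding-window check an administrator or monitoring tool would apply to logon records. The log format, the sample lines, the threshold of 5 and the 2-minute window are all assumptions made for illustration; on Windows the raw failures are recorded as Security event ID 4625.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample (not real logs). Assumed export format, one logon attempt
# per line: ISO timestamp, source IP, account name, FAIL or OK.
SAMPLE_LOG = """\
2020-06-01T02:14:05 203.0.113.7 administrator FAIL
2020-06-01T02:14:09 203.0.113.7 admin FAIL
2020-06-01T02:14:12 203.0.113.7 backup FAIL
2020-06-01T02:14:16 203.0.113.7 scanner FAIL
2020-06-01T02:14:21 203.0.113.7 reception FAIL
2020-06-01T02:14:30 203.0.113.7 reception OK
2020-06-01T08:55:10 198.51.100.20 jsmith FAIL
2020-06-01T08:55:40 198.51.100.20 jsmith OK
2020-06-01T09:00:00 192.0.2.50 jsmith FAIL
2020-06-01T09:10:00 192.0.2.50 jsmith FAIL
2020-06-01T09:20:00 192.0.2.50 jsmith FAIL
2020-06-01T09:30:00 192.0.2.50 jsmith FAIL
2020-06-01T09:40:00 192.0.2.50 jsmith FAIL
"""

def parse(text):
    """Yield (timestamp, ip, account, outcome) tuples from the assumed format."""
    for line in text.splitlines():
        if line.strip():
            ts, ip, account, outcome = line.split()
            yield datetime.fromisoformat(ts), ip, account, outcome

def find_bruteforce(records, threshold=5, window=timedelta(minutes=2)):
    """Map each offending IP to the time it crossed the threshold and to any
    account it logged in to afterwards (a sign the guessing succeeded)."""
    recent = defaultdict(deque)   # ip -> failure times still inside the window
    flagged = {}
    for ts, ip, account, outcome in sorted(records):
        if outcome == "OK":
            if ip in flagged:
                flagged[ip]["later_success"].append(account)
            continue
        failures = recent[ip]
        failures.append(ts)
        while ts - failures[0] > window:   # drop failures older than the window
            failures.popleft()
        if len(failures) >= threshold and ip not in flagged:
            flagged[ip] = {"block_at": ts, "later_success": []}
    return flagged

if __name__ == "__main__":
    for ip, info in find_bruteforce(parse(SAMPLE_LOG)).items():
        print(ip, info["block_at"].isoformat(), info["later_success"])
```

With the default settings only 203.0.113.7 is flagged, and its successful logon nine seconds later shows why the block has to be automatic. The failures from 192.0.2.50 are spaced too far apart for a 2-minute window, so a longer window or an account lockout policy is needed alongside it.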
Disaster Recovery as Another Form of RDP Prevention
In the event that a ransomware attack occurs on your network, comprehensive backups are among the best tools to combat it. Like a carbon copy of your business’ critical data, backups can ensure information can be restored to normal should you ever get locked out or if data becomes corrupted. Backup systems should have up-to-date, on-site, and off-site versions of all critical data.