RDP Abuse Present in 90% of Ransomware Breaches

Remote desktop protocol (RDP) compromise has reached record levels in ransomware attacks, according to new data from Sophos.

The UK-based security vendor analyzed 150 of its incident response cases from 2023 and found RDP abuse featured in 90% of them to give threat actors remote access to Windows environments.

Sophos described the rate of RDP abuse as “unprecedented” and said it partially explained why “external remote services” were the most popular way for threat actors to gain initial access in ransomware attacks – accounting for 65% of cases last year.

In one case, attackers successfully compromised the same victim four times within six months via exposed RDP ports. Once inside, they were able to move laterally through its networks, downloading malicious binaries, disabling endpoint protection and establishing remote access, Sophos said.

RDP offers several advantages for ransomware actors:

It is extremely popular among network administrators
Attackers can abuse it for remote access without setting off any AV or EDR alarms
It offers an easy-to-use GUI
The service is often misconfigured, meaning it is publicly exposed and protected only with easy-to-crack credentials
Highly privileged accounts are sometimes used for RDP, amplifying the damage that can be done
Administrators often disable security features such as Network Level Authentication
Many organizations forget to segment their networks, which helps RDP attackers

“External remote services are a necessary, but risky, requirement for many businesses. Attackers understand the risks these services pose and actively seek to subvert them due to the bounty that lies beyond,” argued John Shier, Sophos field CTO.

“Exposing services without careful consideration and mitigation of their risks inevitably leads to compromise. It doesn’t take long for an attacker to find and breach an exposed RDP server, and without additional controls, neither does finding the Active Directory server that awaits on the other side.”

RDP Abuse Present in 90% of Ransomware Breaches

Phil Muncaster

You may also like

Ransomware Encryption Rates Reach New Heights

Schools Out for Ransom: Education Under Attack

Insurer’s UK Honeypots Attacked 17 Million Times Per Day

Record Number of Breaches Detected Amid #COVID19

Education Sector Has Highest Share of Ransomware Victims

What’s hot on Infosecurity Magazine?

How to Backup and Restore Database in SQL Server

DragonForce Ransomware Group Uses LockBit's Leaked Builder

Vulnerability Exploitation on the Rise as Attackers Ditch Phishing

State-Sponsored Espionage Campaign Exploits Cisco Vulnerabilities

BEC and Fund Transfer Fraud Top Insurance Claims

US Takes Down Illegal Cryptocurrency Mixing Service Samourai Wallet

Alarming Decline in Cybersecurity Job Postings in the US

North Korean Group Kimsuky Exploits DMARC and Web Beacons

Russian Sandworm Group Hit 20 Ukrainian Energy and Water Sites

Dependency Confusion Vulnerability Found in Apache Project

Security Leaders Braced for Daily AI-Driven Attacks by Year-End

Fifth of CISOs Admit Staff Leaked Data Via GenAI

Is MFA Enough? Strategies for Next-Level Identity Security in 2024

Navigating the Evolving Cybersecurity Compliance Landscape in 2024

Adapting to Tomorrow's Threat Landscape: AI's Role in Cybersecurity and Security Operations in 2024

Untangling the Web: Navigating Third-Party Risk in a Hyperconnected World

Beyond Passwords: Securing the Digital Age with MFA, 2FA, and Passwordless Authentication

Understand and Combat the Top Healthcare Cloud Threats Today

Infosecurity Magazine Spring Online Summit 2024: Day One

Infosecurity Magazine Spring Online Summit 2024: Day Two

Russia’s Midnight Blizzard Accesses Microsoft Source Code

I-Soon GitHub Leak: What Cyber Experts Learned About Chinese Cyber Espionage

LockBit Takedown: What You Need to Know about Operation Cronos

Women in Cybersecurity at Infosecurity Europe 2024

RDP Abuse Present in 90% of Ransomware Breaches

Written by

You may also like

What’s hot on Infosecurity Magazine?