Protecting Against Ransomware by Addressing RDP Issues

According to Statista, 68.5% of businesses were victimized by ransomware in 2021, the highest percentage reported to date. As companies move to a hybrid work environment, workers will continue to access business-critical applications remotely, which is why it is now more critical than ever to understand and address how legacy remote desktop and virtual desktop technologies affect the security of your remote and hybrid workforce.

In the wake of the recent Kaseya ransomware attack, remote access tooling is under increased scrutiny. Yet most Virtual Desktop Infrastructure (VDI) and Desktop as a Service (DaaS) products do not provide adequate protection against ransomware and other remote access security threats. Organizations relying on Remote Desktop Protocol (RDP) deployments that require server ports to be open to the Internet are at even greater risk, both from credential brute forcing and from RDP-specific vulnerabilities like BlueKeep (CVE-2019-0708), a pre-authentication remote code execution flaw in the RDP service that needs no valid password at all.

To increase security, VDI, DaaS, and RDP vendors typically recommend adding VPNs, using strong passwords, implementing two-factor authentication, performing regular software updates, using a remote desktop gateway, installing the latest OS patches, enforcing account lockout, and implementing a centralized audit trail. None of this changes the underlying exposure: the RDP listener is still reachable from the Internet, and every one of those controls is something the customer has to bolt on and maintain. With advice like this, it’s a wonder the number of ransomware victims isn’t 100%.

Understanding the Attack Vectors

According to Coveware’s Quarterly Ransomware Report, “in Q1 (2021) compromised remote desktop protocol connections regained the top position as the most common attack vector. RDP remains a frustratingly common vulnerability despite well known secure remote connection best practices.” The chart below shows how RDP overtook email phishing as the leading attack vector in Q1:

[Figure: Coveware chart of the leading ransomware attack vectors by quarter, including RDP and email phishing]

Moreover, the larger an organization gets, the bigger a problem RDP becomes. For companies with more than 10,000 employees, RDP was the attack vector in over 50% of ransomware attacks. That share rises to nearly 75% for organizations of 100,000 or more employees.

[Figure: Coveware bar chart of the leading ransomware attack vectors broken down by company size]

Why the Rise in RDP Attacks?

One could safely assume that the dramatic spike in RDP as an attack vector correlates directly with the rise in remote work brought on by the pandemic. That’s true, but it’s not the whole story. Back in 2019 the McAfee Labs Threat Report noted that ransomware and brute-force attacks increased by 118% that year, with much of the initial access gained by brute-forcing open and exposed remote access points such as RDP. So the trend began before the pandemic and was then accelerated by it.

But let’s take a step back: what do we mean when we talk about open or exposed RDP ports?

When organizations enable Remote Desktop on a Windows server and then allow inbound traffic to it from the Internet, the RDP listener (TCP port 3389 by default, with UDP 3389 also used by newer RDP versions) becomes reachable by anyone who scans for it. From that moment the server is subject to continuous credential brute-force attacks; moving the listener to a non-standard port only delays discovery, because scanners fingerprint the service rather than trusting the port number. While exposing RDP directly to the Internet was uncommon a few years ago, it has unfortunately become the de-facto standard when creating cloud Windows instances, where launch wizards routinely offer an inbound 3389 rule open to any source address.

But What Do These RDP Attacks Look Like, Really? 

Back in September 2019, our own Cameyo research showed that the average Internet-connected server faced 150,000 brute-force password attempts per week, performed by automated bots, scripts, viruses and zombie machines. We began using our RDPmon solution to monitor our own environment, and in less than six months Cameyo’s RDPmon recorded 7 million RDP password attempts on our “honeypot” server. That works out to over 318,000 brute-force password attempts per week, and that was BEFORE the pandemic moved the world to remote work.

And in reality, that’s just the beginning. The growth in RDP-focused attacks is exponential: at first only a few bots attempt to connect every few hours, but as soon as they detect that your RDP port is exposed, they make more and more attempts, and the volume compounds over time.
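Here is what the counting described above looks like as detection logic. This is an added example written for this post, not Cameyo’s RDPmon and not code from the original. It takes Windows Security event 4625 (“An account failed to log on”) records, keeps only the logon types an RDP client produces (3 for Network Level Authentication failures, 10 for RemoteInteractive), and flags any source address that accumulates a threshold of failures inside a sliding time window, separating a real user mistyping a password from a bot spraying usernames. The event records, addresses and usernames are constructed for the example, and the function name and field layout are assumptions.

```python
"""Flag RDP brute-force activity from Windows Security event 4625 records.

Example code, not Cameyo's RDPmon. Assumes each record carries the
EventData fields of a 4625 event (TargetUserName, IpAddress, LogonType,
SubStatus) plus the event's TimeCreated as an ISO-8601 string.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

RDP_LOGON_TYPES = {"3", "10"}          # 3 = network (NLA), 10 = RemoteInteractive
SUBSTATUS_NO_SUCH_USER = "0xC0000064"  # user name does not exist
SUBSTATUS_BAD_PASSWORD = "0xC000006A"  # user name correct, password wrong


def _event(ts, user, ip, logon_type, substatus):
    return {"EventID": 4625, "TimeCreated": ts, "TargetUserName": user,
            "IpAddress": ip, "LogonType": logon_type, "SubStatus": substatus}


_T0 = datetime(2021, 7, 12, 8, 0, 0)


def _iso(seconds):
    return (_T0 + timedelta(seconds=seconds)).isoformat()


# Constructed username list a spraying bot might cycle through.
_BOT_USERS = ["administrator", "admin", "user", "test", "scanner", "backup",
              "guest", "sql", "support", "remote", "it", "helpdesk"]

# Constructed sample log: one legitimate user fumbling a password twice,
# one console failure with no source address, and one bot spraying over NLA.
SAMPLE_EVENTS = (
    [_event(_iso(0), "jsmith", "10.0.0.5", "10", SUBSTATUS_BAD_PASSWORD),
     _event(_iso(180), "jsmith", "10.0.0.5", "10", SUBSTATUS_BAD_PASSWORD),
     _event(_iso(90), "svc_backup", "-", "2", SUBSTATUS_BAD_PASSWORD)]
    + [_event(_iso(300 + 4 * i), name, "203.0.113.7", "3",
              SUBSTATUS_BAD_PASSWORD if name == "administrator"
              else SUBSTATUS_NO_SUCH_USER)
       for i, name in enumerate(_BOT_USERS)]
)


def detect_rdp_bruteforce(events, window_seconds=60, threshold=5):
    """Return {ip: evidence} for every source that produced at least
    `threshold` RDP logon failures within any `window_seconds` span."""
    window = timedelta(seconds=window_seconds)
    per_ip = defaultdict(list)
    for e in events:
        if e["EventID"] != 4625 or e["LogonType"] not in RDP_LOGON_TYPES:
            continue
        if e["IpAddress"] in ("-", "::1", "127.0.0.1"):  # local, not RDP
            continue
        per_ip[e["IpAddress"]].append(e)

    hits = {}
    for ip, evs in per_ip.items():
        evs.sort(key=lambda e: e["TimeCreated"])  # ISO strings sort correctly
        recent = deque()
        for e in evs:
            now = datetime.fromisoformat(e["TimeCreated"])
            recent.append(e)
            # Drop failures that fell out of the sliding window.
            while datetime.fromisoformat(recent[0]["TimeCreated"]) < now - window:
                recent.popleft()
            if len(recent) >= threshold:
                users = {x["TargetUserName"] for x in evs}
                hits[ip] = {
                    "attempts": len(evs),
                    "distinct_users": len(users),
                    # Many non-existent accounts = spraying, not a forgotten password.
                    "unknown_users": sum(
                        1 for x in evs if x["SubStatus"] == SUBSTATUS_NO_SUCH_USER),
                    "first": evs[0]["TimeCreated"],
                    "last": evs[-1]["TimeCreated"],
                }
                break
    return hits


if __name__ == "__main__":
    for ip, info in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(ip, info)
```

On a host where RDP is the only Internet-facing service, logon type 3 failures from external addresses are effectively NLA failures; on a general-purpose server, type 3 also covers SMB and other network logons, so either restrict to type 10 or correlate with event 140 in the Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational log before acting on a hit. The point of the sliding window is that a single user with two typos minutes apart never trips the rule, while a bot that never even uses a valid username does within seconds.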

This is part of the reason we introduced Cameyo Port Shield back in 2019. Port Shield is the first security solution capable of automatically and dynamically opening and closing RDP ports on the fly at the Windows Firewall level, rather than leaving them statically open. Unlike other solutions that keep RDP ports open only to a pre-defined list of IPs, which limits cloud and geographic flexibility, Cameyo proactively closes the RDP port at the Windows Firewall and only opens it if and when needed, for the IP of a user who has already authenticated through Cameyo’s central portal.

And the best part? Cameyo Port Shield is completely free for all Cameyo customers. Because at Cameyo we view security as foundational, never something that should be “optional”, there is no action required to use this feature: it is active for all users of the Cameyo platform and is included at no additional cost.

And Port Shield is just the beginning of our end-to-end, Zero Trust security approach. The Cameyo Virtual Application Delivery platform was designed from day one to be the simplest and most secure way to deliver business-critical applications to users in a hybrid and remote work environment. Cameyo’s single architecture and Zero Trust security model includes:

  • Limited attack surface – Cameyo’s single architecture eliminates the need for additional gateways and appliances that can fail and become a security issue in their own right (e.g., CVE-2019-19781, the vulnerability in Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP appliances).
  • Port Shield – a Cameyo-developed technology that provides built-in security by automatically closing the RDP, HTTP, and HTTPS ports and opening them to authenticated users only when needed.
  • No VPN – all traffic is encrypted and apps are delivered through an HTML5 browser session, effectively separating the user’s device from the corporate network and eliminating the need for VPNs.
  • Non-persistent servers – customer user data is removed from the Cameyo server every time the user logs out, so in the very unlikely event that a session is compromised, the attacker’s access is limited to that user’s session and is wiped from the server when the session ends.

We’d love to schedule a demo and show you first-hand how Cameyo’s Virtual App Delivery platform can help protect your organization from ransomware, including the growing problem of exposed RDP as the primary attack vector. You can schedule a demo here, or contact us at [email protected] anytime to set one up. Want to test drive it yourself first? Start your free trial (no credit card required) here within minutes.