Multiple ransomware groups that target open Remote Desktop Protocol (RDP) ports have been reported by Cyble Research and Intelligence Labs (CRIL).
RDP enables users to connect to and manage remote computers across a network. Businesses frequently utilize it to allow remote access to corporate networks.
An RDP port left open to the internet is therefore a critical security exposure. Threat actors can quickly scan the internet for computers with open RDP ports and then try to log in using compromised credentials or unpatched vulnerabilities.
After gaining access, threat actors can steal confidential information from the system and distribute malicious programs such as ransomware to other systems on the network. Cyble Global Sensor Intelligence (CGSI) observed exploitation attempts against the Remote Desktop Protocol over the last three months.
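The intrusion path described above (scan for exposed RDP, then guess or replay credentials) leaves a recognisable trace in Windows Security logs: bursts of failed logons (event 4625) with logon type 10 (RemoteInteractive, i.e. RDP) from one source address, sometimes followed by a successful logon (event 4624) from the same address. The detector below is an added example written for this page, not code from CRIL or the article; it parses a constructed, simplified log format (timestamp|event_id|logon_type|user|src_ip) rather than raw EVTX, and flags any source that produces at least `threshold` RDP logon failures inside a sliding time window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Windows logon type 10 = RemoteInteractive (RDP / Terminal Services).
RDP_LOGON_TYPE = 10
EVENT_LOGON_FAILED = 4625
EVENT_LOGON_SUCCESS = 4624

# Constructed sample log lines (not real data from the article). Format:
# timestamp|event_id|logon_type|target_user|source_ip
SAMPLE_LOGS = """\
2023-01-10T09:00:01|4625|10|administrator|203.0.113.7
2023-01-10T09:00:03|4625|10|admin|203.0.113.7
2023-01-10T09:00:04|4625|10|user1|203.0.113.7
2023-01-10T09:00:06|4625|10|backup|203.0.113.7
2023-01-10T09:00:09|4625|10|guest|203.0.113.7
2023-01-10T09:00:12|4624|10|jsmith|203.0.113.7
2023-01-10T09:15:00|4625|10|jdoe|198.51.100.2
2023-01-10T10:30:00|4625|3|svc|192.0.2.5
2023-01-10T10:30:01|4625|3|svc|192.0.2.5
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\|(?P<event>\d+)\|(?P<ltype>\d+)\|(?P<user>[^|]*)\|(?P<ip>\S+)$")


def parse_events(text):
    """Parse the simplified log format into dicts; silently skips malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "event": int(m["event"]),
            "logon_type": int(m["ltype"]),
            "user": m["user"],
            "ip": m["ip"],
        })
    return events


def detect_rdp_bruteforce(text, threshold=5, window=timedelta(minutes=5)):
    """Return {src_ip: finding} for sources with >= threshold RDP logon failures in any window.

    A finding also records whether a successful RDP logon from the same source
    occurred after the failure burst, which is the "credential hit" case worth
    escalating first.
    """
    events = [e for e in parse_events(text) if e["logon_type"] == RDP_LOGON_TYPE]
    events.sort(key=lambda e: e["ts"])

    failures = defaultdict(list)
    successes = defaultdict(list)
    for e in events:
        if e["event"] == EVENT_LOGON_FAILED:
            failures[e["ip"]].append(e)
        elif e["event"] == EVENT_LOGON_SUCCESS:
            successes[e["ip"]].append(e)

    alerts = {}
    for ip, fails in failures.items():
        # Sliding window over the sorted failure timestamps for this source.
        start = 0
        burst_end = None
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst_end = fails[end]["ts"]
                break
        if burst_end is None:
            continue
        alerts[ip] = {
            "failed_logons": len(fails),
            "usernames": sorted({f["user"] for f in fails}),
            "success_after_burst": any(s["ts"] > burst_end for s in successes.get(ip, [])),
        }
    return alerts


if __name__ == "__main__":
    for ip, finding in detect_rdp_bruteforce(SAMPLE_LOGS).items():
        print(ip, finding)
```

In the constructed sample, 203.0.113.7 is flagged (five failures in eight seconds across five different usernames, then a success), 198.51.100.2 produces a single failure and stays below the threshold, and 192.0.2.5 is ignored entirely because its failures are logon type 3 (network), not RDP. Tune `threshold` and `window` to the environment; the same logic applies to any source that can be reduced to timestamp, event, logon type, user and source address.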
Reports stated that one of the online scanners shows over 18 instances that point to a ransomware incident, with the United States and Russia accounting for the majority of cases.
Ransomware Families That Target Open RDP Ports
Researchers identified Redeemer ransomware, a C/C++-based binary that targets Windows operating systems. Upon execution, this ransomware encrypts the victim’s PC and drops the “Read Me.TXT” ransom note.
NYX ransomware first appeared in 2022 and is written in C/C++. Its ransom note is delivered as “000 NYX READ ME” .text and .hta files. The group also says it steals the victim’s data before encrypting it and may employ the double extortion method.
In the second half of November 2022, two ransomware families named Vohuk and Amelia first appeared. Vohuk ransomware encrypts files, renames them to a random string, and appends the “.Vohuk” extension. It also modifies the system wallpaper and file icon.
A new ransomware called BlackHunt has recently been observed targeting open RDP ports. Its “ReadMe” ransom note tells victims to follow its instructions in order to decrypt their files.
“Threat Actors are constantly scanning for vulnerable, exposed assets that can be compromised and used to deploy further exploits,” CRIL said.
BlueKeep (CVE-2019-0708) was found to be the most frequently used exploit, according to CGSI. The reason BlueKeep is still being exploited is that so many RDP ports remain exposed to the internet.
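Since exposure is the root cause the article points to, the first control to verify is the inbound rule set in front of each Windows host. The audit below is an added example written for this page, not code from CRIL or the article; it runs over a constructed, simplified list of inbound firewall or cloud security-group rules (the field names and the “-1 means all protocols” convention are assumptions modelled on common cloud APIs) and separates rules that open TCP/3389 to any source from rules that scope it to a specific prefix, which is the shape a VPN-only or bastion-only rule should have.

```python
import ipaddress

RDP_PORT = 3389  # TCP listener used for the initial RDP connection

# Constructed sample of inbound rules (not taken from the article).
# "proto" of "-1" follows the cloud-API convention for "all protocols".
SAMPLE_RULES = [
    {"name": "allow-rdp-any",        "proto": "tcp", "from_port": 3389, "to_port": 3389,  "cidr": "0.0.0.0/0"},
    {"name": "allow-rdp-vpn",        "proto": "tcp", "from_port": 3389, "to_port": 3389,  "cidr": "10.20.0.0/16"},
    {"name": "allow-all-tcp-office", "proto": "tcp", "from_port": 0,    "to_port": 65535, "cidr": "198.51.100.0/24"},
    {"name": "allow-all-any-v6",     "proto": "-1",  "from_port": 0,    "to_port": 65535, "cidr": "::/0"},
    {"name": "allow-https",          "proto": "tcp", "from_port": 443,  "to_port": 443,   "cidr": "0.0.0.0/0"},
]


def rule_covers_rdp(rule):
    """True if the rule admits TCP/3389, either explicitly or through a broad port/protocol range."""
    proto_ok = str(rule["proto"]).lower() in ("tcp", "-1", "all")
    return proto_ok and rule["from_port"] <= RDP_PORT <= rule["to_port"]


def audit_rdp_exposure(rules):
    """Classify every RDP-permitting rule by source scope.

    'exposed': source prefix length 0 (0.0.0.0/0 or ::/0), i.e. open to the whole internet.
    'scoped':  source is a specific prefix; still worth review, but not the open-to-internet case.
    Each finding also notes whether the rule opens every port, which hides the
    RDP exposure from a naive "is there a 3389 rule?" search.
    """
    result = {"exposed": [], "scoped": []}
    for rule in rules:
        if not rule_covers_rdp(rule):
            continue
        net = ipaddress.ip_network(rule["cidr"], strict=False)
        bucket = "exposed" if net.prefixlen == 0 else "scoped"
        result[bucket].append({
            "name": rule["name"],
            "cidr": rule["cidr"],
            "all_ports": rule["from_port"] == 0 and rule["to_port"] == 65535,
        })
    return result


if __name__ == "__main__":
    report = audit_rdp_exposure(SAMPLE_RULES)
    for finding in report["exposed"]:
        print("EXPOSED:", finding)
    for finding in report["scoped"]:
        print("scoped: ", finding)
```

On the sample, `allow-rdp-any` and `allow-all-any-v6` land in the exposed bucket (the second only because its all-ports, all-protocols range happens to include 3389), `allow-rdp-vpn` and `allow-all-tcp-office` are scoped, and `allow-https` is not reported at all. The corrected form of the weak rule is the one already in the list beside it: the same port restricted to the VPN or bastion prefix.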
Researchers also observed a significant amount of RDP access being sold on the dark web, which suggests that threat actors may soon aggressively use stolen access to launch ransomware attacks.