Ransomware attacks with RDP access breaches continue.

RDP access violation attacks to spread ransomware such as Phobos and Sodinokibi continue in 2019.

Sometimes business needs (and too much haste to achieve goals) can distract from what has become a global and unavoidable issue today: CYBER SECURITY. More and more users need technologies that allow them to work and access data and programs remotely, especially as a result of the spread of CLOUD systems.
These needs expose to cyber attacks by CyberCriminals.


  ==> A case detected by the C.R.A.M..
  ==> Evidence confirming the intrusion

  ==> Useful tips

In fact attacks persist with remote desktop access (RDP) to PCs/Servers aimed at encrypting files with Ransomware/CryptoMalware, for ransom purposes.

RDP protocol (Remote Desktop Protocol) is a remote management protocol developed by Microsoft and found in all Windows® Operating Systems used for remote PC/Server management that, if not configured properly, can be exploited as a point of attack.

In fact, PCs/Servers with active RDP and exposed to the Internet are subject to attacks aimed at obtaining login credentials.
Usually the initial phase of the attack is by "brute forcing" credentials to gain access to the machine.
Once access is gained, the CyberCriminal can perform various operations:
  • Theft of passwords/information/data.
  • Running Ransomware/CryptoMalware.
  • Lateral movement.
  • Tampering with security systems.
Actually, there is a growing increase in "lateral movements": the attacker can move through the internal network (LAN) either through the incorrect, but now established, habit of storing passwords for access to other networked systems, or through the use of ad hoc tools capable of extracting passwords.
In this way the attacker can enlarge the attack surface increasing the range of potential damage.

Finally the Ransomware/CryptoMalware is executed so that the data is encrypted and then the ransom demand is made. In these first 8 months of 2019, the main Ransomware/CryptoMalware used are:
  • Dharma/Phobos
  • GandCrab (service officially ended in the period of May and June 2019)
  • Sodinokibi/REvil
The analysis of the CryptoMalware Sodinokibi/REvil, that seems to have officially replaced GandCrab, can be seen at this address: REvil ransomware technical analysis - Sodinokibi and Threat Intelligence Report
The focus by CyberCriminals on RDP access is also favoured by the recent vulnerabilities discovered on this protocol, such as:
  • Bluekeep
  • DejaBlue
It is crucial, to defend yourself, in addition to an active and up-to-date antivirus, antispyware, antimalware, and antiransomware solution, to perform Operating System updates regularly so as to avoid exploitation of protocol flaws.

In the next section, we will illustrate how some CyberCriminals materialized unauthorized access via RDP and then infected the machine with Ransomware/CryptoMalware. As previously reported in the August 2017 news: "Remote Desktop, if misconfigured, becomes an easy entry for CryptoMalware"

The actual case examined by C.R.A.M.

The case we will perform as an example concerns an unauthorized access, which actually occurred, affecting a client machine with Windows 7 Professional Sp1 installed.
Other operating systems including server versions are not exempt from this threat.

When we asked some preliminary questions to the users involved, no one recalled opening any suspicious emails or otherwise clicking some untrustworthy links.
Then, excluding e-mail as a vehicle of infection, the search for the cause began. The only certain thing known by C.R.A.M. were some encrypted files (extension ".crypton") and the presence of the file with the ransom instructions (photo at right).

Back to top of page

Evidence confirming the intrusion

Once verified that the PC could be accessed by remote desktop - a function often clumsily enabled for technical needs - the Windows event log was then analyzed, particularly in the security section.

To start the Event Viewer with the Windows interface:
  1. Click the Start button.

  2. Select Control Panel.

  3. Click System and Maintenance.

  4. Choose Administrative Tools.

  5. Double-click Event Viewer.

To start the Event Viewer with a command line:
  1. Open a command prompt. To open a command prompt, click the Start button, choose All Programs, Accessories, and then Command Prompt.

  2. Type in eventvwr.

When faced with the event/security log, a filter was run for ID 4624, resulting in a list of successful accesses.
Then scrolling through the various filtered rows, especially one was detected that reported an RDP access (access type 10, see img.1 at right) that occurred a few minutes before the files were encrypted.
The IP address (source network address) recorded in the event, does not belong to the corporate network but is located in Russia. (See IMG.2 at right).
In this case, it was easy to find out the details of the intrusion and its origin: the criminal failed to erase his tracks. In other cases analyzed, the event log was found empty or with event lines deleted.

We need to know that once the CyberCriminal gains access to the system, he can potentially:
  • Make security systems, including antivirus, defenseless.;
  • Run CryptoMalware or other Malware in general;
  • Capture credentials saved in mail programs or browsers;
  • exfiltrate data;
  • Create additional access to the corporate network and/or system.

Back to top of page

Useful tips

TG Soft's C.R.A.M. found that in these types of attacks, gross errors are often made in the configuration of the affected machines that facilitate the success of the attack. Before making remote access via RDP protocol possible, we should consider some technical measures including:
  • Do not allow RDP access to either the "everyone" group or the "guest" user .
  • Set up stricter rules in the firewall configuration to restrict access to only authorized IPs and possibly only at set times.
  • Consider for access from outside, VPN technology.
  • Use strong passwords and change them regularly (at least every 3 months).
  • Limit the maximum number of failed logins per account.
  • Prevent users authorized for RDP access from belonging to the "administrators" group.
  • Monitor access logs for any suspicious activity.
  • Avoid storing passwords for access to other systems in the network.
  • Always perform Operating System updates.
It remains critical to have an active and up-to-date antivirus, antispyware, antimalware, and antiransomware solution such as the Vir.IT eXplorer PRO suite.

TG Soft's Anti-Malware Research Center

Back to top of page

Any information published on our site may be used and published on other websites, blogs, forums, facebook and/or in any other form both in paper and electronic form as long as the source is always and in any case cited explicitly “Source: CRAM by TG Soft www.tgsoft.it” with a clickable link to the original information and / or web page from which textual content, ideas and / or images have been extrapolated.
It will be appreciated in case of use of the information of C.R.A.M. by TG Soft www.tgsoft.it in the report of summary articles the following acknowledgment/thanks “Thanks to Anti-Malware Research Center C.R.A.M. by TG Soft of which we point out the direct link to the original information: [direct clickable link]”

Vir.IT eXplorer PRO is certified by the biggest international organisation: