We all know that stolen or weak remote desktop credentials are often used to infect point-of-sale systems with malware, but we are seeing them become an increasingly common distribution method for file-encrypting ransomware.
What is Ransomware?
Ransomware is a type of malicious software designed to block access to a computer system until a sum of money is paid. In March 2016, researchers discovered a ransomware program dubbed Surprise that was being installed through stolen credentials for TeamViewer, a popular remote administration tool. It has since been shown, however, that some ransomware variants had been distributed through brute-force password-guessing attacks against Remote Desktop Protocol (RDP) servers since 2015.
“There’s more and more documented evidence that this is going on,” says Ori Eisen, founder and chief innovation officer of fraud prevention company 41st Parameter. “It’s more prevalent in the United Kingdom, which is sort of a staging or testing ground. It’s starting there and getting more momentum.”
While this method of infection was initially used by relatively obscure ransomware programs, recently it has been adopted by an increasing number of cybercriminals, including those behind widespread ransomware programs such as Crysis.
How Does It Work?
These assaults begin in a similar manner to scareware: you are tricked into clicking on an infected pop-up advertisement, or you visit an infected website. However, instead of merely trying to trick you into buying fake antivirus software, the attackers hold your computer hostage until you pay up.
In some instances, ads appear on your screen each time you try to open a web page, covering a portion of the page you are trying to view.
The criminals often ask for a nominal payment, figuring you’ll be more likely to pay to avoid the hassle and heartache of dealing with the virus.
The Kaspersky researchers announced:
“Connecting remote desktop servers directly to the Internet is not recommended and brute forcing them is nothing new; but without the proper controls in place to prevent or at least detect and respond to compromised machines, brute force RDP attacks are still relevant and something that cybercriminals enjoy.”
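One form of the detection control the quoted passage refers to, as an added example rather than anything from the original post or from Kaspersky: a Python script that scans constructed Windows-style logon records (an assumed, simplified export format using event 4625 for failed logons, 4624 for successes, and logon type 10 for RDP) and flags source addresses that exceed a failure threshold inside a sliding time window, noting which accounts were tried and whether a successful logon later followed from the same source.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in an assumed simplified export format:
# "<ISO timestamp> <EventID> <LogonType> <Account> <SourceIP>"
# (4625 = failed logon, 4624 = successful logon, logon type 10 = RDP).
SAMPLE_LOG = """\
2016-03-10T09:00:01 4625 10 administrator 203.0.113.7
2016-03-10T09:00:03 4625 10 admin 203.0.113.7
2016-03-10T09:00:05 4625 10 backup 203.0.113.7
2016-03-10T09:00:07 4625 10 pos 203.0.113.7
2016-03-10T09:00:09 4625 10 sales 203.0.113.7
2016-03-10T09:00:11 4625 10 till1 203.0.113.7
2016-03-10T09:02:00 4624 10 pos 203.0.113.7
2016-03-10T09:05:00 4625 10 alice 198.51.100.20
2016-03-10T09:30:00 4625 10 alice 198.51.100.20
2016-03-10T09:31:00 4625 3 svc 198.51.100.20
2016-03-10T09:31:30 4625 3 svc 198.51.100.20
"""

def parse_event(line):
    ts, event_id, logon_type, account, src_ip = line.split()
    return datetime.fromisoformat(ts), int(event_id), int(logon_type), account, src_ip

def detect_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Flag sources with >= threshold failed RDP logons inside a sliding window."""
    recent = defaultdict(deque)   # src_ip -> failure timestamps inside the window
    tried = defaultdict(set)      # src_ip -> account names attempted
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, account, src_ip = parse_event(line)
        if logon_type != 10:      # only RemoteInteractive (RDP) logons matter here
            continue
        if event_id == 4625:
            tried[src_ip].add(account)
            q = recent[src_ip]
            q.append(ts)
            while ts - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= threshold:
                alert = alerts.setdefault(src_ip, {"failures": 0, "success_after": False})
                alert["failures"] = max(alert["failures"], len(q))
                alert["accounts"] = sorted(tried[src_ip])
        elif event_id == 4624 and src_ip in alerts:
            alerts[src_ip]["success_after"] = True   # success after a failure burst: likely compromise
    return alerts
```

A source that appears with `success_after` set is the case to respond to first, since a password has probably been guessed correctly.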
Edge are invested in maintaining secure systems. We suggest talking to our account manager Nadine at [email protected] or calling in for support if you have any concerns or questions.