Diagnosing the «Ransomware Deployment Protocol» (RDP)

Remote Desktop Protocol (RDP) is the most popular initial ransomware attack vector and has been for years. For the 2020 Unit 42 Incident Response and Data Breach Report, Unit 42 studied data from over 1,000 incidents and found that in 50% of ransomware deployment cases, RDP was the initial attack vector. In the 2021 Cortex Xpanse Attack Surface Threat Report, Cortex Xpanse researchers found that RDP accounted for 30% of total exposures, more than double the next most common exposure type.

RDP is a protocol on Microsoft Windows systems designed to let users connect to and control another system remotely. The most common legitimate use is to allow IT support to remotely control a user’s system to fix an issue. More recently, RDP has become popular in cloud computing for accessing virtual machines (VMs) in cloud environments or remotely managing cloud assets.

It is extremely easy to expose RDP unintentionally: on a forgotten system, on a cloud instance, on a device that was previously protected by network segmentation, or on a host that is connected directly to the internet. What’s worse is that RDP has become more widespread, more exposed and a more prevalent risk that can lead to attacks (specifically ransomware deployment), loss of data, expensive downtime and remediation efforts, as well as brand damage for organizations.
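The exposures described above are usually a matter of a few host settings: whether Remote Desktop is enabled at all, whether Network Level Authentication is required, and whether the inbound firewall rules admit connections from any remote address. The following PowerShell audit is an added example, not code from the original article or from Palo Alto Networks; it reads only the standard Windows registry values and firewall cmdlets (the `fDenyTSConnections`, `UserAuthentication` and `PortNumber` values under the Terminal Server key, and the built-in "Remote Desktop" firewall rule group) and reports the combinations that turn a host into an unintended exposure. Run it in an elevated session on the host being checked.

```powershell
# Added example (not from the original article): a local audit of the RDP
# settings that most often produce an unintended exposure. Assumes an elevated
# PowerShell session on a Windows host with the NetSecurity module available.

function Get-RdpExposureReport {
    [CmdletBinding()]
    param()

    $tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $tcpKey = "$tsKey\WinStations\RDP-Tcp"

    # fDenyTSConnections = 0 means Remote Desktop is enabled on this host.
    $denyTs = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    $rdpEnabled = ($denyTs -eq 0)

    # UserAuthentication = 1 means Network Level Authentication is required, so a
    # client must authenticate before it ever reaches the full logon screen.
    $nla = (Get-ItemProperty -Path $tcpKey -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    $nlaRequired = ($nla -eq 1)

    # Listening port (3389 by default). Recorded for the report; a non-default
    # port is not a control on its own.
    $port = (Get-ItemProperty -Path $tcpKey -Name PortNumber -ErrorAction SilentlyContinue).PortNumber
    if (-not $port) { $port = 3389 }

    # Enabled inbound rules in the built-in "Remote Desktop" group. A rule whose
    # RemoteAddress is 'Any' admits connections from every network the host can reach.
    $inboundRules = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Enabled True -ErrorAction SilentlyContinue |
        ForEach-Object {
            $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
            [pscustomobject]@{
                Rule          = $_.DisplayName
                Profile       = $_.Profile
                RemoteAddress = ($addr -join ',')
            }
        })
    $anyRemote = @($inboundRules | Where-Object { $_.RemoteAddress -eq 'Any' })

    # Is the service actually accepting connections on that port right now?
    $listening = $null -ne (Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue)

    # Every member of the local Remote Desktop Users group is an RDP logon candidate.
    $rdpUsers = @(Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty Name)

    # Findings: the combinations that matter, not the individual settings.
    $findings = @()
    if ($rdpEnabled -and -not $nlaRequired) {
        $findings += 'RDP is enabled without Network Level Authentication'
    }
    if ($rdpEnabled -and $listening -and $anyRemote.Count -gt 0) {
        $findings += "RDP is listening on port $port and an inbound rule allows any remote address"
    }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        RdpEnabled         = $rdpEnabled
        NlaRequired        = $nlaRequired
        Port               = $port
        Listening          = $listening
        InboundRules       = $inboundRules
        RemoteDesktopUsers = $rdpUsers
        Findings           = $findings
    }
}

# Usage: run on each host (or via Invoke-Command against an inventory) and
# treat any result with a non-empty Findings list as an exposure to remediate.
Get-RdpExposureReport | Format-List
```

The script only reads configuration; remediation (disabling RDP where it is not needed, requiring NLA, and scoping the inbound rule to the management network) is a separate, deliberate change. Because it inspects the host from the inside, it complements rather than replaces an external attack-surface view, which is what catches the forgotten or unsegmented systems the paragraph above describes.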

RDP is a favorite target of threat actors because once an attacker is in, they have full access (up to the level of the compromised user account) to the system. If an admin account is compromised, that’s a disaster. But even if a more restricted user account is compromised, the attacker only needs to find another vulnerability on that system to elevate privileges and gain more access.


Read Kane Lightowler’s blog here to learn more about avoiding the ransomware lottery, ensuring you don’t have unnecessary RDP exposures, and making RDP a priority.

To learn more about risks to your attack surface, download the 2021 Cortex Xpanse Attack Surface Threat Report here.

Contact your local Exclusive Networks Account Manager to find out how the Palo Alto Networks portfolio of products and services can help protect your customers’ environments against RDP attacks.