The Remote Desktop Protocol (RDP) is an increasingly popular distribution vector among ransomware operators; recent statistics from Webroot suggest it has now surpassed email.
RDP attacks have been used to distribute malware for several years, but only recently have they become a ransomware distribution vector.
Last year (2016), numerous attacks that brute-forced RDP credentials to distribute ransomware were reported, including those involving Bucbi, Apocalypse, and Shade. In May 2016, Fox-IT suggested that RDP was indeed becoming a new infection vector in ransomware attacks, and in September Kaspersky Lab researchers associated the method with the distribution of Xpan in Brazil.
In February 2017, Trend Micro revealed that the Crysis ransomware was being distributed via RDP attacks too. While the method had been employed since September 2016, the number of such attacks doubled in January 2017 when compared to the previous months, the security firm said.
A chart published by Webroot this week shows that RDP is more widespread than email when it comes to ransomware vectors: 66% versus 33%. Historically, ransomware has also been distributed by other methods, including exploit kits and malvertising, but those vectors no longer appear to account for as much of the observed traffic.
“Over the last couple of months, the data we’ve seen underscores how important it is for system admins to secure RDP. Unsecured RDP essentially leaves the front door open for cybercriminals. And since modern criminals can just encrypt your data, instead of having to go through the trouble of stealing it, we shouldn’t make it any easier for them to get what they want,” the security firm notes.
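The brute-force pattern described above (many failed RDP logons from one source, often across several usernames, followed by a successful logon and then hands-on ransomware deployment) is visible in the Windows Security log if anyone looks. The following detector is an added example written for this article, not code from Webroot, Fox-IT, Trend Micro or any product. It works over constructed log lines that render Security events 4625 (failed logon) and 4624 (successful logon) as one line each with the real field names; the IP addresses, usernames and timestamps are invented, and real events would come out of EVTX or a SIEM rather than a string. LogonType 10 (RemoteInteractive) is the RDP logon type, which is what separates RDP guessing from, say, SMB authentication noise.

```python
"""Detect RDP credential brute-forcing from Windows Security log events.

Added example, not part of the original article. Log lines are a
constructed, simplified one-line rendering of Security events 4625
(An account failed to log on) and 4624 (An account was successfully
logged on); field names match the real events. LogonType 10 is
RemoteInteractive, i.e. RDP. Status 0xC000006A = bad password,
0xC0000064 = unknown user name.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

RDP_LOGON_TYPE = 10      # RemoteInteractive: Terminal Services / RDP
FAILED_LOGON = 4625
SUCCESSFUL_LOGON = 4624

# Constructed sample: 203.0.113.7 sprays three usernames within seconds and
# then gets in; 198.51.100.20 is a user who mistypes once; 192.0.2.9 is a
# failed network (LogonType 3) logon, which is not RDP and must be ignored.
SAMPLE_LOG = """\
2017-03-06T08:00:01Z EventID=4625 LogonType=10 TargetUserName=Administrator IpAddress=203.0.113.7 Status=0xC000006A
2017-03-06T08:00:02Z EventID=4625 LogonType=10 TargetUserName=Administrator IpAddress=203.0.113.7 Status=0xC000006A
2017-03-06T08:00:03Z EventID=4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.7 Status=0xC0000064
2017-03-06T08:00:04Z EventID=4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.7 Status=0xC0000064
2017-03-06T08:00:05Z EventID=4625 LogonType=10 TargetUserName=backup IpAddress=203.0.113.7 Status=0xC000006A
2017-03-06T08:00:06Z EventID=4625 LogonType=10 TargetUserName=Administrator IpAddress=203.0.113.7 Status=0xC000006A
2017-03-06T08:00:07Z EventID=4624 LogonType=10 TargetUserName=Administrator IpAddress=203.0.113.7
2017-03-06T08:01:00Z EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.20 Status=0xC000006A
2017-03-06T08:01:05Z EventID=4624 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.20
2017-03-06T08:02:00Z EventID=4625 LogonType=3 TargetUserName=svc_sql IpAddress=192.0.2.9 Status=0xC000006A
this line is not an event and is skipped by the parser
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ)\s+EventID=(?P<event_id>\d+)\s+"
    r"LogonType=(?P<logon_type>\d+)\s+TargetUserName=(?P<user>\S+)\s+"
    r"IpAddress=(?P<ip>\S+)(?:\s+Status=(?P<status>0x[0-9A-Fa-f]+))?$"
)


def parse_event(line):
    """Parse one constructed log line into a dict, or None if it is not an event."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ"),
        "event_id": int(m.group("event_id")),
        "logon_type": int(m.group("logon_type")),
        "user": m.group("user"),
        "ip": m.group("ip"),
        "status": m.group("status"),   # None on 4624 lines
    }


def detect_rdp_bruteforce(lines, threshold=5, window_seconds=60):
    """Flag any source IP with >= threshold failed RDP logons inside a sliding
    window of window_seconds, and record whether a successful RDP logon from
    that IP followed. Non-RDP logon types and unparseable lines are ignored.
    Returns {ip: {"failures", "users", "first_seen", "success_after"}}."""
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "first_seen": None,
                                 "success_after": None, "flagged": False})
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["logon_type"] != RDP_LOGON_TYPE:
            continue
        ip, s = ev["ip"], stats[ev["ip"]]
        if ev["event_id"] == FAILED_LOGON:
            s["failures"] += 1
            s["users"].add(ev["user"])
            if s["first_seen"] is None:
                s["first_seen"] = ev["ts"]
            q = recent[ip]
            q.append(ev["ts"])
            while (ev["ts"] - q[0]).total_seconds() > window_seconds:
                q.popleft()            # age out failures older than the window
            if len(q) >= threshold:
                s["flagged"] = True
        elif ev["event_id"] == SUCCESSFUL_LOGON and s["flagged"]:
            s["success_after"] = ev["user"]   # guessing that ended in a logon
    return {ip: s for ip, s in stats.items() if s["flagged"]}


if __name__ == "__main__":
    for ip, r in detect_rdp_bruteforce(SAMPLE_LOG.splitlines()).items():
        verdict = "COMPROMISE LIKELY" if r["success_after"] else "brute force in progress"
        print(f"{ip}: {r['failures']} RDP failures since {r['first_seen']:%H:%M:%S}, "
              f"users={sorted(r['users'])}, {verdict}")
```

Run as-is, the block reports only 203.0.113.7 (six failures across three usernames, then a successful logon as Administrator); the single mistyped password from 198.51.100.20 and the LogonType 3 failure from 192.0.2.9 are not flagged. The threshold and window are the knobs to tune against a real environment's baseline, and the success-after-failures case is the one worth paging on, since at that point the operator is on the box and encryption typically follows.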
When it comes to ransomware families that use RDP, Crysis is the most prevalent. At the moment, the variant being distributed appends the “.wallet” extension to encrypted files, but around half a dozen other variants have been observed to date.
Other well-known pieces of ransomware that users should be aware of include Locky, Cerber, CryptoMix, and Samas, which emerged over a year ago and continue to wreak havoc. Newer malware families are also worth taking into consideration, such as Spora, which was first detailed only this year.
Source: SANS ISC SecNewsFeed @ March 6, 2017 at 08:08AM