Ransomware-spreading hackers sneak in through RDP

Thanks to Sophos security experts Peter Mackenzie and Paul Ducklin
for their behind-the-scenes work on this article.

If there’s an unexploited niche caused by insecure software or behaviour then sooner or later a crook is going to wiggle into it and attempt to use it as a way to make money from someone else’s misery.

Sophos has recently uncovered a new ecological niche in the great internet hack-o-sphere that’s equal parts low-cunning and directness: crooks who are breaking into computers one at a time and running ransomware on them manually – clickety click – in the same way that you might run Word, Notepad or Solitaire.

Let me do that!

We normally think of ransomware as something that’s catapulted into victims’ computers using some form of mass distribution.

For example, the criminals behind WannaCry and NotPetya used a stolen NSA exploit to create worms that copied themselves from one computer to another, encrypting files, demanding ransoms and creating mayhem as they zig-zagged through and between networks.

More common still is phishing. Why bother with worms and exploits when you can simply sign up for crimeware online and click a button to crank out booby-trapped email attachments?

Phishing is a numbers game: most of your emails won’t get through, many of those that do will go unread, and even those that get opened may find themselves hitting a brick wall – a patched system, for example, or a user who realises that something phishy is going on and stops just short of getting infected.

The phishing crooks only make money if they can repeatedly find new ways to persuade users to open emails and do things their IT team have warned them about, such as saving attachments to disk and then launching them, or opening Office documents and deliberately enabling macros.

For this reason, some cybercriminals have decided that if you want something doing properly, you have to do it yourself.

The attack

Many companies, notably small businesses, outsource their IT to, or pay for lots of help from, outside contractors.

These contractors might live in another part of town, or elsewhere in the country, or even on the other side of the world.

To let remote sysadmins look after your Windows networks, the most widely-used tool is Microsoft’s own Remote Desktop Protocol, or RDP for short.

RDP, for those who haven’t used it, effectively turns your IT guy’s laptop into a remote screen, keyboard and mouse connected over the internet to your local computer.

When they move their mouse in the RDP client software far away, they’re controlling your computer; when a software dialog pops up, they see it on their remote computer.

RDP is like being right there, and allows remote use even of fully-graphical applications that can’t be scripted or operated via a command prompt.

In other words, the RDP password you’ve chosen for your remote sysadmin (or that you’ve let them choose for themselves) is essentially the key to your office – a weak password is like a server room door that’s propped open, inviting any passing snooper to take a look inside.

So, if the crooks notice that you’ve got RDP open to the internet, for example by using a network search engine such as Shodan, you can be sure they’ll take a poke around.

Sophos security experts who’ve investigated a spate of recent RDP attacks have frequently found evidence that a tool called NLBrute was used to try a whole range of RDP passwords – a so-called brute force attack – in the hope of sneaking in.

Once they’ve got your RDP password – whether they use NLBrute, or simply look you up on Facebook to find your birthday and your pet’s name – they’ll logon and immediately create various brand new administrative accounts.

That way, even if you get rid of the crooks and change your own admin password, they’ve already got backup accounts they can use to sneak back in later.

What next?

Once they’re in, here’s what you can expect to happen next, based on what we’ve seen in a number of attacks we’ve investigated:

  • The crooks download and install low-level system tweaking software, such as the popular Process Hacker tool.

Tools of this sort are regularly used by legitimate sysadmins for troubleshooting and emergency recovery, especially if they use kernel drivers to let you to pull off modifications that the operating system usually prevents. This includes: killing off processes that usually disallow shutdown, deleting locked files, and changing configuration settings that are usually locked down.

  • The crooks turn off or reconfigure anti-malware software, using the newly-installed tweaking tools.

The crooks go after the passwords of administrator accounts so that they’ll enjoy all the power of a legitimate sysadmin. If they can’t get an admin password, they may try logging in as a regular user and running hacking tools that try to exploit unpatched vulnerabilities to get what’s called EoP, or elevation of privilege.

EoP means that already logged-on users can sneakily promote themselves to more powerful accounts to boost their powers. We’ve seen EoP tools left behind on attacked systems that tried to abuse vulnerabilities dubbed CVE-2017-0213 and CVE-2016-0099, patched by Microsoft back in May 2017 and March 2016 respectively.

  • The crooks turn off database services (e.g. SQL) so that vital database files can be attacked by malware.

Files such as SQL databases are usually locked while the database server software is active, as a precaution against corruption that could be caused by concurrent access by another program. The side-effect of this is that malware can’t get direct access to database files either, and therefore can’t scramble them to hold them to ransom.

  • The crooks turn off Volume Shadow Copy (the Windows live backup service) and delete any existing backup files.

Shadow copies act as real-time, online backups that can make recovery from ransomware a quick and easy process. That’s why crooks often go looking for shadow copies first to remove them.

You can guess what happens next.

  • The crooks upload and run ransomware of their choice.

Because they’ve used their sysadmin powers to rig the system to be as insecure as they can, they can often use older versions of ransomware, perhaps even variants that other crooks have given up on and that are now floating around the internet “for free”.

The crooks don’t have to worry about using the latest and greatest malware, or setting up a command-and-control server, or running a hit-and-hope spam campaign.

In one attack, we saw a folder on the desktop containing four different types of ransomware. The crooks ran each in turn, until one of them worked.

How much is the ransom?

Many ransomware attacks are distributed indiscriminately, and therefore rely on a “pay page” – a Dark Web server set up specially to tell victims how much to pay, and how to pay it.

But these RDP crooks are already personally involved to the extent of logging into your network themselves, so there’s often what you might call a “personal touch”.

Rather than automatically squeezing you via a website, you’ll probably see a pop-up something like this, telling you to make contact via email to “negotiate” the release of your data:

At the time of writing the Bitcoin address used by that attacker contained BTC 9.62, currently worth just over $60,000.

Only one of the transactions matched the 1BTC amount demanded in the ransom, which might indicate that the account is being used for other activities at the same time, or that some victims managed to negotiate a lower price.

The victims

The victims of this kind of attack are almost always small-to-medium companies: the largest business in our investigation had 120 staff, but most had 30 or fewer.

With small scale comes a dependence on external IT suppliers or “jack-of-all-trades” IT generalists trying to manage cybersecurity along with many other responsibilities.

In one case a victim was attacked repeatedly, because of a weak password used by a third-party application that demanded 24-hour administrator access for its support staff.

What to do?

  • If you don’t need RDP, make sure it’s turned off. Remember to check every computer on the network: RDP can be used to connect to servers, desktops and laptops.
  • Consider using a Virtual Private Network (VPN) for connections from outside your network. A VPN such as the one in Sophos XG Firewall and Sophos UTM requires outsiders to authenticate with the firewall first, and to connect from there to internal services. This means software such as RDP never needs to be exposed directly to the internet.
  • Use two-factor authentication (2FA) wherever you can. Sophos XG Firewall and Sophos UTM support 2FA, so that you need a one-time logon code every time. If crooks steal or guess your password, it’s no use on its own.
  • Patch early, patch often. This prevents crooks exploiting vulnerabilities against your network as quickly as possible, thus reducing your exposure to danger.
  • After an attack, check to see what the crooks have changed. Don’t just remove the malware or apply the missed patches and be done with it. Especially check for added applications, altered security settings, and newly-created user accounts.
  • Set a lockout policy to limit password guessing attacks. With three guesses at a time followed by a five-minute lockout, a crook can only try out 12 × 3 = 36 passwords an hour, which makes a brute force attack impractical.

If you’re using a third-party IT company and they haven’t already suggested the precautions we’ve listed above, why not ask them why, and ask yourself if they’re the right people to be looking after your network?

Be careful out there – don’t let the Remote Desktop Protocol for your IT team turn into a Ransomware Deployment Process for criminals.