Exposed Remote Desktop Protocol Actively Targeted by Threat Actors to Deploy Ransomware

Originally published by Cyble on December 2, 2022.

Cyble Global Sensors Intelligence and Darkweb findings show TAs actively targeting RDP

Cyble Research and Intelligence Labs (CRIL) discovered multiple ransomware groups targeting open Remote Desktop Protocol (RDP) ports. RDP allows users to access and control remote computers over a network connection. It is commonly used by businesses to enable remote access to corporate networks.

However, if an RDP port is left exposed on the internet, it could lead to a major security incident. Threat actors can easily scan the internet for systems with exposed RDP ports and then attempt to gain access using stolen credentials or vulnerabilities. Once access is gained, Threat Actors (TAs) can access the system, steal sensitive data, and potentially spread malicious programs such as ransomware to other network systems. Leaving the Remote Desktop Protocol (RDP) port exposed over the internet is a common security mistake that organizations make.

There have been several incidents in the past where prominent ransomware groups were witnessed targeting RDP. The Cybersecurity and Infrastructure Security Agency (CISA) recently pointed out that ransomware groups such as Daixin Team and MedusaLocker actors gained access to victim devices through vulnerable RDP configurations.

Findings

Online Scanners

Cyble Research & Intelligence Labs recently noticed that exposed Remote Desktop services are still prime targets for Threat Actors (TA) to launch ransomware attacks. One of the online scanners shows there are over 18 instances that point toward a ransomware incident. These instances have a common RDP port. A geographical representation of the same is given in the figure below.

Figure 1 – Compromised exposed Remote Desktop

Figure 1 shows that most instances are from the United States (US) and Russia (RU) regions. Cyble Researchers investigated further and identified five ransomware families currently targeting open RDP ports. The ransomware families found are explained in the below section.

Redeemer

Redeemer ransomware is a C/C++-based binary that targets windows operation systems. It first appeared in 2021, and in July 2022, the author of Redeemer ransomware released their new version – Redeemer 2.0 – with updated features. The ransomware developer released the builder on a cybercrime forum and specified that the ransomware was free. However, the TA using the Redeemer ransomware is required to share 20% of the victim’s total ransom amount (collected in Monero). This ransomware, on execution, encrypts the victim’s system and drops a ransom note named “Read Me.TXT”. The figure below shows the ransom note left by Redeemer ransomware.

Figure 2 – Redeemer Ransomware

NYX

NYX ransomware surfaced in 2022. It’s developed in C/C++. This ransomware is possibly based on Conti ransomware. We suspect that TA might have modified the leaked source code of Conti ransomware. It drops the ransom note as a .text and .hta file named “000_NYX_READ_ME”. The group also claims to exfiltrate the victim’s data before encryption and might use the Double Extortion technique. We have not observed any leak site associated with this group till now. The figure below shows the ransom note of NYX ransomware.

Figure 3 – NYX ransomware

Vohuk and Amelia

Vohuk and Amelia ransomware surfaced in the second half of November 2022. We spotted these two ransomware groups targeting open RDP ports. During our investigation using one of the online scanners, we observed that the ransom notes of these two ransomware groups were similar, which researchers also observed in the past.

This indicates that these two ransomware groups might have originated from the same source. After encrypting files, Vohuk ransomware changes the name of a file with a random string and appends them with a “.Vohuk” extension. It also changes the icon of files and system wallpaper. The figure below shows the ransom notes of Amelia and Vohuk ransomware.

Figure 4 – Amelia and Vohuk’s ransom note

BlackHunt

BlackHunt is a new ransomware that was spotted targeting open RDP ports recently. A ransom note named “ReadMe” gives instructions for decrypting the files. The figure below shows the ransom note left by BlackHunt ransomware.

Figure 5 – BlackHunt ransom note

Threat Actors are constantly scanning for vulnerable, exposed assets that can be compromised and used to deploy further exploits. Cyble Global Sensor Intelligence (CGSI) provides unique insights into cyber attacks being launched from various geographies worldwide. One of the observations from CGSI was that scanning and exploitation attempts of Remote Desktop services are quite high. The figure below depicts exploitation attempts of the Remote Desktop Protocol for the last three months.

Figure 6 – Exploitation attempts on RDP

Over 4,783,842 exploitation attempts were made in 3 months, with a peak in exploitation attempts being observed in September end and mid-November, as shown in the figure above. The majority of attacks originated from the United States, South Korea, Netherlands, India, and Vietnam, as shown in the figure below.

Figure 7 – Attacks observed from different regions

CGSI observed that BlueKeep (CVE-2019-0708) was most prevalent in exploitation attempts. One reason for this could be that most exposed RDP ports over the internet still contain the BlueKeep vulnerability. Over 50,000 instances are still exposed over the internet, affected by the BlueKeep vulnerability.

The figure below shows geographical distribution assets vulnerable to CVE-2019-0708. Among CVEs that can be exploited are Weak Credentials, which can be easily bypassed by password spraying.

Figure 8- Geographical representation of assets vulnerable with Bluekeep

Cybercrime and Darkweb Forums

Cyble dark web intelligence indicates that there are 154 posts by various threat actors on darkweb and cybercrime forums, selling over 10k RDP accesses from multiple critical infrastructure sectors like government, LEA, BFSI, Manufacturing, Telecommunications, etc. The below graph shows the timeline of the sale of access.

Figure 9- Timeline of posts selling RDP over Darkweb

Gaining access through RDP access via the dark web makes it more convenient for TAs to target organizations with ransomware attacks. Darkweb monitoring pointed out that some victim organizations’ revenues range in Billions of dollars. The screenshot below depicts one such incident where a TA was selling RDP access to an organization in a critical sector.

Figure 10 – TA selling access to an organization over a Russian cybercrime forum

Conclusion

Ransomware attacks have been especially damaging to supply chains, as companies cannot access their data, leading to delays in production and distribution. This results in distress among public and state entities that rely on the availability of critical infrastructure services. Additionally, the attacks have caused significant financial losses, as organizations must pay a ransom to regain access to their sensitive data. Furthermore, organizations may suffer reputational damage from these attacks, as customers and clients may perceive that the organization is vulnerable to cyber-attacks.

Organizations dealing in critical infrastructure sectors must take proactive steps to protect themselves from ransomware attacks. This includes educating employees on the dangers of phishing emails, ensuring that software is updated regularly, and implementing effective security protocols. Additionally, organizations should consider investing in security solutions.

RDP ports have played a key role in previous cyber incidents, and as per our observations, these ports are being used by TAs to launch ransomware attacks. Intelligence gained from Cyble Global Sensor Intelligence (CGSI), there was a surge in the number of exploitation attempts in the past 90 days.

Cyble Darkweb Intelligence has also noticed high numbers of RDP access sold over the dark web, indicating that TAs will actively utilize stolen access to launch ransomware attacks in the near future.

Recommendations

1. Patch outdated devices, applications, software, etc., with the latest patch released by the official vendor timely.
2. Implement proper network segmentation within the organization’s network to avoid exposure of critical assets over the internet and lateral movement.
3. Increase the visibility of assets by utilizing software bills of materials.
4. Keep the firewall updated and well-configured.
5. Close open ports which an administrator is not managing.
6. Regular audits and VAPT exercises decrease the probability of cyber incidents.
7. Keep proper logging and monitoring of assets within the organization’s network to detect early anomalies.
8. Ensure proper access controls are implemented within the organization.
9. Employee cyber security awareness programs are a must within the organization to keep employees updated with the latest threats in cyberspace.
10. Follow a strong password policy within the organization.

Indicators of Compromise