
Hackers use Windows remote desktop tool to gain entry


Malicious attackers are using the Windows Remote Desktop Protocol (RDP) to log in to PCs and run ransomware on them themselves, rather than infecting devices remotely, it has been claimed.

The security firm Sophos said many smaller companies, which did not have dedicated IT departments, had their Windows computers looked after by third parties who used the RDP feature to access their clients' machines.

These attackers used search engines like Shodan to find PCs that had RDP turned on, and then employed brute force tools to find out the passwords on these systems.

Once they gained access, they made sure that they would be able to return by setting up a number of accounts with administrator privileges. Hence even if the user noticed their entry and changed the admin password, the attackers still had a route in.
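The sequence described above (a burst of failed RDP logons, a success, then new administrator accounts) can be looked for in Windows Security log data. The following is an added detection sketch, not code from Sophos or the article; the event records are constructed samples, and the field names (`src`, `user`, `actor`, `target`, `group`), thresholds and function name are assumptions about how the log has been exported.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not from the article), shaped like exported
# Windows Security log records: 4625 failed logon, 4624 successful logon,
# 4720 account created, 4732 member added to a local group.
EVENTS = [
    *({"time": f"2017-11-20T02:00:{s:02d}", "id": 4625, "logon_type": 10,
       "src": "203.0.113.7", "user": "admin"} for s in range(0, 40, 2)),
    {"time": "2017-11-20T02:00:41", "id": 4624, "logon_type": 10,
     "src": "203.0.113.7", "user": "admin"},
    {"time": "2017-11-20T02:03:10", "id": 4720, "actor": "admin", "target": "svc_backup"},
    {"time": "2017-11-20T02:03:12", "id": 4732, "actor": "admin",
     "target": "svc_backup", "group": "Administrators"},
    # A user who mistyped a password once: must not be flagged.
    {"time": "2017-11-20T09:15:00", "id": 4625, "logon_type": 10,
     "src": "198.51.100.4", "user": "alice"},
    {"time": "2017-11-20T09:15:20", "id": 4624, "logon_type": 10,
     "src": "198.51.100.4", "user": "alice"},
]

def find_rdp_intrusions(events, fail_threshold=10, window=timedelta(minutes=10),
                        followup=timedelta(hours=1)):
    """Flag RDP logons that succeed after a burst of failures from the same
    source, and collect accounts that user then created or made administrator."""
    failures = defaultdict(list)  # source IP -> times of failed RDP logons
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        if ev["id"] in (4624, 4625) and ev.get("logon_type") != 10:
            continue  # keep only RemoteInteractive (RDP) logons
        if ev["id"] == 4625:
            failures[ev["src"]].append(ts)
        elif ev["id"] == 4624:
            recent = [t for t in failures[ev["src"]] if ts - t <= window]
            if len(recent) >= fail_threshold:
                findings.append({"src": ev["src"], "user": ev["user"], "logon": ts,
                                 "failed_attempts": len(recent),
                                 "new_accounts": set(), "new_admins": set()})
        elif ev["id"] in (4720, 4732):
            for f in findings:
                if ev["actor"] == f["user"] and ts - f["logon"] <= followup:
                    if ev["id"] == 4720:
                        f["new_accounts"].add(ev["target"])
                    elif ev.get("group") == "Administrators":
                        f["new_admins"].add(ev["target"])
    return findings
```

Depending on configuration, failed RDP logons may be recorded with a logon type other than 10, so the filter should be matched to what the hosts actually log.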

After gaining entry to a system, such attackers tended to download and install low-level tweaking software such as the Process Hacker tool.

They also made changes to any anti-malware software, so that they were free to run any malware of their choosing when they chose to do so.

Database services were often turned off so that malware could attack vital database files, and Volume Shadow Copy, the Windows live back-ups service, was switched off and any existing back-ups deleted.

Then the attackers could run ransomware of their choice, with older versions being used as the system was now in a highly insecure state.

Sophos cited the case of one attacker whose Bitcoin address contained 9.62 Bitcoin, with one Bitcoin being from this kind of extortion.

