CrySiS Ransomware Targets Open RDP Servers

The FBI released an alert this week about malware called CrySiS that attacks public facing servers that have RDP enabled.

RDP or Remote Desktop Protocol is an old Microsoft protocol that was designed to allow IT people to remotely control a Windows machine (server or desktop) to perform maintenance.  The protocol is old – it was first released with Windows NT in 1996  – and has been upgraded many times.  There are also many non-Microsoft versions of the client such as a Unix and a Mac version.

However, RDP was designed in pre-Internet days and while Microsoft continues to button up the security of RDP, hackers continue to attack it.

The CrySiS ransomware finds servers facing the Internet which have RDP enabled and attacks them.  Businesses that have been infected with CrySiS include small businesses, churches, medical facilities, law firms and local governments.

Assuming that the attackers are successful, CrySiS operates like many ransomware attacks – they encrypt your files and demand money, in cryptocurrency, to get your files decrypted.

They breach RDP using dictionary attacks, brute force or stolen credentials obtained in other ways.

Our recommendation is that businesses NEVER expose the RDP protocol to the public Internet.  If you need to remotely manage a server where the only access is via the Internet, we recommend that you connect to that remote network via a VPN.  This will put you on a private network that is not visible to the Internet.  From this private network it is safe to RDP into the server to remotely manage it.

Information for this post came from a private FBI alert.  This alert can be provided to clients on request.

by