I'm creating this topic to help out those who are affected by specific variants of ransomware (.wallet, .xtbl, .crysis, .dharma, .access_denied, .LeChiffre, and sometimes Cerber).
All of the variants included in this topic's title are distributed via compromised RDP 100% of the time, except Cerber, which also uses spam email attachments. Chances are, if Cerber landed on a server that no user logs into (so nobody is opening email on it), it got there through an RDP compromise.
These variants primarily hit servers; most of those infected are clients of managed service providers, or simply people who run their own server.
What does compromised RDP mean?
Compromised RDP means your system (likely a server) had Remote Desktop (TCP port 3389) exposed to the internet, an attacker brute forced a weak username and password combination, and they gained access.
How did the attackers do this?
These individuals scan for IP addresses with port 3389 open and try weak usernames and passwords against them until one lets them log in. Once they find a working combination, they remote into the system, download the ransomware, and run it. Because they now have the same interactive access as a legitimate administrator, they usually disable the antivirus software first and can bypass essentially any endpoint protection.
A common tool used to do this is called DuBrute.
What can you do now?
Finding the compromised user is the most difficult part after being hit with one of these ransomware variants. There may also be more accounts on the system than there should be: the same individuals often create their own accounts to keep access even after the initially compromised account's password is changed.
Follow these steps to secure the system:
1) Scan with more than one top-rated antivirus product - it doesn't hurt to get a second or even a third opinion.
2) Review recently installed programs and remove any which do not belong, especially programs that allow remote access like LogMeIn, TeamViewer, etc. These can be installed by the attackers to maintain access.
3) Change all users' passwords (every account, not just the one you think was used, since you may not have identified the right one) and remove any accounts which do not belong.
4) Restore files from backup.
If you do not have a backup, you can try the available decryption tools (none exist for Cerber), but the chances that they will work are low.
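The hard part of the steps above is working out which account the attackers used, which accounts they added, and what they installed. The script below is an added example (not part of the original post) that pulls that evidence from the Security event log and the registry on the infected server. It assumes an elevated PowerShell 3 or later prompt, that the Security log still covers the period of the attack, and that the default server audit policy (logon events recorded) was in effect; the time window, the output layout and the list of remote-access tool names it matches are my own choices.

```powershell
# Added triage example (not from the original post). Run in an elevated
# PowerShell (3.0+) on the infected server. Assumptions: Security log retention
# still covers the attack, and logon auditing was on (server default).
param(
    [int]$DaysBack = 14   # how far back to look; adjust to the infection date
)

$since = (Get-Date).AddDays(-$DaysBack)

# Pull the named EventData fields (TargetUserName, IpAddress, ...) out of an event.
function Get-EventFields {
    param($Event)
    $xml = [xml]$Event.ToXml()
    $fields = @{}
    foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    return $fields
}

# 1) Successful logons (4624). LogonType 10 = RemoteInteractive (RDP session);
#    type 3 also shows up when Network Level Authentication runs before the session.
#    Accounts ending in '$' are computer accounts and are skipped.
Write-Host "== Successful logons since $since (LogonType 10 = RDP) =="
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624; StartTime=$since} -ErrorAction SilentlyContinue |
    ForEach-Object {
        $f = Get-EventFields $_
        if ((@('10','3') -contains $f.LogonType) -and ($f.TargetUserName -notmatch '\$$')) {
            [pscustomobject]@{ Time=$_.TimeCreated; User=$f.TargetUserName; LogonType=$f.LogonType; Source=$f.IpAddress }
        }
    } | Sort-Object Time | Format-Table -AutoSize

# 2) Failed logons (4625) grouped by source IP. A brute-force run (DuBrute and the
#    like) appears as one address with hundreds or thousands of failures.
Write-Host "== Failed logons by source IP =="
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625; StartTime=$since} -ErrorAction SilentlyContinue |
    ForEach-Object { (Get-EventFields $_).IpAddress } |
    Group-Object | Sort-Object Count -Descending |
    Select-Object -First 20 -Property Count, Name | Format-Table -AutoSize

# 3) Accounts created (4720) and members added to local groups (4732) in the window:
#    this is how a second account gets added to survive a password change.
Write-Host "== Account creations / local group additions =="
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4720,4732; StartTime=$since} -ErrorAction SilentlyContinue |
    ForEach-Object {
        $f = Get-EventFields $_
        [pscustomobject]@{ Time=$_.TimeCreated; Id=$_.Id; Target=$f.TargetUserName; Member=$f.MemberSid; By=$f.SubjectUserName }
    } | Format-Table -AutoSize

# 4) Current local accounts and the two groups that matter for RDP, to compare
#    against the list of accounts that should exist.
Write-Host "== Local accounts =="
Get-CimInstance Win32_UserAccount -Filter 'LocalAccount=True' |
    Select-Object Name, Disabled, PasswordRequired | Format-Table -AutoSize
net localgroup Administrators
net localgroup "Remote Desktop Users"

# 5) Installed programs, newest first, plus a separate hit list for remote-access
#    tools (pattern is a constructed starting point; extend it for your environment).
$uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$programs = Get-ItemProperty $uninstall -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName }
Write-Host "== Most recently installed programs =="
$programs | Select-Object DisplayName, InstallDate, Publisher |
    Sort-Object InstallDate -Descending | Select-Object -First 25 | Format-Table -AutoSize
Write-Host "== Remote-access tools present =="
$programs | Where-Object { $_.DisplayName -match 'LogMeIn|TeamViewer|VNC' } |
    Select-Object DisplayName, InstallDate | Format-Table -AutoSize
```

Read the three event sections together: the source IP with the most 4625 failures, followed by a 4624 type 10 logon for some account from that same IP, is almost always the break-in, and any 4720/4732 events shortly after it are the attackers' backup accounts. Anything the 4624 list shows logging in from that IP needs its password changed, whether or not it looks like the obvious culprit.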
What can you do to protect yourself in the future?
- Use Reputable, Proven, Multi-Vector Endpoint Security
- Back-up your data
and... Secure RDP
Fix weak usernames and passwords on accounts that have Remote Desktop access.
Increase password complexity requirements for users who use RDP. These ransomware variants are deployed via compromised RDP credentials precisely because the credentials are weak and easily guessed by a brute force attack. We also advise changing the default Remote Desktop port from 3389 to a different port. Note that this only hides you from scanners that look for 3389 specifically; a scanner that sweeps every port still finds the listener, so the port change is a noise-reduction step and not a substitute for the firewall restriction below.
Reducing exposure to scans for the default port:
- Change default RDP port from 3389 to another unused port
To change the default port, execute the following in an elevated command prompt:

REG ADD "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /t REG_DWORD /v PortNumber /d 3390 /f

The above command changes the RDP port to 3390. The change only takes effect after Remote Desktop Services is restarted (or the server is rebooted), the new port must be allowed through the Windows Firewall, and clients then connect to host:3390 instead of the bare hostname.
- Block RDP (port 3389) at the firewall entirely if the server does not need it
- Restrict RDP to a whitelisted IP range (e.g. the MSP's or the office's addresses) rather than the whole internet
Preventing attackers from gaining access if RDP is enabled:
- Create a GPO to enforce strong password policy: https://technet.microsoft.com/en-us/library/cc786468(v=ws.10).aspx
- Require two-factor authentication for RDP logons
- Use protection software that detects RDP brute-force attempts and blocks the source after repeated failures
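The following script is an added example (not from the original post) that applies the RDP hardening listed above on a standalone server in one go: it does the same registry change as the REG ADD command, and goes further by requiring Network Level Authentication, replacing the built-in 3389 firewall rules with an allow-listed rule for the new port, and setting a local account lockout policy so a brute-force run locks itself out. It assumes Windows Server 2012 R2 or later (for the NetSecurity cmdlets), an elevated PowerShell prompt, and that 203.0.113.0/24 stands in for your management range; the port number and the policy values are my own choices. On a domain member, set the password and lockout policy through the GPO linked above instead of the net accounts line.

```powershell
# Added hardening example (not from the original post). Elevated PowerShell on
# Windows Server 2012 R2+. Assumptions: 203.0.113.0/24 is the only range that
# should reach RDP (replace it), and port 3390 is unused on this host.
# Run this from the console or an out-of-band session: restarting TermService
# at the end drops any RDP session you are running it from.
$NewPort    = 3390
$AllowedIPs = @('203.0.113.0/24')
$rdpKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# 1) Move RDP off 3389 (same registry value the REG ADD command sets).
#    The listener only picks this up after TermService restarts.
Set-ItemProperty -Path $rdpKey -Name PortNumber -Value $NewPort -Type DWord

# 2) Require Network Level Authentication: the attacker has to authenticate
#    before a session (and a logon screen) is created at all.
Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1 -Type DWord

# 3) Firewall: disable the built-in 3389 rules and allow the new port only from
#    the allow-list. With no remaining rule for 3389 the old port is closed.
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
New-NetFirewallRule -DisplayName "RDP $NewPort (allow-list only)" -Direction Inbound `
    -Protocol TCP -LocalPort $NewPort -RemoteAddress $AllowedIPs `
    -Action Allow -Profile Any | Out-Null

# 4) Local password and lockout policy: 14-character minimum, and five failures
#    within 30 minutes locks the account for 30 minutes, which turns a
#    DuBrute-style run into a trickle. Domain members: use the GPO instead.
net accounts /minpwlen:14 /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30

# 5) Apply the port change. -Force also restarts the dependent UmRdpService.
Restart-Service -Name TermService -Force
Start-Sleep -Seconds 5

# 6) Verify: the new port is listening and 3389 is not.
$listening = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty LocalPort
if ($listening -contains $NewPort -and $listening -notcontains 3389) {
    Write-Host "OK: RDP listens on TCP $NewPort only. Connect with mstsc /v:<host>:$NewPort"
} else {
    Write-Warning "Listener check failed; ports listening: $($listening -join ', ')"
}
```

The allow-list rule is the part that actually stops the attack described in this topic; the port change and NLA reduce the noise and the attack surface, and the lockout policy makes whatever does get through to a logon prompt too slow to guess passwords. Test the new rule from an address inside the range before closing your console session, and remember that the DuBrute-style scanner will still see the port from an allowed address, so the weak passwords still have to go.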
Edited by JesseBropez, 28 January 2017 - 12:50 PM.