Is this still an issue?
Basically, you got brute forced.
Everyone is correct: you don't want RDP exposed to the internet, specifically ports 3389 and 3390. We saw this issue at my work (we are a Managed Service Provider). We had this issue this past winter, which subsided in about February, with over 100 customers affected.
Basically, they had port 3389 wide open to the internet and the attackers used their external IP plus port 3389 to gain access. We sent a massive email about this and closed all RDP ports if they gave us permission. Then we had to modify their Password Policy in Group Policy Management.
As suggested already, you want to shut down port 3389 completely. Users will not be able to access the computer/server remotely, but you can do port translation, such as making the port high like 9989 or 10090 or something, which limits their scans because when they scan they typically go from port 3389-3395. The best solution is to get a VPN. This will remove any chance of another attack from happening.
As for those accounts, the attackers will use any account name. We've seen: fbadmin, zz, funny, Jane, welcome.pin, Intel and a whole bunch more (the list was about 20 different names). From what we've seen, they didn't encrypt files like the rampant ransomware attacks. They just made fake Facebook accounts, fake Gmail accounts etc., basically to scam others out of money, and used our customers' servers and/or PCs to commit the crime.
1. Block RDP on port 3389
2. Get a VPN, if not possible then do port translation
3. Have all users change passwords to 12 characters or more
4. Disable all fake accounts in Active Directory or Local Users and change the password on all fake accounts. Check the box that the user cannot change the password. (Don't delete the account; odd as it sounds, if they gain access again they'll recreate it.)
5. In the C:\Users folder, delete the fake account's folder
6. Check the Windows Registry. They like to attach their backdoor to sethc.exe (Sticky Keys) at HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe. We've seen entries with Russian and Chinese characters. Delete any odd keys; again, ours had Russian text.
If it's confirmed it's there, search for the file. It will be hidden, in a WinRAR package that is most likely encrypted. Just delete that file and empty the trash.
7. Scan ALL affected computers for infections
This should help limit issues.
Edited by TechUser01, 21 May 2017 - 05:08 PM.
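The checks in steps 4 to 6 above, as an added read-only triage script (example code, not from the post above or its author): it looks for an IFEO Debugger value on sethc.exe (generalised to the other accessibility binaries that can be hijacked the same way), reports the RDP listening port and NLA setting, flags enabled local accounts using the throwaway names the post lists, and lists profile folders under C:\Users with no matching local account. It assumes an elevated PowerShell 5.1+ session on the affected host; the account-name list is taken from the post and the extra binaries are an assumption.

```powershell
# Added example: read-only triage for the indicators described in the post.
# Run in an elevated PowerShell on the affected machine; it changes nothing.

# 1. Sticky Keys backdoor: an IFEO "Debugger" value for sethc.exe makes Windows
#    launch that program instead of sethc.exe at the logon screen.
#    The post only names sethc.exe; the other accessibility binaries are an assumption.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
foreach ($exe in 'sethc.exe', 'utilman.exe', 'osk.exe', 'narrator.exe', 'magnify.exe') {
    $key = Join-Path -Path $ifeo -ChildPath $exe
    if (Test-Path -Path $key) {
        $dbg = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).Debugger
        if ($dbg) { Write-Warning "IFEO hijack: $exe -> $dbg" }
        else      { Write-Output "Note: IFEO key exists for $exe but has no Debugger value" }
    }
}

# 2. RDP exposure: listening port, whether Network Level Authentication is on,
#    and whether remote connections are enabled at all.
$rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$p = Get-ItemProperty -Path $rdpTcp
Write-Output ("RDP port: {0}   NLA (UserAuthentication): {1}" -f $p.PortNumber, $p.UserAuthentication)
$deny = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server').fDenyTSConnections
Write-Output ("RDP connections enabled: {0}" -f ($deny -eq 0))

# 3. Local accounts: flag enabled accounts whose names match the throwaway names
#    the post lists (constructed from the post; extend with your own findings).
$suspect = 'fbadmin', 'zz', 'funny', 'jane', 'welcome.pin', 'intel'
$users = Get-LocalUser
foreach ($u in $users) {
    if ($u.Enabled -and ($suspect -contains $u.Name.ToLower())) {
        Write-Warning ("Suspicious enabled local account: {0} (last logon {1})" -f $u.Name, $u.LastLogon)
    }
}

# 4. Profile folders under C:\Users with no matching local account (step 5 of the post).
#    On a domain-joined host, domain users' profiles will also show up here; compare
#    those against Active Directory rather than treating every hit as malicious.
$known = @($users.Name) + @('Public', 'Default', 'Default User', 'All Users')
Get-ChildItem -Path 'C:\Users' -Directory |
    Where-Object { $known -notcontains $_.Name } |
    ForEach-Object { Write-Warning "Profile folder without a local account: $($_.FullName)" }
```

Anything the script flags is a lead to inspect by hand, not a verdict; the IFEO Debugger hit is the one indicator that is almost never legitimate on a workstation or server.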