Zscaler Blog

Get the latest Zscaler blog updates in your inbox

Subscribe
Security Research

Ransomware Delivered Using RDP Brute-Force Attack

MOHD SADIQUE, PRADEEP KULKARNI
January 08, 2021 - 5 min read

Zscaler ThreatLabZ recently published a report on the 2020 State of Public Cloud Security that showed security misconfiguration to be the leading cause of cyberattacks against public cloud infrastructure. In this blog, we will look at one of the commonly abused security misconfigurations—the RDP service port left open to the internet—and how cybercriminals abuse it. 

Brute-forcing RDP (Remote Desktop Protocol) is the most common method used by threat actors attempting to gain access to Windows systems and execute malware. The reason is simple: In our public cloud threat research, we have observed that 70 percent of systems keep RDP ports open in the public cloud. Threat actors scan for these publicly open RDP ports to conduct distributed brute-force attacks. Systems that use weak credentials are easy targets, and, once compromised, attackers sell access to the hacked systems on the dark web to other cybercriminals.

Ransomware groups such as SamSam and Dharma have been spreading almost exclusively via RDP for years. In this case study, we will look at Dharma ransomware attacks. Dharma, also known as Crysis, has been distributed under a ransomware-as-a-service (RaaS) model since 2016. Its source code was up for sale in March 2020, making it available to a wider spectrum.
 

Infection chain

Attackers use open-source port-scanning tools to scan for exposed RDP ports online and then try to gain access to a system using brute-force tools or stolen credentials purchased from the dark web. After attackers gain access to the target system, they go on to make the system vulnerable by deleting backups, disabling antivirus software, and changing configuration settings. Once the security is disabled and the network vulnerable, attackers deliver malware payloads. The process involves installing ransomware, using infected machines to distribute spam, deploying keyloggers, or installing backdoors to be used for future attacks.

The below figure shows the infection cycle of Dharma ransomware delivered via RDP brute-force attack.

Infection chain of RDP brute force attack delivers Dharma ransomware

Figure 1: Infection chain of RDP brute-force attack delivers Dharma ransomware

 

Once the attacker gains access to the machine, the following files are uploaded:

%temp%\ns.exe – Network enumeration/scanning tool

%programfiles%\process hacker\ – Process hacker tool

ns.exe is a network enumeration and scanning tool used by attackers to scan SMB shares, open ports, and services through which they can move within the network.

Process Hacker is a program used mostly by system administrators for monitoring, debugging, and troubleshooting, but in this case, it was used for malicious purposes such as disabling AV or services.

Following the pre-execution process, the attacker uploads a ransomware file and executes it.

 

Technical details

Once executed, this variant of Dharma ransomware uses the below commands to quietly delete all of the shadow volume copies on the machine.

mode con cp select=1251

vssadmin delete shadows /all /quiet

Exit

For persistence, the ransomware executes the following commands:

  1. Copy the file to %windir%system32 or %appdata% and set 'LOCAL_MACHINE/LOCAL_USER Software\Microsoft\Windows\CurrentVersion\Run'

  2. Copy file to 'Startup' folder

  3. Copy file to 'Common Startup’ folder

The ransomware encrypts files with the following extensions:

File extensions to encrypt

Figure 2: File extensions to encrypt

 

The ransomware encrypts files using an AES 256 algorithm. The AES key is also encrypted with an RSA 1024 algorithm. This encrypted AES key is stored at the end of the encrypted file along with the filename.

The name of the encrypted files have the following pattern:

[Filename].id-{8 bytes ID}.[recovery_email].zimba

Encrypted files

Figure 3: Encrypted files

After encrypting the files, the ransomware pops up two different ransom notes on the victim’s computer. One is the Info.hta file, which is launched via autorun when a user logs into the computer.

info.hta

Figure 4: info.hta

The other note is called FILES ENCRYPTED.txt and can be found on the desktop.

FILES ENCRYPTED.txt

Figure 5: FILES ENCRYPTED.txt

 

Lateral movement

Dharma ransomware uses typical methods for obtaining credentials and propagating laterally within a network. In most cases, it uses the Mimikatz tool, which allows it to dump the network share credentials, and in other cases, it uses NirSoft CredentialsFileView, which allows for the recovery of passwords stored in encrypted credential files. The obtained credentials are used to attempt lateral movement inside the on-prem as well as public cloud infrastructure.

In some cases, the ransomware tries to spread through the network by taking advantage of the compromised Domain Controller and deploying a Default Domain Policy that will run the ransomware payload on StartUp for each machine.
 

Conclusion

Since Dharma ransomware is usually installed by gaining access to Remote Desktop Services, it is important to ensure that those services are properly locked. This includes ensuring that computers running Remote Desktop Services do not connect directly to the internet. Instead, organizations should use a zero trust architecture to allow remote users to securely access these servers without exposing them to the entire internet. 

While applying security patches is always important, most RDP-based attacks rely on cracking weak credentials, so passwords should be long, unique, and random. It’s important for enterprises to establish password requirements and train employees to use strong passwords. 

Attackers typically identify potential targets by scanning the internet for systems listening on the default RDP port (TCP 3389). Changing the listening port via Windows Registry can help organizations hide vulnerable connections.

 

MITRE ATT&CK tactic and technique mapping

TacticTechnique
T1190Exploit Public-Facing Application
T1059Command Line Interface
T1061Graphical User Interface
T1547Boot or Logon Autostart Execution
T1037Startup Items
T1110Brute Force
T1003Credential Dumping
T1083File and Directory Discovery
T1135Network Share Discovery
T1018Remote System Discovery
T1063Security Software Discovery
T1076Remote Desktop Protocol
T1105Remote File Copy
T1486Data Encrypted for Impact

 

 

form submtited
Thank you for reading

Was this post useful?

Get the latest Zscaler blog updates in your inbox

By submitting the form, you are agreeing to our privacy policy.