Ransomware Delivered Using RDP Brute-Force Attack

Zscaler ThreatLabZ recently published a report on the 2020 State of Public Cloud Security that showed security misconfiguration to be the leading cause of cyberattacks against public cloud infrastructure. In this blog, we will look at one of the commonly abused security misconfigurations—the RDP service port left open to the internet—and how cybercriminals abuse it. 

Brute-forcing RDP (Remote Desktop Protocol) is the most common method used by threat actors attempting to gain access to Windows systems and execute malware. The reason is simple: In our public cloud threat research, we have observed that 70 percent of systems keep RDP ports open in the public cloud. Threat actors scan for these publicly open RDP ports to conduct distributed brute-force attacks. Systems that use weak credentials are easy targets, and, once compromised, attackers sell access to the hacked systems on the dark web to other cybercriminals.

Ransomware groups such as SamSam and Dharma have been spreading almost exclusively via RDP for years. In this case study, we will look at Dharma ransomware attacks. Dharma, also known as Crysis, has been distributed under a ransomware-as-a-service (RaaS) model since 2016. Its source code was up for sale in March 2020, making it available to a wider spectrum.
 

Infection chain

Attackers use open-source port-scanning tools to scan for exposed RDP ports online and then try to gain access to a system using brute-force tools or stolen credentials purchased from the dark web. After attackers gain access to the target system, they go on to make the system vulnerable by deleting backups, disabling antivirus software, and changing configuration settings. Once the security is disabled and the network vulnerable, attackers deliver malware payloads. The process involves installing ransomware, using infected machines to distribute spam, deploying keyloggers, or installing backdoors to be used for future attacks.

The below figure shows the infection cycle of Dharma ransomware delivered via RDP brute-force attack.

Figure 1: Infection chain of RDP brute-force attack delivers Dharma ransomware

Once the attacker gains access to the machine, the following files are uploaded:

%temp%\ns.exe – Network enumeration/scanning tool

%programfiles%\process hacker\ – Process hacker tool

ns.exe is a network enumeration and scanning tool used by attackers to scan SMB shares, open ports, and services through which they can move within the network.

Process Hacker is a program used mostly by system administrators for monitoring, debugging, and troubleshooting, but in this case, it was used for malicious purposes such as disabling AV or services.

Following the pre-execution process, the attacker uploads a ransomware file and executes it.

Technical details

Once executed, this variant of Dharma ransomware uses the below commands to quietly delete all of the shadow volume copies on the machine.

mode con cp select=1251

vssadmin delete shadows /all /quiet

Exit

For persistence, the ransomware executes the following commands:

1. Copy the file to %windir%system32 or %appdata% and set 'LOCAL_MACHINE/LOCAL_USER Software\Microsoft\Windows\CurrentVersion\Run'

2. Copy file to 'Startup' folder

3. Copy file to 'Common Startup’ folder

The ransomware encrypts files with the following extensions:

Figure 2: File extensions to encrypt

The ransomware encrypts files using an AES 256 algorithm. The AES key is also encrypted with an RSA 1024 algorithm. This encrypted AES key is stored at the end of the encrypted file along with the filename.

The name of the encrypted files have the following pattern:

[Filename].id-{8 bytes ID}.[recovery_email].zimba

Figure 3: Encrypted files

After encrypting the files, the ransomware pops up two different ransom notes on the victim’s computer. One is the Info.hta file, which is launched via autorun when a user logs into the computer.

Figure 4: info.hta

The other note is called FILES ENCRYPTED.txt and can be found on the desktop.

Figure 5: FILES ENCRYPTED.txt

Lateral movement

Dharma ransomware uses typical methods for obtaining credentials and propagating laterally within a network. In most cases, it uses the Mimikatz tool, which allows it to dump the network share credentials, and in other cases, it uses NirSoft CredentialsFileView, which allows for the recovery of passwords stored in encrypted credential files. The obtained credentials are used to attempt lateral movement inside the on-prem as well as public cloud infrastructure.

In some cases, the ransomware tries to spread through the network by taking advantage of the compromised Domain Controller and deploying a Default Domain Policy that will run the ransomware payload on StartUp for each machine.
 

Conclusion

Since Dharma ransomware is usually installed by gaining access to Remote Desktop Services, it is important to ensure that those services are properly locked. This includes ensuring that computers running Remote Desktop Services do not connect directly to the internet. Instead, organizations should use a zero trust architecture to allow remote users to securely access these servers without exposing them to the entire internet. 

While applying security patches is always important, most RDP-based attacks rely on cracking weak credentials, so passwords should be long, unique, and random. It’s important for enterprises to establish password requirements and train employees to use strong passwords. 

Attackers typically identify potential targets by scanning the internet for systems listening on the default RDP port (TCP 3389). Changing the listening port via Windows Registry can help organizations hide vulnerable connections.

MITRE ATT&CK tactic and technique mapping