According to an article over at SC Magazine, hackers are using brute force to crack their way into Remote Desktop / Terminal Servers and installing a CryptoLocker type malware that is encrypting the files on the server.
The blog was alerted to the malware by users on its support forum. The ransomware appears to be installed directly by the attacker who brute forces weak passwords on computers running Remote Desktop or Terminal Services.
This makes perfect sense. Why bother with trying to trick employees into clicking on a fake link to install malware when you can go directly after a server.
- If you don’t need RDS then disable it on all servers
- Don’t have RDS exposed directly to the Internet. Require VPN access to get to any internal servers
- Implement account lockout on all user accounts
- Use 2 Factor Authentication to log into servers via RDS or Citrix