Guest Post – Remote Desktop Protocol Users Have Highest Incidence of Ransomware Attacks

As more schools and businesses find themselves going online, Remote Desktop Protocol (RDP) users are more vulnerable than ever to a ransomware attack. Learn more about the latest threat from Drovorub malware, and what organizations can do to protect themselves.  This article is offered as a part of Cybersecurity Awareness Month, and the week two theme, “Securing devices at home and work.”

Businesses, government organizations, and educational institutions found themselves navigating new challenges as they worked to provide remote access to an unprecedented number of workers. Many turned to Remote Desktop Protocol (RDP) so users could remote into their office devices to access company systems. RDP’s popularity endures because there are clients available for most popular operating systems, including Windows, Linux, Unix, Android, and macOS.


One continuing problem with using RDP is that many organizations fail to ensure that proper security is in place. That leaves hackers with a potential entry point into company systems once they obtain the RDP login credentials needed for access. The credentials could then be sold to others on the dark web, putting many companies and institutions at risk for ongoing cyberattacks.

Earlier versions of RDP also have a vulnerability in the encryption method used on platforms like Windows Server 2008 and Windows XP. While Microsoft issued a legacy patch to repair the issue, any organization using RDP while still running legacy Windows software is at additional risk for a cyberattack. This may be a concern for those running an older Linux OS alongside Windows. There’s more information about the vulnerability of older versions of Windows OS and RDP available here.


A recent alert from both the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI) warned about the threat presented by an insidious malware called Drovorub, with origins traced back to GRU Russian intelligence.

The malware consists of four main components:

  • Client — Receives commands from the remote Drovorub server and transfers files to and from the target endpoint.
  • Kernel Module — Functions as a rootkit that comes packaged with the client. It hides the malware and other artifacts like network ports, sessions, and files from detection within the user’s space.
  • Agent — Gets installed on hosts accessible via the internet or other infrastructure controlled by a hacker. The executable receives commands sent from the Drovorub server and is primarily responsible for uploading and downloading files from the Drovorub client and forwarding network traffic through port relays.
  • Server — Provides control of the agent and client to hackers using a MySQL database to hold data needed for component registration, authentication, and tasks.

Drovorub hides itself in systems while hackers take control of system functions. They may plant other malicious components or manipulate a company’s network settings, all without needing to be on the same continent. Hackers often target internet devices connected via RDP to exploit the port vulnerabilities.


Locating Drovorub malware on a large scale can be a complex undertaking. It hides itself among the tools used for a live response to intrusions. Organizations can take steps to prevent the introduction of Drovorub into their systems in the following ways, especially those who use machines with both Windows and Linux:

  1. Configure Transport Layer Security — Acquire a certificate for the Terminal server from a trusted third-party Certificate Authority or obtain it from an internal PKI solution.
  2. Employ High-Level Encryption — Go in through the Group Policy setting for RDP, then set the encryption level to High.
  3. Validate Network Level Authentication — Organizations should make sure computers using RDP are running version 6.0 or higher on Windows machines running a Linux OS. The Network Level Authentication Group Policy setting should be set to require user authentication for remote connections.

Using the Secure Boot feature is another option, though it can cause disruptions for some Linux distributions. It checks for any issues with the boot loader before launch and makes sure it has a valid signature.
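The following PowerShell script is an added example, not part of the original post: it audits an RDP host against the three hardening steps above (TLS as the security layer, High encryption level, NLA required) and, with -Apply, sets them through the Win32_TSGeneralSetting WMI class, then reports the Secure Boot state mentioned above. It assumes an elevated session on a Windows host with RDP enabled; the certificate thumbprint is a placeholder to replace with the one issued by your CA or internal PKI.

```powershell
# Added example (not from the original post): audit, and optionally apply, the three
# RDP hardening steps above on a Windows RDP host, through the documented
# Win32_TSGeneralSetting WMI class. Run from an elevated PowerShell session.
# SecurityLayer 2 = TLS (step 1); MinEncryptionLevel 3 = High (step 2);
# UserAuthenticationRequired 1 = NLA required (step 3).
param(
    [switch]$Apply,
    # Placeholder: thumbprint of the certificate from a trusted CA or internal PKI.
    [string]$CertThumbprint = 'REPLACE_WITH_CERT_THUMBPRINT'
)

$rdp = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' `
    -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"

# Desired state: property name, expected value, and the WMI method that sets it.
$checks = @(
    @{ Name = 'SecurityLayer';              Expected = 2; Method = 'SetSecurityLayer' }
    @{ Name = 'MinEncryptionLevel';         Expected = 3; Method = 'SetEncryptionLevel' }
    @{ Name = 'UserAuthenticationRequired'; Expected = 1; Method = 'SetUserAuthenticationRequired' }
)

$findings = foreach ($c in $checks) {
    [pscustomobject]@{
        Setting   = $c.Name
        Current   = $rdp.($c.Name)
        Expected  = $c.Expected
        Compliant = ($rdp.($c.Name) -eq $c.Expected)
        Method    = $c.Method
    }
}
$findings | Format-Table Setting, Current, Expected, Compliant -AutoSize

if ($Apply) {
    foreach ($f in $findings | Where-Object { -not $_.Compliant }) {
        # Each setter method takes one argument named after the property it changes.
        $arg = @{}; $arg[$f.Setting] = $f.Expected
        Invoke-CimMethod -InputObject $rdp -MethodName $f.Method -Arguments $arg | Out-Null
    }
    if ($CertThumbprint -ne 'REPLACE_WITH_CERT_THUMBPRINT') {
        # Bind the CA-issued certificate (step 1) so clients can validate the server.
        $rdp | Set-CimInstance -Property @{ SSLCertificateSHA1Hash = $CertThumbprint }
    }
}

# Secure Boot, the extra option mentioned after the list; reports only on UEFI firmware.
try   { "Secure Boot enabled: $(Confirm-SecureBootUEFI)" }
catch { "Secure Boot state unavailable: $($_.Exception.Message)" }
```

Run it without -Apply first to see which settings deviate; changes made with -Apply take effect for new RDP connections.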

Other detection methodologies can help institutions and companies locate Drovorub, including:

  • Network-Based Intrusion Detection Systems (NIDS) — NIDS looks for command and control messages sent between the Drovorub agent, client, and server. The effectiveness is blunted when the message format changes. NIDS can also be evaded using TLS.
  • Host-Based Detection — A script on the host computer can probe Drovorub kernels containing a specific file or file prefix. Security products like Antivirus and Endpoint Detection software may be able to look inside Drovorub components to obtain insight into how they function.
  • Live Response — Launches a real-time response to suspicious changes in a host computer’s files, processes, and network connections.

Organizations relying on RDP connections should make frequent updates to their security protocols to prevent any invasion or hijacking of valuable business resources. More information about securing infrastructure against cyberattacks can be found here.

Cybersecurity flickr photo by Infosec Images shared under a Creative Commons (BY) license

Today’s guest post is by a friend and professional peer of mine, Tony Chiappetta, owner of CHIPS.  CHIPS is a Technology Success Provider located in Shoreview, MN near the intersection of Highway 96 and Lexington.  Since 2001, CHIPS has been working with businesses to help them get the most from their technology investment.

Tony has been around technology all his life and holds numerous industry certifications.  With the completion of both a Law Enforcement and a Business Management Degree, Tony brings a business perspective to the technology landscape.  This has allowed CHIPS to lead the industry by bringing enterprise solutions down to the Small Business sector.

CHIPS has received many industry awards and accreditations; however, Tony is most proud that his team has been asked to help secure the Critical Infrastructure of the Twin Cities by bringing to market a proven technology that was previously only available to Federal Government Agencies.

You can follow CHIPS via Social Media and stay connected with their blog.  Today’s article can be found here.


About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at