The Microsoft Windows Remote Desktop Services have become the perfect platform to infect a computer with a new ransomware campaign. Hackers are using Microsoft Windows to install ransomware in computers, encrypt data and demand ransom of their choice.  The ransomware is installed on computers equipped with open Remote Desktop/Terminal Services connections after brute force attacking common account names and weak passwords.  After infecting the system, the hackers execute the ransomware executable that locates all network and local drives.  Once a virtual map of all available drives and files is created, the software searches for data files of a particular extension and encrypts them with a strong 2048-bit RSA key.

These new campaigns are severely damaging server host operating systems, and the supporting applications running on them – they now target backup devices such as USB drives (at this time, TAPE devices are still secure).  This has the potential to significantly cripple a business without good backup solutions in place, resulting in data loss.  This is the same system that Cryptolocker uses and is regarded as the most common,nefarious and harmful ransomware family currently affecting computers.

In light of this current round of attacks, Value Added Systems recommends that public access to your terminal servers be removed. In order to achieve this goal, we are recommending strengthening the current security settings on your firewall and implementing remote VPN connectivity.  Current VPN client software can be loaded on PCs, laptops,phones and tablets, allowing you to connect anywhere.  Please contact Value Added Systems to discuss blocking public terminal access, implementing a VPN or a new firewall solution.