Quick Heal has detected an ongoing ransomware attack. This post outlines the important steps you must take to protect your computer(s) against this threat.
What to do to stay safe from the attack?
Most of the steps mentioned below are technical in nature. If you need any assistance, please call us.
- Ensure all protection levels in your Quick Heal product are ON.
- Disable Remote Desktop Protocol (RDP) if not used. Instructions on how to do this have been mentioned at the end of this post.
- Change RDP port to a non-standard port. Click here to know how to do this
- Configure your Firewall in the following ways:
- Deny access to Public IPs to important ports (in this case RDP port 3389)
- Allow access to only IPs which are under your control
- Use a VPN to access a network, instead of exposing RDP to the Internet.
- If possible, implement Two Factor Authentication (2FA).
- Set a lockout policy which hinders guessing of credentials.
- Create a separate network folder for each user when managing access to shared network folders.
- Don’t keep shared software in an executable form.
- Don’t assign administrator privileges to users. Most importantly, don’t stay logged in as an administrator unless it is strictly necessary. Also, avoid browsing, opening documents or other regular work activities while logged in as an administrator.
About the ransomware attack
Quick Heal has detected a recent ransomware outbreak which uses a Remote Desktop Protocol (RDP) brute force attack. However, we suspect that this attack could also be using other means to spread. These could be:
- Spam and phishing emails
- Exploit Kits
- SMB vulnerabilities like (EternalBlue, etc.)
- Dropped by other malware
What is Remote Desktop Protocol (RDP)?
The Remote Desktop protocol is used to connect to another computer over a network remotely. It’s generally used to carry out remote device management. The protocol runs over TCP/UDP port 3389.
What is a Brute Force Attack?
A brute force attack is a trial-and-error method used to retrieve critical information such as usernames, passwords or any kind of personally identifiable information (PII). A brute force attack is generally carried out through automated scripts.
By brute forcing the user credentials to access the RDP on a victim’s machine, attackers are able to uncover usernames and passwords. Once the user credentials are obtained, attackers control the victim’s machine to carry out the intended attack. In most cases, ransomware attacks have been observed as the end result of a Remote Desktop Protocol brute force attack.
About the detected ransomware that is spreading through the RDP brute force attack
Quick Heal has observed the Dharma ransomware outbreak to have used the RDP brute force attack. Earlier, other ransomware were also observed to have spread through the same mechanism. In this particular scenario, the attacker can take control of the system with administrative privileges. This allows them to install/uninstall any program on the infected computer. Here, we have observed that attackers were uninstalling the security software from the infected machine. And by doing so, they were able to implant a ransomware on it.
How Quick Heal protects its users from such attacks
Quick Heal products are built with the following multi-layered security layers that help counter such attacks.
Specially designed to counter ransomware attacks. This feature detects ransomware by tracking its execution sequence.
Blocks malicious attempts to breach network connections.
Detects RDP brute force attempts and blocks the remote attacker IP for a defined period.
- Virus Protection
Online virus protection service detects the known variants of the ransomware.
- Behavior-based Detection System
Tracks the activity of executable files and blocks malicious files.
- Back Up and Restore
Helps you take regular backups of your data and restore it whenever needed.
Important safety measures to keep your computer safe against ransomware attacks
It is important to understand that such kinds of attacks are targeted towards victims with weaker security infrastructure. This makes it highly critical for individual users and businesses to strengthen their security perimeter and stand strong against all such attacks.
1. Back up data regularly
- Back up your important data regularly and keep a recent backup copy offline. Encrypt your backup. If your computer gets infected with a ransomware, your files can be restored from the offline backup once the malware has been removed.
- Always use a combination of online and offline backup.
- Do not keep offline backups connected to your system as this data could be encrypted when a ransomware strikes.
2. Keep OS and all other software up-to-date
- Always keep your security software up-to-date.
- Keep your Operating System and other software updated. Software updates frequently include patches for newly discovered security vulnerabilities which could be exploited by attackers.
- Apply patches and updates for software like Microsoft Office, Java, Adobe Reader, Flash, and all Internet browsers like Internet Explorer, Chrome, Firefox, Opera, etc., including browser plugins
3. Do not download unverified, cracked/pirated software as they can be used to install malware on your computer.
4. Avoid downloading software from untrusted P2P or torrent sites. In most cases, they are malicious.
5. Stay away from phishing attacks
- Do not click on links or download attachments in unexpected, unknown or unwanted emails. Most phishing emails carry a sense of urgency. They are crafted to trick you into taking an action like clicking on a link or downloading an attached file.
- Ensure your antivirus is built with an anti-phishing feature that automatically blocks phishing emails and websites.
How to disable RDP?
- In Control Panel, click System And Security, and then click System.
- On the System page, click Remote Settings in the left pane. This opens the System Properties dialog box to the Remote tab.
- To disable Remote Desktop, select Don’t Allow Connections To This Computer, and then click OK. Skip the remaining steps.