
Remote Desktop Protocol: Convenience or Threat to Businesses?

Introduction

The Remote Desktop Protocol (RDP) is a key tool for businesses, allowing administrators and staff to access computers and servers remotely. But its widespread use also makes it a popular target. Over 50% of small and medium-sized businesses (SMBs) and IT service providers use RDP in daily operations, which dramatically increases the attack surface. If RDP is exposed to the Internet without adequate protection, an attacker who gains access can essentially take control of the system remotely. This has led to RDP being characterized as a "main gateway" for cyberattacks, especially at a time when teleworking and remote system management are increasing.

RDP attack statistics & trends:

In recent years, there has been a surge in RDP attacks. At the beginning of the pandemic, the number of RDP servers exposed to the Internet increased from approximately 3 million (Jan 2020) to over 4.5 million in March 2020, indicating how many more RDP services came online and became potential targets. According to Sophos analysis, in 95% of breach incidents in the first half of 2023 attackers exploited RDP at some stage of the attack, up from 88% in 2022. Similarly, data from cyber insurance providers shows that 58% of direct ransomware incidents in 2023 were due to a vulnerability in a remote access tool, with RDP historically being a significant part of these. In addition, huge amounts of malicious scanning traffic are recorded daily looking for open RDP ports; a recent report recorded up to 740,000 different IP addresses scanning RDP services every day. Notably, the attackers are not limited to the default port 3389: in late 2024, the Shadowserver Foundation observed an unusually large scanning campaign focused on port 1098/TCP, an unusual port for RDP, with about 740,000 sources per day (including 405,000 from Brazil) searching for vulnerable RDP systems.

This focus on non-standard ports (such as 1098) suggests that attackers are trying to exploit poor configurations or bypass security measures that only guard port 3389. Overall, RDP services that are open to the public are considered high-risk targets; as CISA notes, RDP ranks alongside SMB, Telnet, and NetBIOS among the services most often exploited by attackers when left unprotected.

Exploitation techniques by cybercriminals:

Attackers have developed a variety of strategies to breach RDP, targeting either weaknesses in password management or vulnerabilities in the protocol itself:

Brute-force and credential theft: The most common tactic is to try a large number of passwords (brute force, or dictionaries of common passwords) against exposed RDP systems. Weak passwords (e.g. predictable or low-complexity ones) allow automated tools to guess credentials and gain unauthorized access. Attackers use scanners to detect open RDP ports and then attempt successive connections until they "crack" an account, often exploiting the lack of an account lockout mechanism after repeated failed logon attempts.

In addition, an underground market for RDP access has developed. Stolen RDP passwords or active sessions are sold on dark web forums, making it easy for even non-expert hackers to buy ready-made access to victim networks. This practice is supported by groups known as Initial Access Brokers, who scan en masse and collect such accesses. The result is that the use of stolen or compromised credentials has surpassed vulnerability exploitation as the initial cause of breaches: in the first half of 2023, cases where attackers launched an attack with already compromised credentials reached 50%, compared to 23% that exploited a software vulnerability. Given that RDP is preinstalled on most Windows systems, often without active brute-force protection, it is a tempting target.

Examples: The CrySiS ransomware (and variants such as CryptON) primarily targets US businesses via open RDP ports, using brute-force attacks to crack passwords and then install the encryption malware.

Similarly, the SamSam ransomware became notorious because its perpetrators preferred to break into networks via RDP, either by purchasing stolen login credentials or by trying combinations until they found the correct passwords. In one incident in July 2018, SamSam operators executed a brute-force attack on an RDP account of a health organization, penetrated the network, and managed to encrypt thousands of machines before they were detected.

Exploiting known RDP vulnerabilities: Although rarer in terms of frequency (because it requires knowledge of the vulnerability and an unpatched target), software vulnerabilities in RDP can allow an attack without even needing a password. One of the most important was BlueKeep (CVE-2019-0708), discovered in 2019 in Windows. It was a critical vulnerability in the Remote Desktop Services mechanism, which allowed an attacker to send specially crafted packets to a system with RDP enabled and remotely execute arbitrary code without any valid account. BlueKeep was characterized as a "wormable" vulnerability, that is, one able to self-propagate from system to system like a worm, similar to the way the EternalBlue vulnerability was used by WannaCry in 2017.

Microsoft, realizing the seriousness, released emergency patches in May 2019 even for operating systems that had gone out of support (e.g. Windows XP), and both it and government agencies (e.g. CISA) issued repeated warnings urging immediate patching. Despite these preventive actions, hundreds of thousands of systems remained vulnerable even a few months after the first cases of BlueKeep exploitation "in the wild", where attackers used the vulnerability to install cryptocurrency mining software on unprotected machines. Fortunately, there was no widespread BlueKeep-based ransomware attack, likely thanks to timely updates in critical environments, but the case highlighted how devastating an RDP vulnerability can be if not addressed immediately.

In addition to BlueKeep, other vulnerabilities have also appeared: in December 2024 alone, Microsoft fixed nine major vulnerabilities affecting Remote Desktop Services, most of which were classified as remote code execution (RCE). The following month (January 2025), additional fixes were released for two critical RDP vulnerabilities (CVE-2025-21309 and CVE-2025-21297), which could allow an attacker to execute malicious code remotely without any authentication (similar in severity to BlueKeep). These ongoing disclosures show that RDP continues to be examined by researchers (and unfortunately by hackers) for new vulnerabilities, which is why the timely application of security updates is of critical importance.

Internal exploitation and lateral movement: It is worth noting that even when RDP is not the initial entry point, attackers often exploit it afterwards. Once they gain an initial foothold (e.g. through phishing or another vulnerability), many malware tools or hands-on intruders enable RDP on internal machines or use existing RDP access for lateral movement. According to Sophos, in 77% of incidents where RDP was involved, the perpetrators used it primarily for internal access and connectivity between systems, in order to establish control over the entire network. This means that even if the initial entry is achieved otherwise, RDP becomes a tool for extending the attack, and it makes quick detection of intruders harder (movement over valid RDP connections may go unnoticed if there is no proper monitoring).

Examples of real attacks via RDP:

Many of the biggest cyberattacks in recent years have had RDP as a common denominator. Numerous ransomware incidents have been reported where the initial breach was achieved via exposed RDP. In addition to the aforementioned examples of CrySiS/CryptON and SamSam from the USA, similar scenarios have been recorded worldwide. In the United Kingdom, the National Cyber Security Centre (NCSC) has repeatedly warned that RDP is one of the main paths for ransomware gangs, while the FBI's Internet Crime Complaint Center (IC3) had already issued a special alert in 2018 noting that RDP exploitation had been growing rapidly since 2016, with access being sold through dark markets. A high-profile incident was the SamSam ransomware attack on the city of Atlanta (2018): the attackers infiltrated the city's systems via a server with a weak RDP password and disabled critical services. The city initially refused to pay a ransom of $50,000, but the cost of recovery exceeded all expectations. It was estimated that the total cost of restoring systems, upgrading software and repairing damage would reach 17 million dollars, much more than initially estimated. Overall, SamSam's campaign hit over 200 organizations (mainly in the US), earning the attackers ~$6 million in ransom payments while causing cumulative financial losses of over 30 million dollars due to outages and recovery. Other ransomware families, such as Dharma (a variant of CrySiS), continue to this day to target open RDP en masse, often at small and medium-sized businesses with limited security measures, because it offers an easy initial foothold. A worrying element is that as "double extortion" (data encryption plus theft and threat of leakage) became the norm, access via RDP can lead not only to file encryption but also to a breach of sensitive data.

Attackers who gain administrator rights via RDP often seek out backup files, customer databases, and other valuable assets, either to exfiltrate them or to destroy backups, thereby maximizing the pressure on the victim to pay. Indicatively, in over 51% of ransomware incidents in 2023 the perpetrators not only encrypted but also exfiltrated data (double extortion), which was often made possible by the extensive access they had obtained (e.g. via RDP or VPN).

Impact on businesses:

RDP attacks can have disastrous consequences for an organization. Beyond the obvious cost of the ransom in the case of ransomware, there are the compounding costs of downtime, data loss and reputational damage. As the Atlanta case showed, recovery costs (system restoration, consulting, new protections) can far exceed the ransom amount itself. In addition, if customer data or trade secrets are leaked due to an RDP breach, businesses face legal penalties and long-term trust issues. According to FBI data, ransomware attacks that start from an open RDP often affect small and medium-sized businesses, considered "easy targets" due to their lack of security measures. These companies may have thought they were "too small to attract hackers", but it is precisely this relaxed attitude that makes them particularly vulnerable.

For example, ransomware such as Mespinoza intensively targets smaller organizations, and in a large percentage of cases the initial point of entry is found to be a brute-force attempt on RDP. The consequences for these businesses, which often lack an IT security team, include total shutdown for days or weeks, loss of revenue, recovery costs, and even closure of the business in extreme cases. Given that an average of 19 days of productivity are lost in a serious ransomware attack (according to insurance studies) and that the average cost of an attack can reach hundreds of thousands of dollars, it becomes clear that hardening RDP is not optional but absolutely necessary for business continuity.

Security best practices for RDP:

Due to the above risks, multiple layers of defense are required for the secure use of RDP. The following are strategies and measures recommended by cybersecurity experts (Microsoft, CISA, NIST, etc.) to reduce risk:

Minimize exposure: The most fundamental principle is not to leave RDP open to the wider Internet. If remote access is required, place RDP behind a firewall and allow it only via a VPN or another secure network tunnel. In other words, any user who needs RDP must first connect to a virtual private network (VPN) or go through an RDP gateway to which only authorized users have access. This drastically reduces exposure, as attackers can no longer scan your IP address and find port 3389 open.

Additionally, where possible, restrict RDP access based on IP address (whitelisting the specific addresses or ranges that may connect) and grant RDP permissions only to those employees who need it (minimizing the number of RDP-enabled accounts). In many cases, servers or workstations may not need to accept RDP at all; disable the service on these machines to eliminate the risk completely.

Finally, a "security by obscurity" practice that adds a small additional obstacle is to change RDP's default port 3389 to a non-standard port. This does not replace other measures (an attacker can scan a range of ports), but it may filter out the more automated tools that only check 3389. (Note: as we have seen, attackers now also scan other ports such as 1098, so changing the port does not provide absolute protection, but it can reduce the noise from random scans.)

Multi-factor authentication (MFA): 2FA/MFA is perhaps the most effective measure to prevent misuse of stolen passwords. Even if an attacker finds or guesses your password, the additional requirement (e.g. a dynamic OTP, mobile verification, or a security token) can prevent them from logging in. The importance of MFA is particularly emphasized for RDP, as it is considered one of the most common ransomware infection routes; therefore enabling MFA on all accounts (including administrators) is critical. In practice, however, many organizations still don't implement it: Sophos found that in 39% of the incidents it investigated (IR cases, 2023), RDP did not have MFA configured. This makes the attackers' job easier, which is why even insurance companies now require MFA as a prerequisite for cyber insurance. So implement MFA (either through Active Directory if supported, or through third-party tools/RDP gateways that add it) to shield access. No user, not even the administrator, should be exempt from this requirement.

Strong passwords and login policies: In addition to MFA, make sure that the passwords of all RDP accounts meet high complexity standards (length, mixed case, numbers, symbols) and are unique. Avoid reused passwords that may have leaked from other sites; attackers often try credentials from known data breaches. Implement an account lockout policy after a certain number of failed attempts (e.g. a 15-minute lockout after 5 failed logins) to discourage automated brute-force tools. Additionally, enable the security options of RDP itself, specifically Network Level Authentication (NLA), which requires the user to authenticate before a full desktop connection is established. With NLA enabled, even if there is a BlueKeep-type vulnerability, an attacker cannot exploit it without credentials, so it adds a layer of defense. Microsoft recommends that NLA always be active on RDP servers. Also, make sure that RDPSec (Transport Layer Security for RDP) is active so that communication is encrypted and man-in-the-middle attacks are prevented.

Updates and patch management: Keep operating systems and Remote Desktop Services constantly updated. Security fixes (patches) often address newly discovered vulnerabilities, and delaying their application leaves an "open door" for attackers. For example, systems that had not applied the BlueKeep patch in 2019 remained vulnerable to attacks even months after the update was released. Subscribe to Microsoft and/or CISA security bulletins to receive notifications of critical RDP updates. If you are using older versions of Windows, consider upgrading, since out-of-support versions no longer receive patches (BlueKeep showed that even Windows XP needed an emergency patch, but this was an exception).

Make patching a priority: according to CISA, remote access servers should be kept fully updated and hardened, because a successful exploit gives external attackers direct access to the internal network.

Monitoring and detection: Implement mechanisms for logging and monitoring RDP connections. Enable Windows Remote Desktop logs (successful/failed logon events) and collect them in a central system (SIEM) so that you can identify attack patterns (e.g. many failed attempts, out-of-hours connections from unknown IPs, etc.). Centralizing logs is important, as CISA emphasizes, so that suspicious activity does not go unnoticed. In addition, consider using Endpoint Detection & Response (EDR) tools, which can detect anomalies in RDP sessions, e.g. sudden creation of an RDP session, attempts from unauthorized systems, etc. Some EDR or IDS solutions can also automatically block suspicious activity. Such tools add a layer of defense "inside" the network, capable of stopping an attacker who has bypassed the external measures.
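As an added example (not code from the original article), the following Python script implements the detection patterns described above over constructed Windows Security events: a burst of failed RDP logons (event 4625, logon type 10) from one source, a success immediately after that burst, logons from outside an assumed trusted subnet, and logons outside assumed business hours. The simplified event format, the 10.0.0.0/24 subnet and the 08:00-18:59 window are assumptions for the demo.

```python
"""Detect RDP attack patterns (brute force, success after failures,
untrusted source, out-of-hours) in Windows Security log events.
Added example, not from the original article. Events are constructed
samples in a simplified dict form; the fields mirror Windows Security
events 4625 (failed logon) / 4624 (successful logon) with LogonType 10
(RemoteInteractive, i.e. RDP). Trusted subnet and hours are assumed."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON, SUCCESS_LOGON = 4625, 4624
RDP_LOGON_TYPE = 10                                   # RemoteInteractive
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/24")]  # assumed mgmt subnet
BUSINESS_HOURS = range(8, 19)                         # assumed 08:00-18:59

def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)

def detect(events, fail_threshold=5, window=timedelta(minutes=5)):
    """Return alerts as (kind, source_ip, detail) in chronological order."""
    alerts, failures = [], defaultdict(list)  # ip -> recent failure times
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["logon_type"] != RDP_LOGON_TYPE:    # ignore non-RDP logons
            continue
        t, ip = datetime.fromisoformat(ev["time"]), ev["ip"]
        if ev["id"] == FAILED_LOGON:
            # keep only failures inside the sliding window, then add this one
            failures[ip] = [x for x in failures[ip] if t - x <= window] + [t]
            if len(failures[ip]) == fail_threshold:  # alert once per burst
                alerts.append(("brute_force", ip,
                               f"{fail_threshold} failed RDP logons within {window}"))
        elif ev["id"] == SUCCESS_LOGON:
            # a success shortly after a failure burst suggests a guessed password
            if failures[ip] and t - failures[ip][-1] <= window:
                alerts.append(("success_after_failures", ip, ev["user"]))
            if not is_trusted(ip):
                alerts.append(("untrusted_source", ip, ev["user"]))
            if t.hour not in BUSINESS_HOURS:
                alerts.append(("out_of_hours", ip, ev["user"]))
    return alerts

# Constructed sample events (not real telemetry): six failures from one
# Internet address at 02:00, then a success for the same account; a normal
# daytime logon from the management subnet; one non-RDP (network) logon.
SAMPLE_EVENTS = [
    {"time": f"2024-03-01T02:00:{s:02d}", "id": 4625, "logon_type": 10,
     "ip": "203.0.113.7", "user": "administrator"} for s in range(0, 60, 10)
] + [
    {"time": "2024-03-01T02:01:00", "id": 4624, "logon_type": 10,
     "ip": "203.0.113.7", "user": "administrator"},
    {"time": "2024-03-01T10:15:00", "id": 4624, "logon_type": 10,
     "ip": "10.0.0.5", "user": "alice"},
    {"time": "2024-03-01T10:16:00", "id": 4625, "logon_type": 3,
     "ip": "203.0.113.9", "user": "svc_backup"},
]

if __name__ == "__main__":
    for kind, ip, detail in detect(SAMPLE_EVENTS):
        print(f"{kind:24} {ip:15} {detail}")
```

Feeding the script real 4624/4625 events exported from a SIEM would require mapping the Windows field names (IpAddress, LogonType, TargetUserName) onto the dict keys used here.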

Safe alternatives and additional measures: Consider whether traditional RDP is the best way to provide remote access. Microsoft recommends modern solutions such as Windows Virtual Desktop/Azure Virtual Desktop or Remote Desktop Gateway with TLS, which add a more secure proxy layer. If this is not possible, at least make sure that RDP runs with strong encryption (RDP TLS mode) and only accepts authenticated clients. Also restrict rights: users connecting via RDP should not use local admin accounts unless necessary. It is better to use standard (non-privileged) user accounts and then elevate (Run as administrator) only where needed, to reduce the impact if an account is compromised.

Ensure recovery readiness: maintain reliable offline backups, tested for restoration, so that if the worst-case scenario occurs (e.g. ransomware via RDP) you can restore your systems without giving in to extortion.

Conclusion:

RDP remains a necessary tool for many businesses and is not going to disappear; however, the threats around it are real and evolving. Cybercriminals are constantly trying new methods, from brute-forcing passwords to exploiting non-obvious ports (like 1098) and zero-day attacks, to compromise systems via RDP. For this reason, RDP security should be a priority. With updated systems, limited exposure, MFA, strong passwords, and additional layers of protection, organizations can enjoy the benefits of remote access without sacrificing their security. The relevant authorities (Microsoft, CISA, NIST, etc.) provide detailed instructions, but the gist is that RDP must be used with great care and constant supervision; then it remains a useful tool instead of turning into a "Trojan Horse" for attackers.

Sources:

  • Microsoft (MSRC & Security Blog)
  • CISA & FBI/IC3
  • NIST special publications
  • Sophos
  • Coveware
  • Shadowserver
  • techtarget.com
  • cybersecuritynews.com
  • hipaajournal.com
  • cisa.gov

Author

8G_N0maD
