Secure Remote Access

RDP-Based Ransomware is Targeting School Districts; What Can You Do to Prevent It?

We’ve learned many lessons about staying safe – and keeping others safe too — over the course of the COVID-19 pandemic; don’t cough or sneeze close to others, wash your hands frequently, don’t leave home without a mask, and don’t connect to your network via RDP alone. 

RDP – The Hero of COVID-19?

As COVID-19 sent the world home for an undetermined period of time, RDP or Remote Desktop Protocol, became something of a superstar. RDP is a native Microsoft communication protocol that allows people to instantly connect from their local computer to their remote work or school networks and access the applications they regularly use, as if they were using a computer on that network.

In the past, RDP was valuable for enabling people to work out of office if they couldn’t get into the office for one reason or another. But offices suddenly closing to contain COVID-19 spread, it became a lifesaver. Employees could continue to work as usual while staying safely isolated, and students could continue their studies while hunkering down at home.


On Second Thought… Ransomware RDP

There’s just one problem with this rosy RDP picture: RDP can be a security nightmare. In fact, experts have been warning users about its dangers for years. With RDP, all an attacker needs is the right username and password to make their way deep inside company or university networks. RDP points are prone to brute force attacks — a very common and effective method attackers use to gain access to open RDP ports.

And in fact, attacks to open RDP ports increased by 330% in March 2020 alone. In light of this alarming increase and the expectation that attacks will continue, it’s not surprising that the FBI recently issued a PIN, or Private Industry Notification, warning to schools, alerting them to the dangers of connecting to networks via RDP. Schools, it turns out, are at heightened risk for RDP-based attacks.

Why is this so? Companies sent their workforces home with some level of understanding of the dangers involved in working outside the network perimeter. Many employees were instructed to connect via VPN and many of these accounts made use of lockout thresholds among other security measures. But unfortunately, schools – even large universities — tend to be less aware of security risks. Often, their ports were opened without proper security measures in place, putting their data and their students’ data directly in the hands of attackers.

In the PIN issued on June 23, the FBI warned schools that, “cyber actors are likely to increase targeting of K-12 schools during the COVID-19 pandemic because they represent an opportunistic target as more of these institutions transition to distance learning.” The PIN was referring to a specific ransomware variant called Ryuk. Ryuk is one of the most prolific ransomware variants at the moment, with infections doubling quarter on quarter. Among other methods, it uses RDP vulnerabilities to enter systems and encrypt files.

Ryuk began targeting schools in the fall of 2019, when it shut down a school district in New Mexico. Thereafter, it was the ransomware behind two thirds of attacks targeting schools through the remainder of 2019, hitting districts across New York, Pennsylvania, Louisiana and many more states. These schools were relatively easy targets even before the pandemic. And once administrators, teachers, and students alike started using Microsoft’s built-in RDP as well as RDP solutions developed by other providers to access the desktops they normally use at school, attacking schools became an incredibly attractive and profitable option for malicious actors.

Ryuk is far from the only ransomware variant hackers deploy when they exploit less-than-ideal RDP deployments; the currently trending Nifililm/Nephilim, Dharma, SAMSAM, Matrix and Crysis ransomware all infiltrate networks via vulnerable RDP ports. Considering that the incidence of exposed RDP ports shot up by 127% over the course of the pandemic, it only makes sense that attackers would pursue this relatively simple way of getting what they want. 


Preventing RDP-based Ransomware Attacks on Schools and Beyond

Obviously, we all appreciate RDP’s role in enabling work during this incredibly challenging time. But if you’re going to make use of it, you need to ensure that you’re doing everything you can to keep it from becoming a way in for attackers. If RDP is your primary means of accessing your remote work or school applications, make sure to:

  • Back up all files on a regular basis and keep those backups secure. This will keep you from having to pay the ransom fee if you do fall victim. 
  • Patch all OSes and software as soon as patches are released. 
  • Use a monitoring tool or solution to enable troubleshooting and to locate attacks.
  • Use 2FA or MFA for all access credentials.
  • Enforce least-privileged access for applications, data, and access.

With Ericom Connect, you can connect to RDP knowing you’ll have the security, scalability and control you need to prevent ransomware from getting into your network. Ericom Connect is a web-based clientless remote desktop solution that can be centrally configured by admins, without having to depend on employees and students. It enables users to connect securely, even from outside the firewall. 


More than ever, keeping attackers out of networks is critical, regardless of whether your network belongs to a school district, university system or a Fortune 500 company. Ericom Connect allows you to have both operability and security – just what you need to keep work and classes running through these challenging times.


James Lui

James Lui

Group CTO, Americas | Ericom Software