{
	"id": "9be08d81-f765-4edc-ab1c-d09646f58012",
	"created_at": "2026-04-06T00:12:01.827986Z",
	"updated_at": "2026-04-10T03:20:20.542837Z",
	"deleted_at": null,
	"sha1_hash": "2b7299a5fcd333825ad6c567032e8b3befcdc572",
	"title": "Ransomware Delivered Using RDP Brute-Force Attack | Zscaler",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 855278,
	"plain_text": "Ransomware Delivered Using RDP Brute-Force Attack | Zscaler\r\nBy Mohd Sadique, Pradeep Kulkarni\r\nPublished: 2021-01-08 · Archived: 2026-04-05 19:38:34 UTC\r\nZscaler ThreatLabZ recently published a report on the 2020 State of Public Cloud Security that showed security\r\nmisconfiguration to be the leading cause of cyberattacks against public cloud infrastructure. In this blog, we will\r\nlook at one of the most commonly abused security misconfigurations—the RDP service port left open to the internet—\r\nand how cybercriminals abuse it. \r\nBrute-forcing RDP (Remote Desktop Protocol) is the most common method used by threat actors attempting to\r\ngain access to Windows systems and execute malware. The reason is simple: in our public cloud threat research,\r\nwe have observed that 70 percent of systems keep RDP ports open in the public cloud. Threat actors scan for these\r\npublicly open RDP ports to conduct distributed brute-force attacks. Systems that use weak credentials are easy\r\ntargets, and, once compromised, attackers sell access to the hacked systems on the dark web to other\r\ncybercriminals.\r\nRansomware groups such as SamSam and Dharma have been spreading almost exclusively via RDP for years. In\r\nthis case study, we will look at Dharma ransomware attacks. Dharma, also known as Crysis, has been distributed\r\nunder a ransomware-as-a-service (RaaS) model since 2016. Its source code was put up for sale in March 2020,\r\nmaking it available to a wider audience.\r\n \r\nInfection chain\r\nAttackers use open-source port-scanning tools to scan for exposed RDP ports online and then try to gain access to\r\na system using brute-force tools or stolen credentials purchased from the dark web. After attackers gain access to\r\nthe target system, they go on to make the system vulnerable by deleting backups, disabling antivirus software, and\r\nchanging configuration settings. 
Once security is disabled and the network left vulnerable, attackers deliver\r\nmalware payloads. The process involves installing ransomware, using infected machines to distribute spam,\r\ndeploying keyloggers, or installing backdoors to be used for future attacks.\r\nThe figure below shows the infection cycle of Dharma ransomware delivered via an RDP brute-force attack.\r\nhttps://www.zscaler.com/blogs/security-research/ransomware-delivered-using-rdp-brute-force-attack\r\nPage 1 of 5\n\nFigure 1: Infection chain of an RDP brute-force attack delivering Dharma ransomware\r\nOnce the attacker gains access to the machine, the following files are uploaded:\r\n%temp%\\ns.exe – Network enumeration/scanning tool\r\n%programfiles%\\process hacker\\ – Process Hacker tool\r\nns.exe is a network enumeration and scanning tool used by attackers to scan SMB shares, open ports, and services\r\nthrough which they can move within the network.\r\nProcess Hacker is a program used mostly by system administrators for monitoring, debugging, and\r\ntroubleshooting, but in this case, it was used for malicious purposes such as disabling AV or services.\r\nFollowing this pre-execution stage, the attacker uploads a ransomware file and executes it.\r\nTechnical details\r\nOnce executed, this variant of Dharma ransomware uses the commands below to quietly delete all of the shadow\r\nvolume copies on the machine.\r\nmode con cp select=1251\r\nvssadmin delete shadows /all /quiet\r\nExit\r\nFor persistence, the ransomware performs the following steps:\r\n1. Copy the file to %windir%system32 or %appdata% and set 'LOCAL_MACHINE/LOCAL_USER\r\nSoftware\\Microsoft\\Windows\\CurrentVersion\\Run'\r\n2. Copy the file to the 'Startup' folder\r\n3. 
Copy the file to the 'Common Startup' folder\r\nThe ransomware encrypts files with the following extensions:\r\nFigure 2: File extensions to encrypt\r\nThe ransomware encrypts files using the AES-256 algorithm. The AES key is in turn encrypted with RSA-1024.\r\nThis encrypted AES key is stored at the end of the encrypted file along with the filename.\r\nThe names of the encrypted files have the following pattern:\r\n[Filename].id-{8 bytes ID}.[recovery_email].zimba\r\nFigure 3: Encrypted files\r\nAfter encrypting the files, the ransomware pops up two different ransom notes on the victim’s computer. One is\r\nthe Info.hta file, which is launched via autorun when a user logs into the computer.\r\nFigure 4: info.hta\r\nThe other note is called FILES ENCRYPTED.txt and can be found on the desktop.\r\nFigure 5: FILES ENCRYPTED.txt\r\nLateral movement\r\nDharma ransomware uses typical methods for obtaining credentials and propagating laterally within a network. In\r\nmost cases, it uses the Mimikatz tool, which allows it to dump network share credentials, and in other cases, it\r\nuses NirSoft CredentialsFileView, which allows for the recovery of passwords stored in encrypted credential files.\r\nThe obtained credentials are used to attempt lateral movement inside on-prem as well as public cloud\r\ninfrastructure.\r\nIn some cases, the ransomware tries to spread through the network by taking advantage of a compromised\r\nDomain Controller and deploying a Default Domain Policy that runs the ransomware payload at startup on\r\neach machine.\r\n \r\nConclusion\r\nSince Dharma ransomware is usually installed by gaining access to Remote Desktop Services, it is important to\r\nensure that those services are properly locked down. 
This includes ensuring that computers running Remote Desktop\r\nServices do not connect directly to the internet. Instead, organizations should use a zero trust architecture to allow\r\nremote users to securely access these servers without exposing them to the entire internet. \r\nWhile applying security patches is always important, most RDP-based attacks rely on cracking weak credentials,\r\nso passwords should be long, unique, and random. It’s important for enterprises to establish password\r\nrequirements and train employees to use strong passwords. \r\nAttackers typically identify potential targets by scanning the internet for systems listening on the default RDP port\r\n(TCP 3389). Changing the listening port via the Windows Registry can help organizations hide vulnerable\r\nconnections.\r\nMITRE ATT\u0026CK tactic and technique mapping\r\nTechnique ID Technique\r\nT1190 Exploit Public-Facing Application\r\nT1059 Command Line Interface\r\nT1061 Graphical User Interface\r\nT1547 Boot or Logon Autostart Execution\r\nT1037 Startup Items\r\nT1110 Brute Force\r\nT1003 Credential Dumping\r\nT1083 File and Directory Discovery\r\nT1135 Network Share Discovery\r\nT1018 Remote System Discovery\r\nT1063 Security Software Discovery\r\nT1076 Remote Desktop Protocol\r\nT1105 Remote File Copy\r\nT1486 Data Encrypted for Impact\r\nSource: https://www.zscaler.com/blogs/security-research/ransomware-delivered-using-rdp-brute-force-attack",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.zscaler.com/blogs/security-research/ransomware-delivered-using-rdp-brute-force-attack"
	],
	"report_names": [
		"ransomware-delivered-using-rdp-brute-force-attack"
	],
	"threat_actors": [],
	"ts_created_at": 1775434321,
	"ts_updated_at": 1775791220,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2b7299a5fcd333825ad6c567032e8b3befcdc572.pdf",
		"text": "https://archive.orkl.eu/2b7299a5fcd333825ad6c567032e8b3befcdc572.txt",
		"img": "https://archive.orkl.eu/2b7299a5fcd333825ad6c567032e8b3befcdc572.jpg"
	}
}