BullWall Intros “Behind the Firewall” Protection for RDP Sessions – The Top Entry Point for Ransomware Deployments

BullWall’s Server Intrusion Protection (SIP) brings multifactor authentication (MFA) where it’s long been needed most: behind the firewall to stave off unauthorized server access resulting from the use of compromised credentials during RDP sessions.

It’s an important new protection against the malicious use of stolen or compromised credentials. Moreover, the lack of server protection has emerged as an important gating factor in determining whether organizations qualify for cyber insurance and if so, what coverage rates will be.

With the migration to remote and hybrid work environments, RDP has emerged as the entry point in nearly 50% of all ransomware attacks. It offers an especially attractive entry point because:

– RDP is widely used for remotely accessing and managing Windows systems, and offers a direct pathway into a network.

– Weak and default credentials are an almost ubiquitous problem that give would-be attackers a clear route for brute force attacks.

– Credential theft via phishing, keyloggers, or credential dumping attacks further heighten the risks.

– RDP vulnerabilities can enable remote code execution, enabling attackers to compromise systems valid credentials.

Once inside a network through an RDP compromise, attackers can move laterally and escalate privileges, allowing deployment of ransomware across a broader range of systems.

Insufficient monitoring and logging can allow intruders to go undetected.

BullWall SIP prevents RDP session hijacking and impedes breach progression to prevent ransomware deployment. When an illegitimate session is detected, SIP immediately blocks any compromised clients and servers, and issues alerts, halting bad actors who may have gained entry.

“One of the biggest stumbling blocks to obtaining cyber insurance is the requirement for MFA on servers in addition to endpoints, for every login attempt. BullWall Server Intrusion Protection provides a game-changing MFA solution for server access that doesn’t require a second device. We’re thrilled to offer a solution that increases security, reduces user friction and stops today’s most common attack vector,” said Morten Gammelgard, BullWall Co-Founder and EVP of EMEA.

BullWall Server Intrusion Protection works together with BullWall Ransomware Containment (formerly BullWall RansomCare) to prevent and contain ransomware, protecting the organization’s most important, targeted digital assets against cyberattacks – a singularly important safeguard that can substantially impact cybersecurity insurance eligibility and terms for many organizations.

Jan Lovmand, BullWall Co-Founder and CTO, said: “Remote Desktop Protocol is the single most exploited initial attack vector and the entry point for fully half of all ransomware attacks. We’re really excited to introduce BullWall Server Intrusion Protection to shut down RDP session-level attacks, closing a door that’s otherwise too easily opened. Together with our Ransomware Containment solution, BullWall offers organizations the strongest defense against ransomware available on the market today.”

To mitigate the risk of RDP-based ransomware attacks, experts with BullWall have published a paper on the threat and key steps organizations should take. A partial list of those steps includes:

1. Disabling Unnecessary RDP;

2. Enforcing Strong Authentication – including for RDP access on every server login;

3. Regular Patching to keep RDP software and the underlying operating system up to date with security patches to mitigate vulnerabilities;

4. Network Segmentation that isolates critical systems from less critical ones to limit lateral movement in case of an RDP compromise;

5. Monitoring and Loging RDP Sessions; and

6. Restricting RDP access to only authorized personnel, and regularly review and revoke unnecessary access.

For analysis of the RDP ransomware threat and recommended safeguards, read: How Has RDP Become a Ransomware Gateway and What to do About it.