The FBI is telling businesses to stop using remote desktop software - here's why

Ransomware attack on a computer
(Image credit: Kaspersky)

The FBI, the US Cybersecurity and Infrastructure Security Agency (CISA), and the Australian Cyber Security Centre (ACSC) are urging businesses to "strictly limit the use of Remote Desktop Protocol (RDP) and other remote desktop services" and thus minimize the threat coming from the BianLian ransomware group.

In a joint security advisory, the agencies said BianLian usually gains access to Windows systems through valid RDP credentials, before deploying additional software to steal more credentials or to exfiltrate sensitive data and other important files.

Given that RDP is BianLian's usual point of entry, locking the door seems like a logical step forward.

Reducing the impact

The agencies also said businesses should increase PowerShell logging, add time-based locks to accounts, and monitor domain controllers and Active Directory for suspicious new accounts and other shady activity.
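To show what those recommendations look like on an actual domain-joined Windows host, here is an added example in PowerShell. It is not code from the advisory, the agencies or the article: it scopes the built-in Remote Desktop firewall rules to a management subnet, turns on PowerShell script block and module logging, puts an expiry date on a temporary administrative account, and then pulls recently created accounts and RDP logons out of Active Directory and the domain controllers' Security logs. The subnet `10.10.0.0/24`, the account name `svc-temp-admin` and the seven-day look-back window are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the advisory or the article. Run on a domain-joined
# host with the RSAT ActiveDirectory module installed. The values below are
# assumptions to be replaced with the real management subnet and account name.
Import-Module ActiveDirectory

$ManagementSubnet = '10.10.0.0/24'    # assumed jump-host subnet allowed to reach RDP
$TemporaryAdmin   = 'svc-temp-admin'  # assumed privileged account that must expire
$LookBackDays     = 7                 # assumed window for "recently created" accounts

function Restrict-RdpAccess {
    # Keep the built-in "Remote Desktop" rules, but only for the domain profile and
    # only from the management subnet; everything else can no longer reach 3389.
    Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True `
        -Profile Domain -RemoteAddress $ManagementSubnet
    # Require Network Level Authentication so a client must authenticate before
    # a session (and the login screen) is even created.
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
        -Name 'UserAuthentication' -Value 1 -Type DWord
}

function Enable-PowerShellLogging {
    # Script block logging records the content of every script block that runs
    # (event 4104 in Microsoft-Windows-PowerShell/Operational), including
    # obfuscated code after it has been de-obfuscated by the engine.
    $sbl = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    New-Item -Path $sbl -Force | Out-Null
    Set-ItemProperty -Path $sbl -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord
    # Module logging records pipeline execution details for every module ('*').
    $ml = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging'
    New-Item -Path "$ml\ModuleNames" -Force | Out-Null
    Set-ItemProperty -Path $ml -Name 'EnableModuleLogging' -Value 1 -Type DWord
    Set-ItemProperty -Path "$ml\ModuleNames" -Name '*' -Value '*'
}

function Set-TimeBoundAccount {
    param([string]$Identity, [int]$Hours = 8)
    # A "time-based lock": the account stops working at the expiry date even if
    # nobody remembers to disable it, which limits how long stolen credentials help.
    Set-ADUser -Identity $Identity -AccountExpirationDate (Get-Date).AddHours($Hours)
}

function Get-RecentlyCreatedUsers {
    param([int]$Days = $LookBackDays)
    # Directory view: every user object created inside the look-back window.
    $cutoff = (Get-Date).AddDays(-$Days)
    Get-ADUser -Filter { whenCreated -ge $cutoff } -Properties whenCreated, Enabled |
        Sort-Object whenCreated -Descending |
        Select-Object SamAccountName, whenCreated, Enabled
}

function Get-SuspiciousDomainControllerEvents {
    param([int]$Days = $LookBackDays)
    # Log view from each DC: who created which account (4720), and interactive RDP
    # logons (4624 with LogonType 10) that did not originate from the management subnet.
    $cutoff = (Get-Date).AddDays(-$Days)
    $prefix = ($ManagementSubnet -split '/')[0] -replace '\.0$', '.'   # '10.10.0.' for a /24
    foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
        Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue `
            -FilterHashtable @{ LogName = 'Security'; Id = 4720; StartTime = $cutoff } |
            ForEach-Object {
                [pscustomobject]@{
                    DC = $dc; Time = $_.TimeCreated; Event = 'AccountCreated'
                    Account = $_.Properties[0].Value    # TargetUserName
                    Source  = $_.Properties[4].Value    # SubjectUserName (who created it)
                }
            }
        $xpath = "*[System[EventID=4624 and TimeCreated[timediff(@SystemTime) <= $([int64]$Days*86400000)]] " +
                 "and EventData[Data[@Name='LogonType']='10']]"
        Get-WinEvent -ComputerName $dc -LogName 'Security' -FilterXPath $xpath -ErrorAction SilentlyContinue |
            Where-Object { -not ([string]$_.Properties[18].Value).StartsWith($prefix) } |
            ForEach-Object {
                [pscustomobject]@{
                    DC = $dc; Time = $_.TimeCreated; Event = 'RdpLogonOutsideMgmtSubnet'
                    Account = $_.Properties[5].Value    # TargetUserName
                    Source  = $_.Properties[18].Value   # IpAddress of the RDP client
                }
            }
    }
}

Restrict-RdpAccess
Enable-PowerShellLogging
Set-TimeBoundAccount -Identity $TemporaryAdmin
Get-RecentlyCreatedUsers | Format-Table -AutoSize
Get-SuspiciousDomainControllerEvents | Sort-Object Time -Descending | Format-Table -AutoSize
```

The registry changes take effect for new PowerShell sessions, and in a domain they are better deployed through Group Policy than by touching each host; the script sets the same keys Group Policy would. The 4624 query only sees RDP logons that were authenticated on the domain controllers themselves, so for member servers the same XPath should be run against each host, or the Security logs should be forwarded to a central collector.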

"FBI, CISA, and ACSC encourage critical infrastructure organizations and small- and medium-sized organizations to implement the recommendations in the Mitigations section of this advisory to reduce the likelihood and impact of BianLian and other ransomware incidents," the advisory reads.

We last heard of BianLian in March 2023, when cybersecurity researchers Redacted spotted the group attempting to extort businesses for money - without encrypting their endpoints first. 

Researchers came up with two possible explanations for why the threat actors ditched the encryptor: one is that encrypting the victim's files is too time-consuming, too costly, and redundant, the other that the group never recovered from Avast's decryptor, which was released in January this year. In any case, should your business suffer a ransomware attack, the FBI recommends not paying the ransom demand.

BianLian was first observed in June 2022, targeting businesses in the healthcare industry, as well as other critical infrastructure verticals.

According to a report by The Register, BianLian is actually multiple ransomware groups, growing in size and using newer programming languages such as Go or Rust.

Via: The Register

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.