Stolen or weak remote desktop credentials are routinely used to infect point-of-sale systems with malware, but recently they’ve also become a common distribution method for file-encrypting ransomware.
In March, researchers discovered a ransomware program dubbed Surprise that was being installed through stolen credentials for TeamViewer, a popular remote administration tool. But the trend had started long before that, with some ransomware variants being distributed through brute-force password guessing attacks against Remote Desktop Protocol (RDP) servers since 2015.
While this method of infection was initially used by relatively obscure ransomware programs, recently it has been adopted by an increasing number of cybercriminals, including those behind widespread ransomware programs such as Crysis.
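The brute-force RDP logon attempts described above leave a recognisable trail in the Windows Security log: a burst of failed logons (Event ID 4625) with logon type 10 (RemoteInteractive) from one source address, often cycling through several account names, and, when the guessing succeeds, a 4624 success from the same source. The following detector is an added example written for this article, not code from any project or vendor it mentions; it runs over a constructed, simplified log format (`timestamp|event_id|logon_type|ip|account`), and the IP addresses, account names and threshold are assumptions chosen for illustration.

```python
"""Flag RDP brute-force bursts, and successes that follow them, from failed-logon events.

Added example for illustration; the log lines below are constructed, not captured.
Windows Security log semantics used: 4625 = failed logon, 4624 = successful logon,
LogonType 10 = RemoteInteractive (RDP).
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in a simplified pipe-separated form (not real event output).
SAMPLE_LOG = """\
2016-04-01T10:00:01|4625|10|203.0.113.5|administrator
2016-04-01T10:00:03|4625|10|203.0.113.5|admin
2016-04-01T10:00:05|4625|10|203.0.113.5|pos
2016-04-01T10:00:07|4625|10|203.0.113.5|backup
2016-04-01T10:00:09|4625|10|203.0.113.5|administrator
2016-04-01T10:00:11|4625|10|203.0.113.5|administrator
2016-04-01T10:00:30|4624|10|203.0.113.5|administrator
2016-04-01T10:01:00|4625|10|198.51.100.7|alice
2016-04-01T10:20:00|4625|10|198.51.100.7|alice
2016-04-01T10:02:00|4624|10|192.0.2.10|bob
2016-04-01T10:02:30|4625|2|192.0.2.10|bob
"""

RDP_LOGON_TYPE = 10
FAILED_LOGON = 4625
SUCCESSFUL_LOGON = 4624


def parse_log(text):
    """Parse the simplified log into dicts, sorted by timestamp so windows are monotonic."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, event_id, logon_type, ip, account = line.split("|")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "ip": ip,
            "account": account,
        })
    events.sort(key=lambda e: e["ts"])
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Sliding-window count of failed RDP logons per source IP.

    Returns {ip: {"failures": peak count inside one window,
                  "accounts": distinct account names tried,
                  "success_after_burst": True if a 4624 RDP logon from that IP
                                         arrived after the burst was detected}}
    for every source that reached `threshold` failures within `window`.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    accounts = defaultdict(set)   # ip -> account names attempted
    alerts = {}
    for e in events:
        if e["logon_type"] != RDP_LOGON_TYPE:
            continue  # console/network logons are out of scope for this detector
        ip = e["ip"]
        if e["event_id"] == FAILED_LOGON:
            q = recent[ip]
            q.append(e["ts"])
            accounts[ip].add(e["account"])
            while q and e["ts"] - q[0] > window:
                q.popleft()  # drop failures that aged out of the window
            if len(q) >= threshold:
                alert = alerts.setdefault(
                    ip, {"failures": 0, "accounts": set(), "success_after_burst": False})
                alert["failures"] = max(alert["failures"], len(q))
                alert["accounts"] = set(accounts[ip])
        elif e["event_id"] == SUCCESSFUL_LOGON and ip in alerts:
            # A successful RDP logon from a source that just burst failures is the
            # point at which an interactive intrusion (and ransomware deployment) can begin.
            alerts[ip]["success_after_burst"] = True
    return alerts


if __name__ == "__main__":
    for ip, info in detect_rdp_bruteforce(parse_log(SAMPLE_LOG)).items():
        severity = "CRITICAL" if info["success_after_burst"] else "WARNING"
        print(f"{severity}: {ip} {info['failures']} failed RDP logons, "
              f"{len(info['accounts'])} accounts tried, success after burst: {info['success_after_burst']}")
```

In the constructed sample, 203.0.113.5 crosses the threshold within seconds, tries four account names and then logs on successfully, so it is escalated; 198.51.100.7 produces two failures nineteen minutes apart and never trips the window, and 192.0.2.10's failure is a console logon (type 2), which the detector ignores. On a real host the same logic applies to 4625/4624 records pulled from the Security log, with the threshold and window tuned to the environment's normal RDP usage.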