# Diagnosing the Ransomware Deployment Protocol (RDP)

By [Kane Lightowler](https://www.paloaltonetworks.com/blog/author/kane-lightowler/?ts=markdown "Posts by Kane Lightowler"), Jul 08, 2021. 6 minutes. Categories: [Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/?ts=markdown), [Points of View](https://www.paloaltonetworks.com/blog/category/points-of-view/?ts=markdown). Tags: [Cortex Xpanse](https://www.paloaltonetworks.com/blog/tag/cortex-xpanse/?ts=markdown), [ransomware](https://www.paloaltonetworks.com/blog/tag/ransomware/?ts=markdown), [ransomware deployment protocol](https://www.paloaltonetworks.com/blog/tag/ransomware-deployment-protocol/?ts=markdown).

Remote Desktop Protocol (RDP) is the most popular initial ransomware attack vector and has been for years. For the [2020 Unit 42 Incident Response and Data Breach Report](https://www.paloaltonetworks.com/resources/research/2020-unit42-incident-response-and-data-breach-report), Unit 42 studied data from over 1,000 incidents and found that in 50% of ransomware deployment cases, RDP was the initial attack vector. In the [2021 Cortex Xpanse Attack Surface Threat Report](https://start.paloaltonetworks.com/asm-report), Cortex Xpanse researchers found that RDP accounted for 30% of total exposures, more than double the next most common exposure.

RDP is a protocol on Microsoft Windows systems designed to let users connect to and control a remote system. The most common legitimate use is to allow IT support to remotely control a user's system to fix an issue. More recently, RDP has become popular in cloud computing for accessing virtual machines (VMs) in cloud environments or for remotely managing cloud assets.

It is extremely easy to expose RDP unintentionally: on a forgotten system, on a cloud instance, on a device that was previously protected by network segmentation, or by connecting a system directly to the internet. What's worse is that RDP has become more widespread, more exposed and a more prevalent risk that can lead to attacks -- specifically ransomware deployment -- loss of data, expensive downtime and remediation efforts, as well as brand damage for organizations.

## More Exposures Mean More Targets

The COVID-19 pandemic first led to a surge in working from home, meaning laptops moved from the safe space of an office network with a firewall to home networks where security was never considered. IT wasn't ready for this shift, so new laptops had to be purchased and sent out very quickly to remote workers. This speed meant mistakes and more RDP exposures.
The shift to remote work also exacerbated the risks associated with ephemeral dynamic DNS. Computers on office networks with assigned IP addresses are easy to inventory and track. In individual homes, computers have IP addresses that can change day-to-day as internet service providers (ISPs) dynamically assign addresses. And those remote assets can move from home to a coffee shop or a friend's house and back, each time getting a new IP address. This has long been a risk, but right now there are more remote workers than ever before.

The [Unit 42 Cloud Threat Report, 1H 2021](https://www.paloaltonetworks.com/prisma/unit42-cloud-threat-research-1h21) found that from Q1 2020 (pre-COVID-19) to Q2 2020 (post-COVID-19) RDP exposures increased by 59% across all cloud providers. It is easier than ever to spin up new cloud instances, and the likelihood of mistakes being made only rises.

So, RDP is everywhere; RDP is a major target for threat actors; and RDP is often the initial attack vector in ransomware attacks. Unfortunately, there's a bit more bad news. According to the Cortex Xpanse report, RDP accounted for 32% of overall security issues found in scans of 50 million IP addresses associated with 50 global enterprises in the first three months of 2021.

## Why RDP is Dangerous

RDP is a favorite target of threat actors because once an attacker is in, they have full access (up to the level of the compromised user account) to the system. If an admin account is attacked, that's a disaster. But even if a more restricted user account is compromised, the attacker just needs to find another vulnerability on that system to elevate privileges and gain more access.

For malicious actors, finding exposed RDP requires a simple nmap script that scans the internet for an open port 3389 --- the default RDP port. Today, attackers are constantly scanning for port 3389, as shown in Figure X.
![Graph showing the frequency of open port scanning showing RDP port 3389 as one of the most scanned.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/07/word-image.jpeg)

Attackers scan for open RDP ports, often with ransomware deployment as the endgame. According to Cortex Xpanse research, attackers can scan the entire internet in just 45 minutes. So if RDP is exposed, it will be found, and there are multiple ways an attacker can get in:

* Use stolen credentials to log in.
* Brute force the login (if the implementation allows unlimited login attempts).
* Perform a man-in-the-middle attack, if it's an outdated version of RDP or one using flawed encryption.
* Exploit known vulnerabilities in older versions of RDP, such as [BlueKeep](https://expanse.co/blog/bluekeep-the-threat-is-real-and-heres-what-you-should-do/).

## Avoiding the Ransomware Lottery

Malicious actors aren't always looking for specific targets. More often than not, they're just looking for vulnerabilities and hoping an attack will result in a payout. Ransomware is an evil lottery system, and you play just by leaving the door open with exposures like RDP.

Step one for any organization is to limit RDP risk by scanning for vulnerabilities faster than your adversaries can, and to be sure to have full visibility and a full system of record for all of your internet-connected devices. This record needs to be constantly updated because new assets may pop up and known assets could have settings changed in risky ways. Vulnerability scanners can't find these exposures if they exist in outside IP space, so you need to be scanning from the outside-in. Leading companies use [mean time to inventory](https://www.paloaltonetworks.com/blog/2021/05/rsac-attack-surface-management/) (MTTI) to measure how quickly they can scan for full inventory and assess potential exposures.

The number one way to ensure you don't have unnecessary RDP exposures is to simply disable RDP on all systems where it isn't necessary.
For systems where RDP is needed, follow these security measures:

* Place RDP behind a virtual private network (VPN).
* Enable multi-factor authentication (MFA). The best way to mitigate the risk of stolen credentials is to ensure MFA is enabled on all user accounts.
* Limit login attempts. Similarly, to mitigate the risk of brute force attacks, limit failed login attempts rather than allowing unlimited attempts.
* Set time limits on disconnected sessions and automatically end sessions that hit that limit.
* Consider an allow-list, so that only approved IP addresses can connect to RDP servers.
* Deploy an internet-scale Attack Surface Monitoring solution, such as [Cortex Xpanse](https://www.paloaltonetworks.com/cortex/cortex-xpanse), to monitor for unintended exposures of RDP or other remote access services.

## Make RDP a Priority

By now, it should be clear why RDP = Ransomware Deployment Protocol. RDP configuration should be a high priority item in all IT hygiene plans. It is a protocol that has dangerous default settings, and it is far too easy for a user to enable or use in risky ways. If not properly configured, RDP will be used as an attack vector if and when your organization is targeted by ransomware operators.

This is not a theoretical risk. It is a simple fact of IT. **Unsecured RDP will be used against you at some point.** Whether or not you intend to expose RDP publicly, these exposures happen internet-wide and not just on your known IP space. This means defenders must monitor at internet-scale for any unintended or misconfigured implementations, because you can be sure the attackers are monitoring, too.

To learn more about risks to your attack surface, download the [2021 Cortex Xpanse Attack Surface Threat Report](https://start.paloaltonetworks.com/asm-report).
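Two of the measures above, limiting failed login attempts and allow-listing source addresses, are also things a defender can verify from the Windows Security log. The following script is an added example, not code from the post or from Palo Alto Networks: it reads constructed Security-log records (event ID 4625 is a failed logon, 4624 a successful one, and logon type 10, RemoteInteractive, is how RDP sessions are recorded on Windows), flags a source that exceeds a failure threshold inside a sliding window, flags a successful RDP logon from a source that just produced such a burst, and lists successful RDP logons from addresses outside an allow-list. The record format, the threshold, the window, the IP addresses (documentation ranges) and the allow-list are assumptions made for the example.

```python
"""Detect RDP brute-force activity and allow-list violations in Windows
Security events.

Added example; event records, thresholds and the allow-list below are
constructed for illustration. Event IDs 4625/4624 and logon type 10
(RemoteInteractive) are the standard Windows values for failed logon,
successful logon and RDP session logon respectively.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

FAILED_LOGON = 4625
SUCCESSFUL_LOGON = 4624
RDP_LOGON_TYPE = 10  # RemoteInteractive

# Constructed sample records ("key=value" fields separated by "|"), in the
# order they were written to the log. 203.0.113.45 guesses passwords over
# RDP and eventually succeeds; 198.51.100.7 makes two failed attempts far
# apart; 10.0.0.12 is a legitimate admin workstation.
SAMPLE_EVENTS = [
    "EventID=4625|TimeCreated=2021-07-08T09:00:01|TargetUserName=administrator|LogonType=10|IpAddress=203.0.113.45",
    "EventID=4625|TimeCreated=2021-07-08T09:00:02|TargetUserName=administrator|LogonType=10|IpAddress=203.0.113.45",
    "EventID=4625|TimeCreated=2021-07-08T09:00:04|TargetUserName=admin|LogonType=10|IpAddress=203.0.113.45",
    "EventID=4625|TimeCreated=2021-07-08T09:00:05|TargetUserName=administrator|LogonType=3|IpAddress=203.0.113.45",
    "EventID=4625|TimeCreated=2021-07-08T09:00:07|TargetUserName=administrator|LogonType=10|IpAddress=203.0.113.45",
    "EventID=4625|TimeCreated=2021-07-08T09:00:09|TargetUserName=administrator|LogonType=10|IpAddress=203.0.113.45",
    "EventID=4625|TimeCreated=2021-07-08T09:00:11|TargetUserName=administrator|LogonType=10|IpAddress=203.0.113.45",
    "EventID=4624|TimeCreated=2021-07-08T09:00:14|TargetUserName=administrator|LogonType=10|IpAddress=203.0.113.45",
    "EventID=4625|TimeCreated=2021-07-08T09:10:00|TargetUserName=jsmith|LogonType=10|IpAddress=198.51.100.7",
    "EventID=4625|TimeCreated=2021-07-08T09:30:00|TargetUserName=jsmith|LogonType=10|IpAddress=198.51.100.7",
    "EventID=4624|TimeCreated=2021-07-08T09:31:00|TargetUserName=jsmith|LogonType=10|IpAddress=10.0.0.12",
]

# Assumed allow-list: only the corporate management network may open RDP sessions.
ALLOWED_SOURCES = ["10.0.0.0/8"]


def parse_event(line):
    """Turn one 'key=value|key=value' record into a typed dict."""
    fields = dict(part.split("=", 1) for part in line.split("|"))
    return {
        "id": int(fields["EventID"]),
        "time": datetime.fromisoformat(fields["TimeCreated"]),
        "user": fields["TargetUserName"],
        "logon_type": int(fields["LogonType"]),
        "src": fields["IpAddress"],
    }


def load_events(lines):
    """Parse all records and return them sorted by timestamp."""
    return sorted((parse_event(l) for l in lines), key=lambda e: e["time"])


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Flag sources with >= threshold RDP failures inside a sliding window,
    and any RDP success from a source already flagged (a guessed password).

    Returns a list of ("bruteforce", src, failure_count) and
    ("success_after_bruteforce", src, user) tuples in detection order.
    Only logon type 10 events are considered; SMB/network logons (type 3)
    belong to a different detection and are ignored here.
    """
    recent = defaultdict(deque)  # src -> timestamps of recent failures
    flagged = set()
    findings = []
    for ev in events:
        if ev["logon_type"] != RDP_LOGON_TYPE:
            continue
        fails = recent[ev["src"]]
        while fails and ev["time"] - fails[0] > window:  # expire old failures
            fails.popleft()
        if ev["id"] == FAILED_LOGON:
            fails.append(ev["time"])
            if len(fails) >= threshold and ev["src"] not in flagged:
                flagged.add(ev["src"])
                findings.append(("bruteforce", ev["src"], len(fails)))
        elif ev["id"] == SUCCESSFUL_LOGON and ev["src"] in flagged:
            findings.append(("success_after_bruteforce", ev["src"], ev["user"]))
    return findings


def allowlist_violations(events, allowed=ALLOWED_SOURCES):
    """Return (src, user) for every successful RDP logon whose source address
    is outside the allow-listed networks."""
    nets = [ip_network(n) for n in allowed]
    return [
        (ev["src"], ev["user"])
        for ev in events
        if ev["id"] == SUCCESSFUL_LOGON
        and ev["logon_type"] == RDP_LOGON_TYPE
        and not any(ip_address(ev["src"]) in net for net in nets)
    ]


if __name__ == "__main__":
    evs = load_events(SAMPLE_EVENTS)
    for finding in detect_bruteforce(evs):
        print("ALERT", *finding)
    for src, user in allowlist_violations(evs):
        print("ALLOWLIST VIOLATION", src, user)
```

On a real host the same records come from the Security channel (for example via `Get-WinEvent` filtering on event IDs 4624 and 4625); the allow-list check complements, rather than replaces, the firewall scoping the post recommends, since it tells you when a session was opened from somewhere the allow-list should have blocked.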