How attackers exploit exposed RDP services — the single largest ransomware initial-access vector.
Remote Desktop (RDP) is the single largest ransomware initial-access vector of the past decade. Verizon DBIR, Mandiant M-Trends, CISA advisories, and cyber-insurance claims data all identify exposed RDP as the dominant entry point for ransomware affiliates — not exotic zero-days, not sophisticated nation-state campaigns, just internet-exposed RDP endpoints with weak or breached credentials. If you are reading this because ransomware hit your organisation: there is a high probability RDP was involved.
The threat model is well-characterised. Attackers scan the entire IPv4 space for port 3389 (the default RDP port) continuously; exposed services are found within minutes of going online. Credential stuffing against found endpoints runs 24/7 using credentials from breach databases. Once a valid credential is found, the attacker has interactive desktop access — equivalent to being physically at the keyboard, with whatever privileges that account carries. From that foothold, lateral movement to domain controllers and eventual ransomware deployment follows in days to weeks.
This page is written for the professional defender audience — IT and security teams who manage RDP or who are cleaning up after an RDP-related incident. The advice is stark because the threat is stark: RDP exposed to the internet without aggressive defensive controls is not a security posture, it is a scheduled compromise. Organisations that treat this seriously migrate to VPN-gated access or zero-trust alternatives; organisations that do not treat it seriously end up on incident-response timelines.
Conceptual attack categories, not exploitation procedures. Understanding these patterns is what lets you recognise and defend against them.
Automated campaigns scan for port 3389 constantly. Found endpoints receive credential-stuffing attacks using breach-database credentials. No human attention needed per target until credentials succeed; then human operators take over for reconnaissance and lateral movement.
RDP has traditionally lacked aggressive rate-limiting. Slow-and-low brute force against common account names (administrator, admin, backup, sql) with dictionary passwords still succeeds against many unprotected endpoints. Account Lockout policies and Network Level Authentication mitigate but do not eliminate.
CVE-2019-0708 (BlueKeep) and subsequent RDP vulnerabilities allowed pre-authentication code execution on unpatched systems. Wormable-class issues that required emergency patching cycles. Similar vulnerabilities recur periodically; patching cadence matters significantly for any RDP-exposed system.
Entire cybercrime economy exists around "initial access brokers" — specialist operators who compromise RDP endpoints and sell access to ransomware affiliates. Compromised RDP to a mid-sized company sells for low-thousands of dollars; the buyer then deploys ransomware or exfiltrates data. This industrialisation means your endpoint does not need to be specifically targeted; generic successful compromise gets sold in a market.
Once attackers have interactive RDP access with any valid credential, they run standard privilege-escalation playbooks — kerberoasting, LSASS dumping, credential harvesting, BloodHound reconnaissance, eventual domain-admin compromise. The RDP foothold is the ignition point; the full incident unfolds from Windows-internal attack chains.
Even when external RDP is not exposed, internal RDP between endpoints is frequently over-permitted. Attackers who gain initial access via other means use internal RDP to move laterally through the network. Host-based firewall restrictions and network segmentation between endpoint subnets matter even for environments without external RDP exposure.
Signs that your remote desktop / rdp may have been compromised:
Event ID 4624 with LogonType 10 (RemoteInteractive) from source IPs outside your expected range. SIEM correlation or manual review of authentication logs surfaces these. Concentrate on accounts not typically used interactively (service accounts especially).
Event ID 4625 patterns indicating credential stuffing in progress. Even if no successful logon occurs yet, the activity indicates active attack attempts against your endpoint.
`quser` or Task Manager showing user sessions you do not recognise. Immediate incident-response situation; disconnect the endpoint from the network while investigating.
Post-compromise, attackers commonly install persistence (scheduled tasks, services, registry run keys) and run reconnaissance tools (BloodHound, AdFind, Sharphound, PowerSploit). SIEM or endpoint detection alerts on these; also visible in running processes and scheduled task list.
C2 channels, data exfiltration, lateral movement initiation all produce outbound traffic. Network monitoring or endpoint firewall logs show this. Concentrate on connections to unfamiliar destinations during non-business hours.
Shodan, Censys, GreyNoise, or threat-intel feeds showing your IPs in scan lists or indicator feeds. Subscription to Shodan Monitor for your own IP ranges is a cheap early-warning system.
Concrete actions ranked by impact. Items marked critical are the highest-leverage protections; do those first.
The single most important control. If RDP needs to be accessible externally, route through VPN (WireGuard, OpenVPN, commercial VPN appliance — with its own security considerations — see the Corporate VPNs defender guide), through a bastion host / jump server with hardened authentication, or via zero-trust network access (Cloudflare Access, Zscaler Private Access, Tailscale, Google BeyondCorp-style model). No justification survives scrutiny for directly-exposed RDP in 2026.
NLA requires authentication before RDP session establishment — blocks pre-authentication exploits. Combined with complex unique passwords, Account Lockout policies, and ideally smart-card or certificate-based authentication for privileged users. Default-allow credentials-as-only-factor is inadequate; add factors.
Windows Update for the RDP components should be on the shortest patching SLA in your environment. Pre-authentication RDP vulnerabilities (BlueKeep-class) warrant emergency patching outside normal cadence. Unpatched RDP becomes a ticking clock after each Patch Tuesday.
Group Policy / local policy: lockout after 5-10 failed attempts, 15-30 minute lockout duration, reset counter after 15-30 minutes. Does not stop determined attackers but raises cost of naive credential stuffing substantially.
Even internal RDP: firewall rules restricting which source subnets can RDP to which destination subnets. Limits blast radius if any endpoint is compromised — attackers cannot trivially pivot across the environment.
Service accounts should not be able to RDP at all. Group Policy: "Deny log on through Remote Desktop Services" for all service accounts. Eliminates a common post-compromise lateral-movement path.
For administrators and high-privilege users, session recording (via jump-server integration, commercial PAM tools like CyberArk, or native Windows Event Forwarding) creates audit trail. Deterrent effect plus forensic value.
Microsoft Defender for Endpoint, CrowdStrike Falcon, SentinelOne, or equivalent. Post-authentication attacker activity (credential dumping, BloodHound, lateral movement) is what EDR detects best. Without EDR, dwell time from initial compromise to ransomware deployment can extend for weeks without any detection.
Shodan Monitor (free tier available) alerts when new services appear on your IPs. Catches accidentally-exposed RDP before attackers do. Takes 10 minutes to set up; provides ongoing early warning.
The long-term direction for remote access is not hardened perimeter RDP — it is identity-aware, per-application access via Zero Trust frameworks. Cloudflare Access, Zscaler Private Access, Tailscale, Twingate. Multi-year migration for many organisations but strategic direction worth committing to. Reduces attack surface substantially; RDP becomes one of many protected internal services rather than a perimeter exposure.