Sophos’s recent Active Adversary analysis for 1H 2024 highlights the increasing trend of ransomware attacks exploiting the Windows remote desktop protocol (RDP).


The analysis found that RDP abuse featured in 90% of ransomware attacks, the highest level since 2020 [2] [5] [7] [8]. External remote services [1] [2] [5] [6] [7] [8], RDP among them [1] [2] [5] [7], were the most common initial access point for attackers [2] [5] [8], leading to network compromise and ransomware deployment [3]. Compromised credentials have overtaken exploited vulnerabilities as the most frequent root cause of attacks [1] [2] [5] [7] [8], with stolen credentials involved in over 50% of incidents. Missing multifactor authentication (MFA) and unpatched servers are the key weaknesses attackers exploit [3], and attackers often use highly privileged accounts to amplify the damage they can do [6].

The report drew on data from over 150 incident response investigations [4]; 88% of cases came from organizations with fewer than 1,000 employees [4], and manufacturing was the top sector engaging Sophos for the fourth year in a row [4]. Ransomware was the most prevalent attack type [4], accounting for 70% of investigations [4], while network breaches were linked to unsuccessful ransomware attacks [4].

Sophos tracked ransomware deployment outside traditional business hours and identified LockBit as the most prolific ransomware group in 2023 [4]. Akira emerged in March 2023 and took second place in attacks last year [4]. The Alphv/BlackCat ransomware gang was temporarily disrupted by law enforcement [4] but remains active [4].
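The patterns the report describes (RDP as the entry point, stolen credentials, and activity outside business hours) map directly onto Windows Security log events that a defender can triage. The script below is an added example written for this page, not code from Sophos or the report: it scores constructed Windows logon records for interactive RDP logons (Event ID 4624, logon type 10) from addresses outside the organization's own ranges, RDP logons outside working hours, and bursts of failed RDP logons (Event ID 4625) from one source. The internal address ranges, the working-day window, the failure threshold and the record format are assumptions to adapt to your own environment.

```python
"""Triage constructed Windows Security logon records for risky RDP activity.

Added example (not from the Sophos report). Event IDs 4624/4625 and logon
type 10 (RemoteInteractive) are real Windows values; everything else below
(network ranges, working hours, threshold, record format) is an assumption.
"""
from __future__ import annotations

from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Assumed: the organisation's own address ranges and working day.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]
WORK_START, WORK_END = time(8, 0), time(18, 0)
FAILED_LOGON_THRESHOLD = 5  # assumed: failed RDP logons per source before flagging

# Real Windows Security log values.
EVENT_LOGON_OK = 4624
EVENT_LOGON_FAIL = 4625
LOGON_TYPE_RDP = 10  # RemoteInteractive (Remote Desktop)


@dataclass
class LogonEvent:
    timestamp: datetime
    event_id: int
    logon_type: int
    account: str
    source_ip: str


def parse_line(line: str) -> LogonEvent:
    """Parse one constructed, whitespace-separated record:
    '<iso-timestamp> <event-id> <logon-type> <account> <source-ip>'."""
    ts, eid, ltype, account, ip = line.split()
    return LogonEvent(datetime.fromisoformat(ts), int(eid), int(ltype), account, ip)


def is_external(ip: str) -> bool:
    """True when the source address is outside every assumed internal range."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def is_off_hours(ts: datetime) -> bool:
    """True on weekends or outside the assumed working-day window."""
    return ts.weekday() >= 5 or not (WORK_START <= ts.time() < WORK_END)


def triage(lines: list[str]) -> dict[str, list[str]]:
    """Return {finding: [detail, ...]} for the RDP patterns the report highlights."""
    findings: dict[str, list[str]] = defaultdict(list)
    failed_by_source: Counter[str] = Counter()
    for line in lines:
        ev = parse_line(line)
        if ev.logon_type != LOGON_TYPE_RDP:
            continue  # only Remote Desktop logons matter here
        if ev.event_id == EVENT_LOGON_FAIL:
            failed_by_source[ev.source_ip] += 1
            continue
        if ev.event_id != EVENT_LOGON_OK:
            continue
        detail = f"{ev.account} from {ev.source_ip} at {ev.timestamp.isoformat()}"
        if is_external(ev.source_ip):
            findings["rdp_from_external"].append(detail)
        if is_off_hours(ev.timestamp):
            findings["rdp_off_hours"].append(detail)
    for src, count in failed_by_source.items():
        if count >= FAILED_LOGON_THRESHOLD:
            findings["rdp_password_guessing"].append(f"{src}: {count} failed logons")
    return dict(findings)


# Constructed sample records (2024-03-04 is a Monday, 2024-03-09 a Saturday).
SAMPLE_LOG = [
    "2024-03-04T10:15:00 4624 10 CORP\\alice 10.1.2.3",         # internal, in hours: clean
    "2024-03-04T02:40:00 4624 10 CORP\\svc_backup 203.0.113.9", # external and off hours
    "2024-03-09T11:00:00 4624 10 CORP\\bob 192.168.5.20",       # internal but weekend
    "2024-03-04T12:00:00 4624 3 CORP\\alice 203.0.113.9",       # network logon, not RDP
    "2024-03-04T09:00:00 4625 10 CORP\\admin 198.51.100.7",
    "2024-03-04T09:00:05 4625 10 CORP\\admin 198.51.100.7",
    "2024-03-04T09:00:10 4625 10 CORP\\administrator 198.51.100.7",
    "2024-03-04T09:00:15 4625 10 CORP\\backup 198.51.100.7",
    "2024-03-04T09:00:20 4625 10 CORP\\it 198.51.100.7",
]

if __name__ == "__main__":
    for finding, details in triage(SAMPLE_LOG).items():
        print(finding)
        for d in details:
            print("   ", d)
```

Run as-is it reports one external RDP logon, two off-hours RDP logons and one source with five failed RDP logons. Each finding corresponds to a control the report identifies as missing in compromised environments: the external-logon and password-guessing findings are what MFA on remote access and restricting RDP exposure are meant to prevent, and the off-hours finding matches the report's observation that ransomware is often deployed outside business hours.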


Organizations need to manage these risks actively and put security controls in place, particularly against ransomware attacks that exploit RDP; the report's own findings point to enforcing MFA on remote access and patching exposed servers as the first priorities. Acting now is needed to defend against these threats and limit their impact on businesses and individuals.