The DXXD ransomware apparently attacks Windows servers directly. Like other ransomware, DXXD encrypts files and appends the extension .dxxd to the encrypted file.
Until now, an attack on Windows Server usually started from an infected client, which then encrypted files on network drives. In the Bleeping Computer forum, however, it is suspected that brute-force attacks are being carried out against the RDP service in order to infect the servers directly.
Whether RDP is actually the vector is still unclear at present. However, I would like to take this opportunity to point out that RDP must not be directly accessible from the Internet. Unfortunately, I know some people who use a simple port forward to access servers quickly.
It would be much better to configure a VPN; even the cheapest router supports this, and it is still better than exposing RDP directly to the Internet. And no: changing the port from 3389 to something else makes no difference.
A policy that locks accounts after a certain number of incorrect passwords is also not a good idea. In the worst case, a brute-force attack could end up locking a large number of accounts.
Much better: VPN with two-factor authentication. That is at least my opinion on the subject. RDP is a convenient way to manage servers within your own network, but it is not suitable for remote maintenance from the Internet. After all, nobody would think of making their management interfaces (vSphere, iLO, DRAC etc.) directly reachable from the Internet. Or would they? Does anyone feel addressed? If so, finding such interfaces on the Internet is about as easy as finding this website; just enter "iLO" or "vSphere" as a search term here: https://www.shodan.io
Anyway, I digress. So don't make RDP accessible on the Internet. Period. Even in the internal network, RDP should not be reachable by everyone but should be restricted accordingly. This can be done quickly with the Windows Firewall by searching for the appropriate rule:
And on the "Scope" tab, specify a subnet, range or IP addresses that are allowed to use RDP:
Also important: Please do not remove the small tick here:
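The same scope restriction can be applied without clicking through the firewall GUI. The following PowerShell is an added example and not part of the original post: it narrows the built-in inbound Remote Desktop rules to a management subnet and a single jump host, then reads the resulting scope back so you can confirm that "Any" is gone. The addresses in `$allowedSources` are constructed placeholders; the rule group name "Remote Desktop" is the display group Windows ships for its RDP rules.

```powershell
# Added example (not from the original post): restrict the built-in Remote Desktop
# firewall rules to an admin network instead of leaving the remote scope at "Any".
# The addresses below are constructed placeholders; use your own management subnet
# and jump host here.
$allowedSources = @('10.10.0.0/24', '192.168.100.5')

# The inbound RDP rules ship in the display group "Remote Desktop"
# (e.g. "Remote Desktop - User Mode (TCP-In)" and "... (UDP-In)").
$rdpRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound

# Limit the remote address scope of every rule in the group. This is the
# PowerShell equivalent of filling in the "Scope" tab by hand.
$rdpRules | Set-NetFirewallRule -RemoteAddress $allowedSources

# Verify: list each rule with its remote scope. If a rule still shows "Any",
# the restriction did not take effect for it.
foreach ($rule in $rdpRules) {
    $filter = $rule | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule          = $rule.DisplayName
        Enabled       = $rule.Enabled
        RemoteAddress = ($filter.RemoteAddress -join ', ')
    }
}
```

Run this in an elevated PowerShell session on the server itself; if the rules are managed by Group Policy, apply the same scope in the GPO instead, because the local change would be overwritten at the next policy refresh.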
And the following always applies to the Windows Firewall:
Always!