Remote Desktop Protocol attacks surged by 241% in 2020
Due to remote-work, employees started using Microsoft’s client software called remote desktop protocol (RDP), which is used to access corporate resources remotely.
Cybercriminals immediately saw this as an opportunity to hack into the company’s systems. Since the work-from-home shift happened almost overnight, it exposed many improperly configured and, in turn, unsafeservers.
According to data presented by the Atlas VPN research team, RDP attacks rocketed by 241% in 2020. In 2019, RDP attacks stood at 969 million, but in the year 2020, threat actors carried out a staggering 3.3 billion attacks. Our reports have also highlighted how RDP attacks surged.
This data is provided by, one of the biggest antivirus companies globally that protects more than 400 million users and 250,000 corporate clients.
Data reveals that RDP attacks have been steadily increasing since the start of 2019, but the pandemic accelerated the growth dramatically, which led to 3.3 billion cyber attacks from January to November 2020.
A deeper dive into the data reveals that in 2019, hackers carried out an average of 88,180,802 attacks per month. However, in 2020, the average number of RDP attacks per month soared to 302,020,526.
Moreover, in 2019, threat actors executed most attacks in September, at 160,234,416. Yet, in November 2020, hackers pulled off 409,155,016 RDP cyber attacks, representing a 155% increase when comparing the maximum number of attacks per month in 2019 and 2020.
Analysis of the RDP attack landscape
Most of the RDP cyber attacks are brute-force attacks. Cybercriminals attempt to find the correct credential combination that will allow the attacker to access the company's target computer.
Worth noting that they are not using random username and password combinations. Hackers have millions of username and password combinations that were leaked from other businesses.
As a matter of fact, Atlas VPN recentlythat there were 37 billion data records leaked in 2020, a growth of 140% year-over-year. Meaning, there is no shortage of credentials that hackers can try.
After stumbling upon the correct combination, a threat actor can move laterally within the organization’s infrastructure until they find what they are looking for, be it financial data, contact information, user data, or any other sensitive information.
Hackers usually have one of two goals in mind when they are carrying out these attacks.
First - they want to steal the data to sell it to an already existing buyer that ordered the attack or they will put it up for sale on the dark web. The targeted information might be an intellectual property that gives an organization it’s competitive edge in the industry or its customers' data.
Second - after stealing the data, they will contact the company demanding a ransom payment. If the enterprise agrees to pay, then hackers will hand over the data back to the company and promise to hide the fact that the company was compromised, allowing the enterprise to preserve it’s reputation.
By putting all of this into place, we can see the full journey a hacker has to go through to reach his goal - which is usually financial profit. Let’s go over it step-by-step to get a clearer picture.
To start, hackers purchase millions of leaked credentials from their cybercriminal colleagues. Then, they use those username and password combinations to hack into the company’s computer that uses the remote desktop protocol (RDP). Now, they have access to sensitive information that they can use to turn into profit.
Many might know the dangers of data leaks and remote desktop attacks, but here, we wanted to explain how all of this falls into place to benefit the criminal.