
Exposed RDP and SSH: The Open Doors Ransomware Gangs Are Looking For

15 February 2026 | 11 min read | By Affinity MSP

The Front Door You Forgot to Lock

Remote Desktop Protocol (RDP) and Secure Shell (SSH) are essential tools for IT administration. They allow administrators and staff to connect to servers and workstations remotely. During and after the pandemic, their use expanded dramatically as businesses adopted remote work.

The problem is that many of these services were set up quickly, with minimal security, and they were never locked down afterward. They remain directly accessible from the internet, visible to anyone who scans for them -- including ransomware operators.

Our scanning platform consistently finds that approximately 18% of Australian businesses have RDP (port 3389) or SSH (port 22) services exposed directly to the public internet. For ransomware gangs, finding these services is like finding an unlocked front door with a "welcome" mat.

---

Why Exposed Remote Services Are So Dangerous

Ransomware's Preferred Entry Point

According to multiple threat intelligence reports, exposed RDP is consistently one of the top two initial access vectors for ransomware globally, trading first place with phishing from year to year. The attack chain is straightforward:

  1. Scan the internet for open port 3389 (RDP) or port 22 (SSH)
  2. Attempt login using brute force, credential stuffing (from data breaches), or known default credentials
  3. Gain access to a server or workstation inside the business network
  4. Move laterally through the network, escalating privileges
  5. Deploy ransomware across as many systems as possible
  6. Demand payment with the threat of data publication

The entire process from initial access to ransomware deployment can take as little as 4-6 hours for experienced operators, although days or weeks of quiet reconnaissance before deployment are also common. Some groups have automated the process to the point where human intervention is only needed for the final ransom negotiation.

Brute Force at Scale

Exposed RDP and SSH services receive automated brute force attacks constantly. Security researchers consistently observe:

  • Thousands of login attempts per day on exposed RDP services
  • Automated credential stuffing using usernames and passwords from data breaches
  • Targeted attacks using business-specific information (employee names, common username formats)

Without account lockout policies or rate limiting, attackers have unlimited attempts to guess credentials. And with cloud computing resources readily available, they can try hundreds of thousands of combinations per hour. Lockout alone does not end the problem either: password spraying (one or two common passwords tried slowly across many accounts) stays under most lockout thresholds, which is why strong unique passwords and MFA are still needed.
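Both patterns are easy to pick out of logs once you know what to look for. The script below is an added example, not code from the article or from Affinity MSP's platform: it reads constructed sshd auth-log lines and labels each source address as brute force (a fast burst against one or two accounts), password spray (a few tries each across many accounts) or benign. The 15-minute window and the thresholds are assumptions to tune against your own baseline.

```python
"""Classify SSH login failures from sshd auth-log lines as brute force,
password spray, or benign.

Added example, not code from the article or from Affinity MSP's platform.
The log lines are constructed to look like Debian/Ubuntu /var/log/auth.log
entries; the window and thresholds are illustrative assumptions.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# sshd writes "Failed password for [invalid user] <name> from <ip> port <n> ssh2"
# for every wrong password; "invalid user" means the account does not exist.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$"
)

# Constructed sample: a fast brute-force burst, a slow spray across several
# usernames, and one legitimate user who mistyped once.
SAMPLE_LOG = """\
Feb 15 02:11:01 web01 sshd[2210]: Failed password for root from 203.0.113.7 port 51022 ssh2
Feb 15 02:11:03 web01 sshd[2212]: Failed password for root from 203.0.113.7 port 51030 ssh2
Feb 15 02:11:04 web01 sshd[2214]: Failed password for invalid user admin from 203.0.113.7 port 51038 ssh2
Feb 15 02:11:06 web01 sshd[2216]: Failed password for invalid user oracle from 203.0.113.7 port 51044 ssh2
Feb 15 02:11:07 web01 sshd[2218]: Failed password for root from 203.0.113.7 port 51050 ssh2
Feb 15 02:11:10 web01 sshd[2222]: Accepted publickey for deploy from 198.51.100.22 port 40000 ssh2: ED25519 SHA256:c0ffee
Feb 15 02:30:45 web01 sshd[2301]: Failed password for invalid user alice from 198.51.100.9 port 43001 ssh2
Feb 15 02:41:02 web01 sshd[2333]: Failed password for invalid user bob from 198.51.100.9 port 43002 ssh2
Feb 15 02:52:19 web01 sshd[2360]: Failed password for invalid user carol from 198.51.100.9 port 43003 ssh2
Feb 15 03:03:33 web01 sshd[2391]: Failed password for invalid user dave from 198.51.100.9 port 43004 ssh2
Feb 15 09:15:00 web01 sshd[4100]: Failed password for deploy from 192.0.2.44 port 50211 ssh2
Feb 15 09:15:20 web01 sshd[4102]: Accepted password for deploy from 192.0.2.44 port 50212 ssh2
"""


def parse_failures(log_text, year=2026):
    """Return (timestamp, source_ip, username) for each failed-password line.
    Syslog timestamps carry no year, so the caller supplies it (assumed 2026)."""
    failures = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and other sshd noise are not failures
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        failures.append((ts, m["ip"], m["user"]))
    return failures


def max_in_window(times, window):
    """Largest number of events from one source inside any span of `window`."""
    times = sorted(times)
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def classify_sources(failures, window=timedelta(minutes=15),
                     brute_threshold=5, spray_users=3):
    """Label each source IP:
    brute-force    >= brute_threshold failures inside one window
    password-spray >= spray_users distinct accounts, at most two tries each
                   (the pattern that stays under per-account lockout)
    benign         anything else, e.g. a real user mistyping once"""
    by_ip = defaultdict(list)
    for ts, ip, user in failures:
        by_ip[ip].append((ts, user))
    verdicts = {}
    for ip, events in by_ip.items():
        burst = max_in_window([t for t, _ in events], window)
        per_user = Counter(u for _, u in events)
        if burst >= brute_threshold:
            verdicts[ip] = "brute-force"
        elif len(per_user) >= spray_users and max(per_user.values()) <= 2:
            verdicts[ip] = "password-spray"
        else:
            verdicts[ip] = "benign"
    return verdicts


def analyse(log_text=SAMPLE_LOG):
    return classify_sources(parse_failures(log_text))


if __name__ == "__main__":
    for ip, verdict in sorted(analyse().items()):
        print(f"{ip:<16} {verdict}")
```

The spray branch is the one most teams miss: per-source counts over a short window catch the burst from 203.0.113.7 but never fire on 198.51.100.9, which only reveals itself when you count distinct usernames per source over a longer period.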

Vulnerability Exploitation

Beyond brute force, RDP and SSH have had their share of critical vulnerabilities:

  • BlueKeep (CVE-2019-0708) -- A wormable RDP vulnerability that allowed remote code execution without authentication. Despite being patched in 2019, vulnerable systems are still found in the wild.
  • OpenSSH vulnerabilities -- Most recently regreSSHion (CVE-2024-6387), an unauthenticated remote code execution flaw in sshd on glibc-based Linux, alongside older authentication and privilege escalation flaws. Fixes are released promptly but are not always applied promptly.
  • Remote Desktop Gateway vulnerabilities -- Pre-authentication remote code execution flaws in Windows RD Gateway (CVE-2020-0609 and CVE-2020-0610) that let an attacker take over the gateway without any credentials.

If your exposed RDP or SSH service is running an unpatched version, an attacker may not even need credentials to gain access.

---

What Our Scan Reveals

When our scanning engine discovers open RDP or SSH services on your infrastructure, your security report includes:

  • Port and service identification -- Confirming which ports are open and what software version is running
  • Banner grabbing -- Extracting version information that indicates whether known vulnerabilities may be present
  • Risk classification -- RDP and SSH exposed directly to the internet are automatically flagged as high-risk findings
  • Associated IP and subdomain context -- Showing you exactly which server and subdomain the service is running on
  • CVE matching -- If the detected version has known vulnerabilities, they are listed with severity ratings. Because distributions often backport fixes without changing the version string, a banner match means "verify on the host", not "confirmed exploitable"

This information gives you the specific details you need to take action immediately.
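Banner grabbing and CVE matching look like this in practice. The script below is an added example, not the article's or Affinity MSP's scanner code: it parses constructed OpenSSH banners, compares the advertised version against a small table, and downgrades confidence for distro builds whose backported fixes the banner cannot show. The table's one entry is the real CVE-2024-6387 (regreSSHion); the host and port passed to grab_banner are placeholders.

```python
"""Parse an SSH server banner and match the advertised OpenSSH version
against a small vulnerability table, the way a banner-grabbing scanner does.

Added example, not code from the article or from Affinity MSP's scanner.
The banners are constructed. The table holds one real entry, CVE-2024-6387
("regreSSHion", affecting OpenSSH 8.5p1 up to but not including 9.8p1 on
glibc-based Linux); grab_banner's host and port are placeholders.
"""
import re
import socket

# e.g. "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.5" -> version 9.6, portable patch 1
BANNER_RE = re.compile(
    r"^SSH-(?P<proto>[\d.]+)-OpenSSH_(?P<major>\d+)\.(?P<minor>\d+)"
    r"(?:p(?P<patch>\d+))?(?P<comment>.*)$"
)

# (cve, first affected, first fixed, summary). The upper bound is exclusive.
VULN_TABLE = [
    ("CVE-2024-6387", (8, 5, 1), (9, 8, 1),
     "unauthenticated RCE via sshd signal-handler race on glibc Linux"),
]


def parse_banner(banner):
    """Return {'version': (major, minor, patch), 'distro_build': bool}, or
    None for servers that are not OpenSSH (e.g. dropbear) or send no banner."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    version = (int(m["major"]), int(m["minor"]), int(m["patch"] or 0))
    # A trailing vendor comment ("Ubuntu-...", "Debian-...", "FreeBSD-...")
    # means the distro may have backported fixes without bumping the version.
    distro_build = bool(m["comment"].strip())
    return {"version": version, "distro_build": distro_build}


def match_cves(parsed):
    """List (cve, confidence, summary) for every table entry whose range
    covers the advertised version. Distro builds get low confidence: the
    banner cannot show a backported fix, so verify the package version."""
    if parsed is None:
        return []
    hits = []
    for cve, first, fixed, summary in VULN_TABLE:
        if first <= parsed["version"] < fixed:
            confidence = "low (distro backports)" if parsed["distro_build"] else "high"
            hits.append((cve, confidence, summary))
    return hits


def grab_banner(host, port=22, timeout=3.0):
    """Read the server identification line. The server sends it first, so
    nothing needs to be written. Not called by the offline demo below."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return s.recv(256).decode("ascii", "replace").splitlines()[0]


def assess(banner):
    """Banner string -> list of (cve, confidence, summary) matches."""
    return match_cves(parse_banner(banner))


if __name__ == "__main__":
    for b in ("SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.5",
              "SSH-2.0-OpenSSH_9.7p1",
              "SSH-2.0-OpenSSH_9.9",
              "SSH-2.0-dropbear_2022.83"):
        print(b, "->", assess(b) or "no table matches")
```

The Ubuntu banner illustrates the caveat in the list above: the upstream version sits inside the affected range, but Ubuntu shipped the fix as a patched 9.6p1 package, so the only reliable answer comes from the package version on the host.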

---

Real-World Impact on Australian Businesses

The consequences of a ransomware attack through exposed remote services are severe:

Financial Cost

The average ransomware payment demanded from Australian SMBs ranges from $50,000 to $500,000. But the payment is only part of the cost. Recovery expenses typically include:

  • Incident response and forensic investigation
  • System rebuilding and data restoration
  • Legal counsel and breach notification compliance
  • Lost revenue during downtime (average 21 days)
  • Increased insurance premiums

The total cost of a ransomware incident for an SMB typically ranges from $100,000 to $2 million.

Operational Disruption

Ransomware does not just encrypt files. Modern ransomware operators:

  • Destroy backups before deploying the ransomware
  • Exfiltrate sensitive data for double extortion (threatening to publish it)
  • Compromise Active Directory, making recovery extremely complex
  • Target operational technology, affecting physical systems and processes

Businesses that thought they had adequate backups often discover those backups were compromised or insufficient for a full recovery.

Regulatory Consequences

Under Australian law, ransomware incidents that involve personal data may trigger mandatory breach notification requirements. The Office of the Australian Information Commissioner (OAIC) has made it clear that ransomware attacks resulting in data access constitute notifiable data breaches.

---

How to Secure Your Remote Access

Immediate Actions (Do Today)

1. Identify and close exposed services. Run a free security scan to identify any RDP or SSH services exposed to the internet. If they are not actively needed, close the ports at your firewall immediately.

2. If you need remote access, put it behind a VPN. Remote access services should never be directly accessible from the internet. All remote connections should go through a VPN that provides:

  • Strong authentication (certificate-based or MFA)
  • Encryption of all traffic
  • Logging of all connections
  • IP allow-listing where possible

3. Enable account lockout policies and rate limiting. If RDP or SSH must remain reachable (even through a VPN), configure account lockout after 5-10 failed attempts on Windows, and fail2ban or pam_faillock with a low MaxAuthTries for sshd. This makes brute force impractical, with two caveats: an attacker can deliberately lock real users out, and password spraying stays under the threshold, so lockout complements MFA and strong passwords rather than replacing them. On SSH, go further and disable password authentication in favour of keys; on RDP, require Network Level Authentication so credentials are checked before a session is created.

4. Enforce multi-factor authentication. MFA should be required for all remote access connections. Even if credentials are compromised, MFA stops the attacker from logging in with them alone. Prefer phishing-resistant methods (FIDO2 or certificates) or number matching over plain push approvals, which attackers defeat by sending prompts until someone taps "approve".
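For an SSH host, steps 2 to 4 come down to a handful of sshd_config settings. The audit below is an added example, not the article's own: it shows a typical weak configuration beside a hardened one and checks each for a public listener, password authentication, root login, a single-factor AuthenticationMethods and a high MaxAuthTries. The VPN-side address 10.8.0.1, the ssh-admins group and the PAM TOTP module behind keyboard-interactive are assumptions. sshd has no account lockout of its own, so pair this with pam_faillock or fail2ban; the Windows equivalents for RDP (account lockout policy and Network Level Authentication via Group Policy) are not shown here.

```python
"""Audit an sshd_config for the controls described above: no public
listener, no password authentication, root login off, a second factor
required, and a low guess budget per connection.

Added example, not the article's own. Both configurations are constructed;
the VPN-side address 10.8.0.1, the ssh-admins group and the PAM TOTP setup
implied by keyboard-interactive are assumptions.
"""

# The way many hosts are left after a hurried setup.
WEAK_CONFIG = """\
Port 22
ListenAddress 0.0.0.0
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 6
"""

# Corrected: reachable only on the VPN interface, keys plus a second factor.
HARDENED_CONFIG = """\
Port 22
ListenAddress 10.8.0.1
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
# key AND a PAM-driven second factor (e.g. TOTP) on every login
AuthenticationMethods publickey,keyboard-interactive
KbdInteractiveAuthentication yes
UsePAM yes
MaxAuthTries 3
LoginGraceTime 20
AllowGroups ssh-admins
"""

# sshd defaults for the audited options (what applies when a line is absent).
DEFAULTS = {
    "listenaddress": ["0.0.0.0"],
    "permitrootlogin": ["prohibit-password"],
    "passwordauthentication": ["yes"],
    "authenticationmethods": ["any"],
    "maxauthtries": ["6"],
}


def parse_sshd_config(text):
    """Map lowercase keyword -> list of values in file order.
    sshd honours the first occurrence of most keywords, so callers read [0].
    Parsing stops at the first Match block, whose settings are conditional."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = line.replace("=", " ").split(None, 1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        if key == "match":
            break
        opts.setdefault(key, []).append(parts[1].strip() if len(parts) > 1 else "")
    return opts


def audit(text):
    """Return one finding per weak setting; an empty list means all five
    controls are in place."""
    opts = parse_sshd_config(text)

    def first(key):
        return opts.get(key, DEFAULTS[key])[0]

    findings = []
    listeners = opts.get("listenaddress", DEFAULTS["listenaddress"])
    if any(a in ("0.0.0.0", "::", "[::]") for a in listeners):
        findings.append("ListenAddress binds every interface; bind the VPN or management address only")
    if first("permitrootlogin") == "yes":
        findings.append("PermitRootLogin yes: root is the first username every brute forcer tries")
    if first("passwordauthentication") == "yes":
        findings.append("PasswordAuthentication yes: guessable; use keys (PasswordAuthentication no)")
    if not any("," in m for m in first("authenticationmethods").split()):
        findings.append("AuthenticationMethods allows a single factor; use e.g. publickey,keyboard-interactive")
    if int(first("maxauthtries")) > 3:
        findings.append(f"MaxAuthTries {first('maxauthtries')}: lower to 3 to cut guesses per connection")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "->", audit(cfg) or "no findings")
```

Run it against /etc/ssh/sshd_config on a real host and the weak-config findings map directly onto the list of immediate actions; the Match-block cutoff is deliberate, because a permissive setting inside a Match block applies only to the users or addresses it names and needs a separate check.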

Longer-Term Improvements

5. Consider a Zero Trust approach. Modern zero trust network access (ZTNA) solutions replace traditional VPNs with identity-aware access that verifies the user, the device, and the context of every connection before granting access to specific resources.

6. Implement network segmentation. Even if an attacker gains access to one system, proper network segmentation prevents them from moving laterally to other systems. Critical servers, workstations, and operational technology should be on separate network segments with controlled access between them.

7. Deploy endpoint detection and response (EDR). EDR solutions monitor for suspicious activity on endpoints and can detect and contain ransomware in its early stages, before it spreads across the network.

8. Maintain current patches. Ensure all systems running remote access services are patched promptly. Subscribe to vendor security advisories and apply critical patches within 48 hours of release.

---

How Affinity MSP Helps

We see exposed remote services in nearly one out of every five scans we run. It is one of the most immediately actionable findings we identify, and one of the highest-impact risks to remediate.

Our managed security services include:

  • Remote access architecture review -- Assessing your current remote access setup and recommending a secure architecture
  • VPN and ZTNA deployment -- Implementing secure remote access solutions that replace exposed services
  • Ongoing monitoring -- Continuous scanning to ensure no new services become exposed accidentally
  • Incident response planning -- Ensuring you have a tested plan in case a compromise does occur
  • Patch management -- Keeping all systems current with security updates

Book a free consultation to discuss your remote access security posture. If your scan found exposed RDP or SSH, this should be your top priority.

---

This article draws on anonymised data from our scanning platform and publicly available threat intelligence. For a broader view of what our scans are finding, read our platform insights article.

Tags: ransomware, rdp-security, ssh-security, remote-access, vpn, zero-trust, network-security, exposed-services
