Hit by Sodinokibi (REvil) Ransomware now I am noticing Brute Force attacks through RDP. Best practices to prevent this?

smitbret

Diamond Member
Jul 27, 2006
So, I use my personal workstation at home as the gateway for remote Windows RDP into my home network. A month ago, it got hit by Sodinokibi Ransomware and all of my files got locked up. For some reason, I was only running the default Windows security software.

The one thing that slightly unnerved me was that I had some desktop shortcuts to my server and some of the files in those folders also got locked up. Nothing else on the system or network appeared or appears to have been affected.

No biggie. I have backup, I just moved the locked files to an external HDD, formatted the system and reinstalled. This time, I installed Norton Internet Security on it.

Now, every few days I will get Norton Alerts that it is blocking an RDP Brute Force Attack. It'll just pound it over and over and over again. Last time, I just reset the router and the modem (resetting my public IP address). Then I added the IP address to Norton's restricted list. I got another one today. I just restarted the system and again added the IP address to Norton's restricted list.

Question #1 - Am I overreacting and this is no big deal? Norton will keep it blocked?
Question #2 - Was I thorough in dealing with it the first time around? Did I miss something that is causing the attacks?
Question #3 - What about my setup can be tweaked to create additional security? Should I set up a cheap Windows box that does nothing except act as a Gateway and then just RDP from there to the different devices in my system?

I know some of this is pretty simple stuff and I will probably smack myself in the head and say "duh", but any guidance, even if it is "Hey dummy, why are you doing this instead of this", is greatly appreciated.
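To answer Question #1 and #2 with data rather than with Norton pop-ups, the Security event log on the machine that exposes RDP records every failed logon as event 4625 with the source address. The script below is an added example, not from the thread: it counts failures per source IP over the last 24 hours and flags sources above an assumed threshold of 20 attempts (run it in an elevated PowerShell; the property indexes are those of event 4625).

```powershell
# Added example: summarise failed logons (event 4625) by source IP to see whether
# a brute-force run is still in progress and which accounts it is guessing.
$since     = (Get-Date).AddHours(-24)
$threshold = 20   # assumed: flag a source after this many failures in the window

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                       -ErrorAction SilentlyContinue

$summary = $events | ForEach-Object {
    $p = $_.Properties
    [pscustomobject]@{
        Time      = $_.TimeCreated
        User      = $p[5].Value          # TargetUserName: the account being guessed
        LogonType = [int]$p[10].Value    # 10 = RemoteInteractive (RDP), 3 = Network (NLA pre-auth)
        SourceIP  = $p[19].Value         # IpAddress of the client
    }
} | Where-Object { $_.LogonType -in 3, 10 -and $_.SourceIP -notin '-', '::1', '127.0.0.1' } |
    Group-Object SourceIP | Sort-Object Count -Descending

foreach ($g in $summary) {
    $users = ($g.Group.User | Sort-Object -Unique) -join ','
    $flag  = if ($g.Count -ge $threshold) { 'BRUTE-FORCE?' } else { '' }
    '{0,-40} {1,6} {2,-14} {3}' -f $g.Name, $g.Count, $flag, $users
}
```

A long list of usernames against one source IP (administrator, admin, user, test) is the typical signature of automated password guessing rather than a mistyped password from a known client.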

UsandThem

Elite Member
May 4, 2000
I'm not a "networking guy", so I'm not sure what they are using to keep targeting your PC. It could be something like your router/modem settings aren't configured properly (firewall, UPnP, etc.), or it could be something like your router's firmware is vulnerable. My TP Link router was way out of date as they quickly dropped support for it, and there were some pretty severe vulnerabilities that were discovered on many routers over the last few years. I ended up replacing it with a newer Asus router solely for that reason (as the wireless performance was still good on the TP Link unit). I've always used a 3rd party security program as well (mostly Norton, but this last year I switched over to Bitdefender) just as an extra layer of security because my kids and wife don't always think of computer safety when on the internet.

Those would be the first things I would take a look at and make sure everything is all good there. After that is accomplished, maybe someone else can come along and give some tips/advice on the whole gateway/RDP setup, as I am pretty clueless when it comes to that stuff since I don't do that with any of my PCs.
Here's just a few bigger router security articles over the last year or so:

https://www.bleepingcomputer.com/ne...r-bug-lets-attackers-login-without-passwords/
https://www.tomsguide.com/news/netgear-security-firmware-patches

VirtualLarry

No Lifer
Aug 25, 2001
"Raw RDP" exposed directly on the internet can be quite a juicy target, as you've found out.

You should put it behind a VPN server, at least; this is my understanding of RDP "best practices". Or use something other than RDP, like AnyDesk or TeamViewer, that doesn't require exposing a listening port to the open internet.

Amol S.

Platinum Member
Mar 14, 2015
Most of the time, there are hackers that try to hack random IP addresses, and there are many that do that. You also are setting your security policy incorrectly. You should not be using a blacklist, but rather should use a whitelist. Just whitelist the IP Addresses you know you are going to connect from to the RDP.
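The whitelist advice above, and VirtualLarry's point about not leaving raw RDP open to the internet, can both be applied on the Windows host itself. The script below is an added example, not from the thread: it rescopes the built-in "Remote Desktop" firewall rule group from "any address" to an allow-list, turns on Network Level Authentication, and then prints the resulting scope so the change can be checked. The two addresses are placeholders for the public IP and VPN client range you connect from.

```powershell
# Added example: replace the default "allow from any" scope of the built-in Remote
# Desktop inbound rules with an allow-list of source addresses, then verify it.
$allowed = @('198.51.100.7', '203.0.113.0/24')   # assumed: home/office IP and a VPN client range

# Scope every inbound rule in the Remote Desktop group (TCP/UDP 3389 by default)
# to the allow-list. Any other source is dropped before it reaches the RDP service.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
    Set-NetFirewallRule -RemoteAddress $allowed -Enabled True

# Require Network Level Authentication so a client must authenticate before a
# session is created; this removes the unauthenticated login screen from the wire.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
    -Name 'UserAuthentication' -Value 1

# Verify: each inbound RDP rule should now list only the allow-listed addresses.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
    ForEach-Object {
        $scope = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
        '{0,-45} Enabled={1,-5} RemoteAddress={2}' -f $_.DisplayName, $_.Enabled, $scope
    }
```

If the router forwards 3389 to this machine, the same allow-list belongs on the router's port-forward rule as well, so that unwanted traffic never reaches the host at all.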