One Open Port: How Ransomware Gets Into Small Businesses
Every week, thousands of small businesses unknowingly advertise an open door to ransomware attackers. The door is called RDP — Remote Desktop Protocol — and it listens on port 3389.
What Is RDP and Why Is It Used?
Remote Desktop Protocol is a Microsoft technology that lets you control a Windows computer over a network connection. It’s genuinely useful: an accountant can work from home, an IT contractor can fix problems remotely, a practice manager can access the booking system from another location.
The problem is how it’s exposed. Many businesses set up remote access by adding a port-forward rule on their router that sends TCP port 3389 straight to an internal machine. From that moment, anyone on the internet can reach that machine’s logon prompt and attempt to sign in.
How Attackers Find It in Minutes
Tools like Shodan and Censys continuously scan the entire internet and index every service that answers, including RDP on port 3389 and RDP that has been moved to a non-standard port (they recognise the service by its handshake, not by the port number). Searching for port:3389 on Shodan returns millions of results, including dental clinics, accounting firms, and small offices in Poland and across Europe.
Attackers don’t manually browse these results. They run automated scripts that:
- Pull the list of IPs with an open port 3389
- Try common username/password combinations, either many passwords against one account (brute force) or a few likely passwords against many accounts (password spraying, which also sidesteps lockout policies)
- Try credentials leaked in data breaches (credential stuffing): if your staff reuse passwords, this works often
- Exploit known RDP vulnerabilities such as BlueKeep (CVE-2019-0708), a pre-authentication flaw in Windows 7, Server 2008 R2 and earlier that needs no password at all on unpatched systems
The entire process from port discovery to successful login can take under an hour.
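What the guessing described above looks like from the target’s side, as an added example that is not part of the original article: a sliding-window count of failed logons per source address over Windows Security events. The events are constructed and simplified (a real Event ID 4625 is an EVTX/XML record with many more fields), and the threshold, window and the name `detect_rdp_guessing` are this example’s own choices.

```python
"""Flag RDP password guessing in Windows Security log events.

This is an added example, not code from the original article.  The events
below are constructed and simplified: a real Event ID 4625 (failed logon) is
an XML/EVTX record with many fields, but every 4625 carries the three used
here (TargetUserName, IpAddress, LogonType).  Caveat from practice: with NLA
enabled, failed RDP logons are recorded as LogonType 3 (network), not 10
(RemoteInteractive), so both types are kept.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

EVENT_FAILED_LOGON = 4625
RDP_LOGON_TYPES = {3, 10}          # 10 = RemoteInteractive, 3 = network (NLA pre-auth)
THRESHOLD = 10                     # failures within WINDOW that trigger an alert
WINDOW = timedelta(seconds=60)


def make_sample_events():
    """Constructed sample: one guessing source and one clumsy staff member."""
    base = datetime(2024, 5, 6, 2, 14, 0)
    events = []
    # Attacker from 203.0.113.10: 12 failures in 33 seconds, cycling usernames.
    names = ["administrator", "admin", "reception", "user"]
    for i in range(12):
        ts = base + timedelta(seconds=3 * i)
        events.append((ts.isoformat(), EVENT_FAILED_LOGON, 3, names[i % 4], "203.0.113.10"))
    # Staff member from 198.51.100.7: three typos spread over 8 minutes, then a success (4624).
    for i in range(3):
        ts = base + timedelta(minutes=4 * i)
        events.append((ts.isoformat(), EVENT_FAILED_LOGON, 10, "jkowalski", "198.51.100.7"))
    events.append(((base + timedelta(minutes=13)).isoformat(), 4624, 10, "jkowalski", "198.51.100.7"))
    return events


SAMPLE_EVENTS = make_sample_events()   # (timestamp, event_id, logon_type, username, source_ip)


def detect_rdp_guessing(events, threshold=THRESHOLD, window=WINDOW):
    """Sliding-window count of failed RDP logons per source IP.

    Returns {source_ip: {"peak_failures", "usernames", "spray"}} for every
    source that reached `threshold` failures inside any `window`.  "spray" is
    set when the same source tried several different usernames, which is what
    password spraying looks like from the target side.
    """
    recent = defaultdict(deque)     # ip -> timestamps of failures inside the window
    peak = defaultdict(int)         # ip -> highest count seen in any window
    usernames = defaultdict(set)
    for ts, event_id, logon_type, user, ip in sorted(events, key=lambda e: e[0]):
        if event_id != EVENT_FAILED_LOGON or logon_type not in RDP_LOGON_TYPES:
            continue
        t = datetime.fromisoformat(ts)
        q = recent[ip]
        q.append(t)
        while t - q[0] > window:    # drop failures older than the window
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
        usernames[ip].add(user.lower())
    return {
        ip: {"peak_failures": n, "usernames": sorted(usernames[ip]),
             "spray": len(usernames[ip]) >= 3}
        for ip, n in peak.items() if n >= threshold
    }


if __name__ == "__main__":
    for ip, info in detect_rdp_guessing(SAMPLE_EVENTS).items():
        kind = "password spray" if info["spray"] else "brute force"
        print(f"{ip}: {info['peak_failures']} failed RDP logons in one minute ({kind}), "
              f"usernames={info['usernames']}")
```

The staff member’s three typos over eight minutes never reach the threshold, while the attacker’s 12 failures in 33 seconds do, and the mix of usernames from one address marks it as a spray rather than a single-account brute force.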
What Happens After They’re In
Once an attacker has RDP access, they have the same level of control as the legitimate user, and frequently more, because the account opened up for remote work is often a local administrator. The typical sequence:
- Reconnaissance: they map your network and identify file servers, backup drives, and connected systems
- Lateral movement: they move to other machines using the same password (where it has been reused) or credentials harvested from the compromised machine
- Ransomware deployment: they delete shadow copies and any backups they can reach, then run the ransomware binary, which encrypts files across all accessible drives simultaneously
- Ransom demand: your screens display a payment demand, typically in cryptocurrency
For a dental clinic or accounting firm, the encrypted files mean patient records, X-rays, client tax data, contracts, everything, is inaccessible. Recovery without paying the ransom requires restoring from a backup the attacker could not reach, which many small businesses don’t have in a usable state.
The Fix: Three Steps
1. Remove public RDP exposure. Delete the port-forward rule for TCP 3389 on your router and any firewall rule that accepts it from the internet. Moving RDP to another port is not a fix: scanners recognise the RDP handshake on any port.
2. Use a VPN instead. Remote workers connect to the VPN first, then open RDP to the machine’s private address. Port 3389 is never visible to the public internet, and the VPN itself should require MFA.
3. Enable Network Level Authentication (NLA) and MFA. NLA (CredSSP) authenticates the user before a desktop session is created, so unauthenticated attacks such as BlueKeep need valid credentials first. It does not stop password guessing, which is why MFA, an account-lockout policy, and current patches are still needed; MFA makes a guessed or stolen password useless on its own.
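A way to verify steps 1 and 3 yourself, and to see what the scanners described earlier see, as an added example that is not part of the original article: the probe performs only the first step of the RDP handshake (MS-RDPBCGR X.224 Connection Request with an RDP_NEG_REQ) and offers TLS alone. A server that enforces NLA refuses with failure code HYBRID_REQUIRED_BY_SERVER; one that accepts plain TLS, or answers with no negotiation data at all (XP/2003-era standard RDP security), does not require NLA. No credentials are sent and nothing is exploited; this is the same check nmap’s rdp-enum-encryption script performs. The function names, the cookie value and the reply bytes used for offline testing are this example’s own constructions.

```python
"""Check whether a host answers RDP on TCP 3389 and whether it insists on NLA.

Added example; not code from the original article.  It sends an X.224
Connection Request (MS-RDPBCGR 2.2.1.1) offering only TLS and decodes the
Connection Confirm (2.2.1.2).  It says nothing about patch level: a host can
enforce NLA and still be unpatched.  The reply bytes at the bottom are
constructed for offline testing.
"""
import socket
import struct
import sys

PROTOCOL_RDP, PROTOCOL_SSL, PROTOCOL_HYBRID = 0x0, 0x1, 0x2   # requestedProtocols bits
TYPE_NEG_REQ, TYPE_NEG_RSP, TYPE_NEG_FAILURE = 0x01, 0x02, 0x03
FAILURE_NAMES = {
    1: "SSL_REQUIRED_BY_SERVER", 2: "SSL_NOT_ALLOWED_BY_SERVER",
    3: "SSL_CERT_NOT_ON_SERVER", 4: "INCONSISTENT_FLAGS",
    5: "HYBRID_REQUIRED_BY_SERVER", 6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def build_connection_request(requested_protocols: int) -> bytes:
    """TPKT header + X.224 Connection Request + RDP_NEG_REQ."""
    cookie = b"Cookie: mstshash=probe\r\n"                      # routing cookie; any short name works
    neg_req = struct.pack("<BBHI", TYPE_NEG_REQ, 0, 8, requested_protocols)
    body = bytes([0xE0, 0, 0, 0, 0, 0]) + cookie + neg_req    # CR code, dst-ref, src-ref, class
    x224 = bytes([len(body)]) + body                          # length indicator excludes itself
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224    # TPKT: version 3, reserved, total length


def parse_connection_confirm(data: bytes) -> dict:
    """Decode the server's X.224 Connection Confirm into a small dict."""
    if len(data) < 11 or data[0] != 3 or struct.unpack(">H", data[2:4])[0] != len(data):
        raise ValueError("not a complete TPKT packet")
    li, code = data[4], data[5]
    if code != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    neg = data[11:5 + li]                                     # bytes after the 6-byte fixed CC part
    if len(neg) < 8:
        return {"kind": "legacy"}                             # no rdpNegData: standard RDP security only
    ntype, _flags, _length, value = struct.unpack("<BBHI", neg[:8])
    if ntype == TYPE_NEG_RSP:
        return {"kind": "response", "selected_protocol": value}
    if ntype == TYPE_NEG_FAILURE:
        return {"kind": "failure", "failure_code": value,
                "failure_name": FAILURE_NAMES.get(value, "UNKNOWN")}
    raise ValueError(f"unexpected negotiation type {ntype:#x}")


def nla_enforced(reply: bytes) -> bool:
    """True only if the server rejected a TLS-only offer because it requires CredSSP (NLA)."""
    info = parse_connection_confirm(reply)
    return info["kind"] == "failure" and info["failure_code"] == 5


def probe(host: str, port: int = 3389, timeout: float = 5.0) -> dict:
    """Connect, offer TLS only, classify the answer.  Run it from outside your
    own network: from the LAN it says nothing about internet exposure."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_connection_request(PROTOCOL_SSL))
            reply = s.recv(1024)
    except OSError as exc:                                    # refused, filtered, timed out
        return {"exposed": False, "detail": str(exc)}
    try:
        info = parse_connection_confirm(reply)
    except ValueError as exc:                                 # something answered, but not RDP
        return {"exposed": True, "nla": None, "detail": f"unparseable reply: {exc}"}
    return {"exposed": True, "nla": nla_enforced(reply), "detail": info}


def _fake_reply(neg: bytes) -> bytes:
    """Constructed server reply for offline tests: TPKT + CC header + negotiation data."""
    body = bytes([0xD0, 0, 0, 0, 0, 0]) + neg
    x224 = bytes([len(body)]) + body
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224


REPLY_NLA_REQUIRED = _fake_reply(struct.pack("<BBHI", TYPE_NEG_FAILURE, 0, 8, 5))
REPLY_TLS_WITHOUT_NLA = _fake_reply(struct.pack("<BBHI", TYPE_NEG_RSP, 0, 8, PROTOCOL_SSL))
REPLY_LEGACY = _fake_reply(b"")

if __name__ == "__main__":
    print(probe(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"))
```

Run it against your public IP from a connection outside the office. `exposed: False` is the goal of step 1; if the host does answer, `nla: True` is the goal of step 3, and `nla: False` means the logon prompt is reachable without any prior authentication.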
Not sure if your business has port 3389 exposed? Our free pre-scan checks this as part of every assessment — along with five other critical external exposure points. Results in 24 hours.
Is your business exposed?
Find out with a free pre-scan. No cost, no commitment — results in 24 hours.