Qilin Ransomware Exploits RDP Credential Harvesting to Target Healthcare Networks

By MRAdmin

RDP Credential Theft

A new Qilin ransomware variant uses PowerShell to extract stored RDP connection history (remote hostnames and the usernames last used to reach them) from the Windows registry, enabling lateral movement in healthcare networks and raising risks for medical device security and patient data protection.

Healthcare Risk Profile

A new Qilin ransomware variant includes a PowerShell module that extracts stored Remote Desktop Protocol (RDP) connection records from the Windows registry, a tactic aimed squarely at healthcare environments, where remote desktop access is widespread for clinical and administrative workflows. Researchers have confirmed that the ransomware reads the registry entries left behind by previous RDP sessions, capturing the hostnames of trusted remote machines and the (often domain-qualified) usernames last used to connect to them. For hospital IT teams and healthcare CISOs this is particularly dangerous because RDP is routinely used for remote patient monitoring, EHR access, and medical device management.

Once Qilin has initial access, it runs a PowerShell script that enumerates the ‘Terminal Server Client’ registry entries and writes the harvested data to a text file, which is exfiltrated before encryption begins. No CVE is associated with the technique (see https://cve.org for RDP vulnerabilities in general): it abuses a legitimate Windows feature, the per-user connection history that mstsc.exe keeps so it can pre-fill server names and usernames. Two caveats for defenders follow from that. First, the key lives under HKEY_CURRENT_USER, so a harvest made under one account reflects that account's RDP history; an operator with administrative rights would have to walk the other loaded user hives to see the rest. Second, what is collected is a list of targets and account names, not passwords; any saved RDP passwords sit in Windows Credential Manager and recovering them is a separate step. Because the script is ordinary PowerShell reading ordinary registry keys, PowerShell Script Block Logging (event ID 4104) and a hunt for ‘Terminal Server Client’ in logged script text are a more dependable detection than signature-based blocking of the sample.

The ability to harvest RDP history amplifies the threat because it hands the operator a ready-made map for lateral movement toward critical systems such as PACS, laboratory information systems, and connected medical devices. That raises the risk of reaching patient data stores and operational technology before encryption is triggered, potentially disrupting surgeries, emergency response, and telemedicine services.
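The following PowerShell is an added example for this article; it is not code from the Qilin sample or from the cited research. It enumerates the same ‘Terminal Server Client’ data the module harvests, so a defender can see exactly what a compromised account exposes, and it goes beyond the article in two ways: with admin rights it walks every loaded user hive rather than only the current user's, and it adds a hunt over PowerShell Script Block Logging for scripts that touch the key. The function names, parameter names and the time window are assumptions of this example.

```powershell
# Added example for this article, not code from Qilin or the cited research.
# Function and parameter names are assumed for illustration.

function Get-RdpConnectionHistory {
    [CmdletBinding()]
    param(
        # Hive root to inspect: 'HKCU:' for the current user, or
        # 'Registry::HKEY_USERS\<SID>' for another loaded profile (needs admin).
        [string]$HiveRoot = 'HKCU:'
    )
    $base = "$HiveRoot\Software\Microsoft\Terminal Server Client"

    # Servers\<host>: one subkey per remote host; UsernameHint holds the last
    # account used (often DOMAIN\user), which is the pairing the article describes.
    $serversKey = "$base\Servers"
    if (Test-Path -Path $serversKey) {
        foreach ($sub in Get-ChildItem -Path $serversKey) {
            $props = Get-ItemProperty -Path $sub.PSPath -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Hive         = $HiveRoot
                Source       = 'Servers'
                RemoteHost   = $sub.PSChildName
                UsernameHint = $props.UsernameHint
            }
        }
    }

    # Default: the MRU0..MRU9 values behind the mstsc.exe 'Computer' drop-down.
    $defaultKey = "$base\Default"
    if (Test-Path -Path $defaultKey) {
        $props = Get-ItemProperty -Path $defaultKey
        foreach ($p in $props.PSObject.Properties | Where-Object { $_.Name -like 'MRU*' }) {
            [pscustomobject]@{
                Hive         = $HiveRoot
                Source       = $p.Name
                RemoteHost   = $p.Value
                UsernameHint = $null
            }
        }
    }
}

function Find-RdpHistoryEnumeration {
    # Hunts Script Block Logging (event ID 4104) for script text that touches the
    # key. Logging must be enabled by GPO or via
    # HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging.
    param([int]$Hours = 24)   # look-back window, an assumed default
    $filter = @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Terminal Server Client' } |
        ForEach-Object {
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                UserSid     = $_.UserId
                # First logged line that names the key, for quick triage.
                Snippet     = ($_.Message -split '\r?\n' |
                               Where-Object { $_ -match 'Terminal Server Client' } |
                               Select-Object -First 1).Trim()
            }
        }
}

# What a script running in the current user's context sees (the malware's view).
Get-RdpConnectionHistory | Format-Table -AutoSize

# With admin rights, walk every loaded user hive to see the whole host's exposure.
Get-ChildItem -Path 'Registry::HKEY_USERS' |
    Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
    ForEach-Object { Get-RdpConnectionHistory -HiveRoot "Registry::HKEY_USERS\$($_.PSChildName)" } |
    Format-Table -AutoSize

# Script blocks from the last three days that read the key.
Find-RdpHistoryEnumeration -Hours 72 | Format-List
```

Run the first call as the account you suspect was compromised to get the list of hosts the operator now knows about; those are the machines to prioritise for isolation and for checking inbound RDP logons (event ID 4624, logon type 10). Clearing the Servers and Default keys removes the history, but mstsc.exe recreates the entries on the next connection, so the durable controls are still network-level RDP restrictions and MFA, not registry hygiene.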

Source: https://cybersecuritynews.com/qilin-ransomware-enumerates-rdp-authentication/
