What I am seeing lately is a rash of RDP ransomware infections. Next time you test a third-party stand-alone solution, enable RDP on your test rig. Make sure RDP ports are open. Test how the solution performs against RDP ransomware. I note this because most people have RDP disabled on their PCs, but many corps. and SMBs have it enabled.
Are they trying to guess UN/PW when attacking or is there any unpatched vulnerability being exploited?
I so far have seen posts by people getting nailed by Spora and most recently AES-IN via RDP attacks. Also recent Cerber variants. These attacks have bypassed some conventional AV anti-ransomware protections; files were encrypted. Hence my curiosity about how effective the stand-alone anti-ransomware solutions are against brute-force RDP attacks. Again, this only applies to situations where RDP has been legitimately enabled by the user.
If brute force is conducted, then setting up a proper lockout policy would probably thwart or at least slow down these attacks. Shouldn't that be one of the first things an admin should set when enabling RDP access?
Yes, it is. The people who got nailed appeared to be somewhat clueless as to how to properly secure RDP access.