LOGBOOK

HELP

Quiz Entry - updated: 2026.06.24

A company left a provisional Terminal Server reachable from the internet, protected by only a password. Why did that become a ransomware crew's initial-access point ("Initial Compromise")?

Because there was no MFA — a single guessable, phishable, or reusable password was the only barrier, so the attacker simply logged in.

This was the literal entry point ("Patient 0") in a documented case, and the pattern is general: any internet-exposed remote-access service (RDP, Terminal Server, VPN) protected by a single factor is a front door. With only one password to beat — guessable, phishable, or reused — the attacker walks straight in. No exotic exploit required.

Why MFA would have mattered: even a stolen or guessed password is useless without the second factor. The single most impactful control against this exact entry path is MFA on every internet-facing service (RDP, VPN, webmail).

Tip: Internet-exposed RDP/Terminal Services with weak auth are one of the most common ransomware entry points in the real world. If it must be reachable, it must have MFA — and ideally sit behind a VPN.

From Quiz: ISF / Foundations, Key Terms & Ransomware | Updated: Jun 24, 2026