Network latency spikes in Remote Desktop Protocol (RDP) sessions often serve as a precursor to ransomware deployment.
When bad actors gain access to a network, they typically perform internal reconnaissance, move laterally between systems, and exfiltrate sensitive data before the final encryption phase begins. These background activities consume significant bandwidth and processing power, which can manifest as noticeable lag or delays for legitimate users.
In this article, we’ll examine why latency occurs during the pre-encryption phase, which specific behaviors to monitor, and how to respond when your remote environment begins to underperform.
Why Latency Precedes Data Encryption
Ransomware activation is rarely the first step in a cyberattack. Modern threat actors spend days or even weeks inside a network to maximize their impact.
During this period, the overhead of their tools creates a digital footprint that shows up in RDP performance.
Lateral Movement and Scanning
Once an attacker compromises a single workstation via RDP, they must find their targets (such as backup servers or database clusters). To that end, they use automated scanners to map the network.
These scans generate a high volume of small packets that can saturate network interfaces, leading to increased ping times and jitter for remote employees.
Data Exfiltration Overhead
The most significant latency usually occurs when attackers begin moving data out of your environment. To increase their leverage, hackers steal sensitive files to threaten the organization with a public data leak (double or triple extortion).
Uploading hundreds of gigabytes of data to a cloud storage service — while the attacker is simultaneously tunneling through your RDP gateway — creates a massive bottleneck.
Performance Indicators of an Imminent Attack
Network administrators should treat consistent, unexplained performance degradation as a security event rather than a simple IT glitch. While many factors can cause lag, certain patterns are highly suspicious.
Unexplained Peak-Hour Slowdowns
If RDP sessions become sluggish during periods of low legitimate usage (such as 2:00 AM on a Sunday), it suggests an automated process or a manual intruder is active. Attackers often prefer these windows to minimize the chance of a physical user noticing the system slowdown.
Increased CPU and Disk I/O
Ransomware attackers frequently use built-in Windows tools or specialized scripts to compress data before exfiltrating it. Some modern variants like LockBit 3.0 and BlackCat also use intermittent encryption (encrypting only every other 16 or 64 bytes) to maximize speed and bypass some heuristic detection, but this still causes massive disk I/O spikes.
In our labs, we have observed that high CPU utilization on a domain controller or file server, paired with RDP lag, is a major red flag. If the server is struggling to respond to basic UI commands, it’s a cause for concern.
Account Lockouts and Failed Logins
Latency is often accompanied by a surge in Event ID 4625 (failed logon) entries in the Windows Security Log. If the attacker is moving laterally using valid but stolen credentials, admins should also look for Event ID 4624 (successful logon), specifically focusing on Logon Type 3 (Network) or Logon Type 10 (Remote Interactive).
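The event-log review described above (a surge of Event ID 4625 failures, followed by Event ID 4624 logons with Logon Type 3 or 10) can be scripted against an export of the Security log. The following is an added example written for this article, not code from the original post or from Datarecovery.com. It runs over a small set of constructed event records embedded in the script (field names mirror the Windows Security log, but the values are invented), and it also applies the off-hours rule from the "Unexplained Peak-Hour Slowdowns" section. The failure threshold, the ten-minute window and the business-hours range are assumptions to tune for your environment.

```python
"""Triage of Windows Security log events for the RDP indicators discussed above.

Added example (not from the original article). In practice the records would
come from Get-WinEvent / wevtutil; here they are constructed inline.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real log data). 2024-03-03 is a Sunday.
SAMPLE_EVENTS = [
    # a burst of failed logons (4625) from one source at ~02:00 on a Sunday
    {"EventID": 4625, "TimeCreated": "2024-03-03T02:01:10", "TargetUserName": "admin", "IpAddress": "10.10.5.23", "LogonType": 10},
    {"EventID": 4625, "TimeCreated": "2024-03-03T02:01:25", "TargetUserName": "admin", "IpAddress": "10.10.5.23", "LogonType": 10},
    {"EventID": 4625, "TimeCreated": "2024-03-03T02:01:41", "TargetUserName": "backup", "IpAddress": "10.10.5.23", "LogonType": 10},
    {"EventID": 4625, "TimeCreated": "2024-03-03T02:02:03", "TargetUserName": "backup", "IpAddress": "10.10.5.23", "LogonType": 10},
    {"EventID": 4625, "TimeCreated": "2024-03-03T02:02:30", "TargetUserName": "svc_backup", "IpAddress": "10.10.5.23", "LogonType": 10},
    {"EventID": 4625, "TimeCreated": "2024-03-03T02:03:12", "TargetUserName": "svc_backup", "IpAddress": "10.10.5.23", "LogonType": 10},
    # successful network / remote-interactive logons from the same source (4624)
    {"EventID": 4624, "TimeCreated": "2024-03-03T02:04:30", "TargetUserName": "svc_backup", "IpAddress": "10.10.5.23", "LogonType": 3},
    {"EventID": 4624, "TimeCreated": "2024-03-03T02:05:02", "TargetUserName": "svc_backup", "IpAddress": "10.10.5.23", "LogonType": 10},
    # ordinary Monday-morning console logon (LogonType 2): not flagged
    {"EventID": 4624, "TimeCreated": "2024-03-04T09:15:00", "TargetUserName": "jdoe", "IpAddress": "10.10.7.41", "LogonType": 2},
    # a single daytime failed logon: below the burst threshold
    {"EventID": 4625, "TimeCreated": "2024-03-04T09:16:00", "TargetUserName": "jdoe", "IpAddress": "10.10.7.41", "LogonType": 2},
]

FAILED_LOGON_THRESHOLD = 5      # assumption: 5+ failures from one source within WINDOW
WINDOW = timedelta(minutes=10)  # assumption: sliding window for the burst check
REMOTE_LOGON_TYPES = {3, 10}    # Network and RemoteInteractive (RDP), per the article
BUSINESS_HOURS = range(7, 19)   # assumption: 07:00-18:59 local time, Monday to Friday


def parse_time(s):
    return datetime.fromisoformat(s)


def is_off_hours(ts):
    """Weekend, or outside the assumed business-hours range on a weekday."""
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS


def failed_logon_bursts(events, threshold=FAILED_LOGON_THRESHOLD, window=WINDOW):
    """Map source IP -> largest number of 4625 events inside any sliding window,
    keeping only sources at or above the threshold."""
    by_src = defaultdict(list)
    for e in events:
        if e["EventID"] == 4625:
            by_src[e["IpAddress"]].append(parse_time(e["TimeCreated"]))
    bursts = {}
    for src, times in by_src.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts[src] = best
    return bursts


def suspicious_remote_logons(events):
    """4624 events with LogonType 3 or 10, each tagged with the off-hours flag."""
    hits = []
    for e in events:
        if e["EventID"] == 4624 and e["LogonType"] in REMOTE_LOGON_TYPES:
            hits.append({
                "time": e["TimeCreated"],
                "user": e["TargetUserName"],
                "source": e["IpAddress"],
                "logon_type": e["LogonType"],
                "off_hours": is_off_hours(parse_time(e["TimeCreated"])),
            })
    return hits


def triage(events):
    """Combine the checks; a source that both produced a failure burst and then
    logged on remotely is the one to escalate first."""
    bursts = failed_logon_bursts(events)
    logons = suspicious_remote_logons(events)
    escalate = sorted({h["source"] for h in logons if h["source"] in bursts})
    return {"failed_logon_bursts": bursts, "remote_logons": logons, "escalate": escalate}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_EVENTS), indent=2))
```

On the constructed data, the script reports one failure burst (six 4625 events from 10.10.5.23), two off-hours remote logons from the same source, and escalates that source. The sliding-window count matters more than a raw total: a handful of failures spread over a workday is normal, the same number inside ten minutes at 02:00 on a Sunday is not.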
Ransomware Response: Minimizing Data Loss
If you suspect that RDP latency is being caused by malicious activity, take immediate action. We recommend following these steps:
- Terminate All Active RDP Sessions: Immediately disconnect all remote users and disable the RDP service or close Port 3389 at the firewall level. Note that many enterprise environments use an RDP Gateway (Port 443); latency can also manifest as an HTTPS/443 bottleneck if the gateway is being used to tunnel exfiltration traffic.
- Audit Active Processes: Look for unrecognized executables or legitimate tools being used in unusual ways (such as PowerShell scripts running with administrative privileges for extended periods).
- Check Outbound Traffic: Consult your firewall logs to see if massive amounts of data are being sent to unfamiliar IP addresses.
- Isolate Backups: Ensure your backups are air-gapped. Attackers will almost always attempt to delete or encrypt backups before they trigger the main ransomware payload.
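The "Check Outbound Traffic" step above can be reduced to a volume check over the firewall's own logs. The following is an added example written for this article, not code from the original post or from Datarecovery.com. It parses a few constructed key=value log lines (documentation-range IP addresses, invented byte counts), totals bytes sent per destination, and flags any destination that is not on a known list and has received more than a threshold amount of data, listing which internal hosts fed it. The line format, the known-destination set and the 1 GiB threshold are assumptions; map them onto your own firewall's export format.

```python
"""Outbound-volume check over firewall log lines (added example, not from the article).

Flags destinations that are not on the known list and have received more than
VOLUME_THRESHOLD bytes, which is the pattern the article describes for
exfiltration through an RDP gateway on 443.
"""
import re
from collections import defaultdict

# Constructed sample log lines (documentation-range IPs, not real traffic).
SAMPLE_LOG = """\
2024-03-03T02:10:01 action=allow src=10.10.5.23 dst=198.51.100.77 dport=443 proto=tcp bytes_out=734003200
2024-03-03T02:11:15 action=allow src=10.10.5.23 dst=198.51.100.77 dport=443 proto=tcp bytes_out=812345600
2024-03-03T02:12:40 action=allow src=10.10.6.11 dst=198.51.100.77 dport=443 proto=tcp bytes_out=655360000
2024-03-03T02:13:02 action=allow src=10.10.7.41 dst=203.0.113.10 dport=443 proto=tcp bytes_out=1048576
2024-03-03T02:13:50 action=allow src=10.10.7.41 dst=203.0.113.10 dport=443 proto=tcp bytes_out=2097152
2024-03-03T02:14:05 action=deny src=10.10.5.23 dst=192.0.2.9 dport=22 proto=tcp bytes_out=0
2024-03-03T02:15:30 action=allow src=10.10.8.3 dst=192.0.2.200 dport=443 proto=tcp bytes_out=524288
"""

KNOWN_DESTINATIONS = {"203.0.113.10"}  # assumption: a sanctioned backup/SaaS endpoint
VOLUME_THRESHOLD = 1 * 1024 ** 3       # assumption: 1 GiB to one unknown destination

LINE_RE = re.compile(r"(?P<ts>\S+)\s+(?P<kv>.*)")


def parse_line(line):
    """Turn 'timestamp key=value ...' into a dict; bytes_out becomes an int."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts")}
    for key, value in re.findall(r"(\w+)=(\S+)", m.group("kv")):
        rec[key] = value
    try:
        rec["bytes_out"] = int(rec.get("bytes_out", 0))
    except ValueError:
        rec["bytes_out"] = 0
    return rec


def outbound_totals(log_text):
    """{dst: {"bytes": total, "sources": {src: bytes}}} for allowed flows only."""
    totals = defaultdict(lambda: {"bytes": 0, "sources": defaultdict(int)})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec.get("action") != "allow" or "dst" not in rec:
            continue
        entry = totals[rec["dst"]]
        entry["bytes"] += rec["bytes_out"]
        entry["sources"][rec["src"]] += rec["bytes_out"]
    return totals


def flag_exfil_candidates(log_text, known=KNOWN_DESTINATIONS, threshold=VOLUME_THRESHOLD):
    """Unknown destinations over the threshold, largest first, with their feeding hosts."""
    flagged = []
    for dst, entry in outbound_totals(log_text).items():
        if dst in known or entry["bytes"] < threshold:
            continue
        sources = sorted(entry["sources"], key=entry["sources"].get, reverse=True)
        flagged.append({"dst": dst, "bytes": entry["bytes"], "sources": sources})
    return sorted(flagged, key=lambda f: f["bytes"], reverse=True)


if __name__ == "__main__":
    for f in flag_exfil_candidates(SAMPLE_LOG):
        gib = f["bytes"] / 1024 ** 3
        print(f"{f['dst']}: {gib:.2f} GiB from {', '.join(f['sources'])}")
```

On the sample lines only 198.51.100.77 is flagged: it is not on the known list and received about 2 GiB, mostly from 10.10.5.23. The sanctioned endpoint and the small transfer to 192.0.2.200 are ignored, and the denied flow is never counted. Cross-referencing the feeding hosts against the sources that produced logon bursts in the Security log is the natural next step.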
Note: Do not restart servers or clear logs until you’ve discussed your case with a ransomware specialist. Volatile memory contains artifacts that are essential for digital forensics and determining how the attackers entered the system.
Recovering After a Ransomware Event
Detecting latency is a vital early warning, but even when the encryption phase has already begun, remediation is still possible.
At Datarecovery.com, we provide comprehensive support for organizations facing ransomware attacks. We operate purpose-built laboratories equipped to handle large-scale server recoveries and complex RAID arrays. In addition to ransomware recovery, we provide dark web monitoring, penetration (PEN) testing and additional services to help organizations restore operations quickly and securely.
If you’ve encountered ransomware, we’re here to help. To get started, submit a case online or call us at 1-800-237-4200 to speak with a recovery specialist.