This graph shows the difference between the attacks on a publicly published RDP server, and one that is not published on port 3389. On the left, we have the report from 1 year ago before deciding to close the port, on the right we have the graph on the same address today. Not shown here: the number of attacks have decreased significantly.

Ref: SingCERT advisory "Kaspersky Report on Compromised RDP Servers - "The xDedic Marketplace" https://www.csa.gov.sg/singcert/news/advisories-alerts/kaspersky-report-on-compromised-rdp-servers In essence a number of public facing IP addresses, notably some in Singapore, are on a list for sale in the black market, presumably because their administrator passwords have been compromised through brute force.