SecurityWeek

Malware & Threats

DXXD Ransomware Encrypts Files on Unmapped Network Shares

A new ransomware family has emerged that targets servers and encrypts files on network shares even if they haven’t been mapped to the infected computer.

Dubbed DXXD, the new piece of ransomware appends the .dxxd extension to the encrypted files and then drops a ransom note onto the infected computers. The malware does not limit itself to searching for and encrypting files on the local machine; it also targets network shares, both mapped and unmapped, a capability previously seen in Locky.

While the ransomware’s infection vector isn’t clear at the moment, the attackers are believed to be abusing Remote Desktop Services and are brute-forcing passwords to spread the DXXD ransomware, BleepingComputer’s Lawrence Abrams notes.

The ransom note dropped by the new threat instructs users to contact the operators via two email addresses to receive payment instructions: rep_stosd[at]protonmail.com and rep_stosd[at]tuta.io. However, as is usually the case with ransomware infections, users are advised not to give in and pay the ransom.

Unlike other ransomware families out there, DXXD was configured to change a Windows Registry setting so that a so-called “legal notice” is displayed to users when they log in. This ensures that any user attempting to log into an infected computer sees the ransom note.

The “legal notice” informs users that the computer they are logging into “is attacked by hackers.” It also claims that users should contact experts at said emails and various other email addresses, such as shellexec[at]protonmail.com or null_ptr[at]tutanota.de “for more informations [sic!] and recommendations.”

To display the notice, the ransomware changes the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption registry value. It also changes HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText to display the following: “When you start Windows, Windows Defender works to help protect your PC by scanning for malicious or unwanted software.”
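Because the Winlogon legal-notice values are a persistent, easily audited artifact, defenders can check them directly. The following PowerShell script is an added example, not code from the article or from BleepingComputer; it reads the two values named above, flags the phrases the article quotes from the DXXD notice, and hunts for files carrying the .dxxd extension on paths you supply (the share names in the comments are assumed).

```powershell
# Added example: audit the Winlogon legal-notice values DXXD is reported to modify
# and hunt for .dxxd files. Run with administrative rights on the host being checked.

$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Phrases the article quotes from the DXXD notice; a match is a strong indicator.
$SuspiciousPhrases = @(
    'is attacked by hackers',
    'Windows Defender works to help protect your PC'
)

function Get-LegalNoticeFinding {
    param([string]$Key = $WinlogonKey)

    $props   = Get-ItemProperty -Path $Key -ErrorAction Stop
    $caption = [string]$props.LegalNoticeCaption   # empty string if the value is absent
    $text    = [string]$props.LegalNoticeText

    $hits = foreach ($phrase in $SuspiciousPhrases) {
        if ($caption -like "*$phrase*" -or $text -like "*$phrase*") { $phrase }
    }

    [pscustomobject]@{
        Key                = $Key
        LegalNoticeCaption = $caption
        LegalNoticeText    = $text
        # Any non-empty notice deserves review against your approved logon banner;
        # a matched phrase is a likely DXXD artifact.
        IsSet              = ($caption -ne '' -or $text -ne '')
        MatchedPhrases     = @($hits)
        Suspicious         = (@($hits).Count -gt 0)
    }
}

function Find-DxxdFiles {
    # Paths may be local volumes or UNC shares, e.g. '\\fileserver\finance' (assumed name).
    param([string[]]$Path)

    Get-ChildItem -Path $Path -Recurse -Force -File -Filter '*.dxxd' -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, LastWriteTime
}

$finding = Get-LegalNoticeFinding
$finding | Format-List

if ($finding.Suspicious) {
    Write-Warning "Winlogon legal notice matches DXXD ransom note text: $($finding.MatchedPhrases -join '; ')"
}

# Hunt for encrypted files on the system drive; add share paths for servers hosting data.
Find-DxxdFiles -Path @("$env:SystemDrive\") | Format-Table -AutoSize
```

Run the same check from a scheduled task or your endpoint management tooling to catch the banner change before the next interactive logon.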


According to Abrams, the ransomware’s alleged author decided to taunt victims and researchers by creating an account on BleepingComputer and claiming that a newer version of the ransomware has been developed and that it is more difficult to decrypt. The developer also claimed that a new zero-day vulnerability was used to compromise servers and install the ransomware.

Researchers say that paying the ransom isn’t a solution in the event of an attack, because it doesn’t guarantee that the data will be recovered. To keep their data safe, users are advised to back up their files regularly, keep their software up to date, use a reputable anti-malware solution, avoid opening attachments or clicking on links from unknown sources, disable Remote Desktop Protocol (RDP) where it is not needed, and block executables from running out of the AppData and LocalAppData folders.

Related: Brazilian Hackers Using RDP to Spread Xpan Ransomware

Related: Cry Ransomware Uses Google Maps to Find Victim Locations

Written By

Ionut Arghire is an international correspondent for SecurityWeek.