Apocalypse Ransomware Leverages RDP for Infection

One of the latest trends in ransomware is to leverage the Remote Desktop Protocol (RDP) to infect targeted machines, and a new malware family that uses this technique was recently discovered, Emsisoft researchers warn.


Dubbed Apocalypse, the new ransomware was spotted in the wild at the beginning of May, using weak passwords on insecurely configured Windows servers running the remote desktop service as its main attack vector. Through RDP, the malware can brute force its way into a computer, while attackers can interact with the compromised system as if they had physical access to it.

According to Emsisoft researchers, early variants of the Apocalypse ransomware install to %appdata%windowsupdate.exe, after which they create a run key called windows update in both HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE. The threat appends the .encrypted extension to the encrypted files, creates a ransom note for every file, and uses the dr.compress(at)us1.l.a / dr.compress(at)bk.ru / dr.jimbo(at)bk.ru / dr.decrypter(at)bk.ru email addresses in the ransom note.

A second malware variant emerged in early June, one that would install in %ProgramFiles%windowsupdate.exe, would create a run key called windows update svc, and would use the [email protected] email address. On June 22, a third variant emerged, installing to %ProgramFiles%firefox.exe and creating a run key called firefox update checker. It also uses the .SecureCrypted extension and the [email protected] email address.

Before infecting a system, the ransomware checks whether the default system language is set to Russian, Ukrainian, or Belarusian, and terminates itself if it is. If not, it copies itself to %ProgramFiles%firefox.exe, then sets the attributes of this executable to hidden and system, while also modifying the timestamp of this file to match the explorer.exe timestamp. Next, it creates a run value to make sure that it runs on every startup.

After installation, the ransomware runs the newly created firefox.exe, which is responsible for two different tasks on the infected computer: it periodically checks whether certain Windows processes are running and then kills them, while also starting the encryption routine. The ransomware fetches a list of all removable, fixed or remote network drives, but doesn’t encrypt the latter, because of a bug in its encryption routine, researchers say.

After fetching the list, the ransomware proceeds to scan all folders and encrypts all files in them, except for those in the Windows folder and those whose names end with one of the following strings: .exe, .dll, .sys, .msi, .com, .lnk, .tmp, .ini, .SecureCrypted, .bin, .bat, .dat, .Contact_Here_To_Recover_Your_Files.txt.

Before encrypting a file, the malware checks whether it has already been encrypted, then encrypts its content using a custom XOR-based algorithm (which differs slightly between the three observed variants). The ransomware then writes the magic value and encrypted content to the file and appends .SecureCrypted to the filename.


Apocalypse also restores the original file timestamp, after which it creates a ransom note for the file. Moreover, it creates a window which it displays to the user with a similar ransom note. Researchers also discovered that the ransomware authors hid an insulting message to Emsisoft within the code.
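The file and persistence indicators described above (the .encrypted and .SecureCrypted extensions, the per-file ransom notes, and the run-value names windows update, windows update svc and firefox update checker) are enough for a simple host triage script. The following is an added example, not Emsisoft's or SecurityWeek's code. It assumes ransom notes are named after the file they accompany with the .Contact_Here_To_Recover_Your_Files.txt suffix that appears in the ransomware's skip list, and it matches names case-insensitively; the magic value mentioned in the article is not published there, so files are identified by name only. The sample directory tree it scans is constructed inside the script.

```python
"""Host triage for the Apocalypse indicators described in the article.

Added example, not Emsisoft's or SecurityWeek's code. Assumptions: ransom
notes are named <file>.Contact_Here_To_Recover_Your_Files.txt and name
matching is case-insensitive. Files are identified by name, not content.
"""
import os
import sys
import tempfile
from typing import Dict, List, Optional, Tuple

# Extensions appended by the observed variants (.encrypted, then .SecureCrypted).
ENCRYPTED_EXTENSIONS = (".encrypted", ".securecrypted")
RANSOM_NOTE_SUFFIX = ".contact_here_to_recover_your_files.txt"  # assumed note name
# Run-value names created by the three variants, per the article.
RUN_VALUE_NAMES = {"windows update", "windows update svc", "firefox update checker"}
RUN_KEY_PATH = r"Software\Microsoft\Windows\CurrentVersion\Run"


def classify_name(filename: str) -> Optional[str]:
    """Return 'ransom_note', 'encrypted' or None for a single file name."""
    lower = filename.lower()
    if lower.endswith(RANSOM_NOTE_SUFFIX):
        return "ransom_note"
    if lower.endswith(ENCRYPTED_EXTENSIONS):
        return "encrypted"
    return None


def scan_tree(root: str) -> Dict[str, List[str]]:
    """Walk a directory tree and group matching paths by indicator kind."""
    findings: Dict[str, List[str]] = {"encrypted": [], "ransom_note": []}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            kind = classify_name(name)
            if kind is not None:
                findings[kind].append(os.path.join(dirpath, name))
    return findings


def check_run_keys() -> List[Tuple[str, str, str]]:
    """On Windows, return (hive, value name, data) for Run values whose name
    matches the article's list; returns [] on platforms without winreg."""
    try:
        import winreg  # only available on Windows
    except ImportError:
        return []
    hits: List[Tuple[str, str, str]] = []
    hives = (("HKCU", winreg.HKEY_CURRENT_USER), ("HKLM", winreg.HKEY_LOCAL_MACHINE))
    for hive_name, hive in hives:
        try:
            key = winreg.OpenKey(hive, RUN_KEY_PATH)
        except OSError:
            continue
        with key:
            index = 0
            while True:
                try:
                    value_name, data, _kind = winreg.EnumValue(key, index)
                except OSError:
                    break  # no more values in this key
                if value_name.lower() in RUN_VALUE_NAMES:
                    hits.append((hive_name, value_name, str(data)))
                index += 1
    return hits


def build_sample_tree() -> str:
    """Create a constructed directory tree resembling a partially hit host."""
    root = tempfile.mkdtemp(prefix="apocalypse_demo_")
    sample_files = [
        "docs/report.docx.SecureCrypted",
        "docs/report.docx.Contact_Here_To_Recover_Your_Files.txt",
        "photos/holiday.jpg.encrypted",
        "photos/holiday.jpg.Contact_Here_To_Recover_Your_Files.txt",
        "notes.txt",     # untouched file
        "app/tool.exe",  # extension the ransomware skips
    ]
    for rel in sample_files:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"constructed sample content\n")
    return root


def main(argv: List[str]) -> int:
    """Scan the given root (or the constructed sample) and report findings."""
    root = argv[1] if len(argv) > 1 else build_sample_tree()
    findings = scan_tree(root)
    for kind, paths in findings.items():
        print(f"{kind}: {len(paths)} file(s)")
        for p in sorted(paths):
            print("  ", p)
    run_hits = check_run_keys()
    for hive, name, data in run_hits:
        print(f"run value {hive}\\...\\Run\\{name} -> {data}")
    return 1 if any(findings.values()) or run_hits else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with a directory argument to triage a real volume; without one it scans the constructed sample and exits non-zero because indicators were found. Because the article notes that the attackers operate interactively over RDP and can disable protection, the run-key check is worth pairing with a review of RDP logon events rather than being relied on alone.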

According to Emsisoft researchers, anti-malware software is rather ineffective against this threat, mainly because the attackers use remote control to gain access to the system, which means that they can also disable protection mechanisms. However, a decrypter is available for all Apocalypse victims, meaning that they can restore their files for free.

“The most important line of defense is a proper password policy that is enforced for all user accounts with remote access to the system. This does apply to rarely used accounts created for testing purposes or by applications as well. Even better would be to disable Remote Desktop or Terminal Services completely if not required or at least to use IP address based restrictions to allow the access to these services from trusted networks only,” Emsisoft notes.

Related: Bucbi Ransomware Spreading Via RDP Brute Force Attacks

Related: Minimizing Exposure to Ransomware Attacks
