One of the latest trends in ransomware is to leverage the Remote Desktop Protocol (RDP) to infect targeted machines, and a new malware family that uses this technique was recently discovered, Emsisoft researchers warn.
Dubbed Apocalypse, the new ransomware was spotted in the wild at the beginning of May. Its main attack vector is weak passwords on insecurely configured Windows servers that expose the Remote Desktop service: the attackers brute-force RDP logins, and once in they can interact with the compromised system as if they had physical access to it, dropping and running the malware by hand.
According to Emsisoft researchers, early variants of the Apocalypse ransomware install to %appdata%\windowsupdate.exe, then create a run value named "windows update" under both HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE. This variant appends the .encrypted extension to encrypted files, creates a ransom note for every file, and lists the dr.compress(at)us1.l.a / dr.compress(at)bk.ru / dr.jimbo(at)bk.ru / dr.decrypter(at)bk.ru email addresses in the ransom note.
A second variant emerged in early June; it installs to %ProgramFiles%\windowsupdate.exe, creates a run value named "windows update svc", and uses the [email protected] email address. On June 22 a third variant appeared, installing to %ProgramFiles%\firefox.exe and creating a run value named "firefox update checker". It uses the .SecureCrypted extension and the [email protected] email address.
Before infecting a system, the ransomware checks whether the default system language is Russian, Ukrainian or Belarusian, and terminates itself if it is. Otherwise it copies itself to %ProgramFiles%\firefox.exe, sets the hidden and system attributes on that executable, and sets its file timestamp to match that of explorer.exe (timestomping, so the dropped binary does not stand out in a timeline review). Next, it creates a run value so that it is started on every boot.
After installation, the ransomware launches the newly created firefox.exe, which has two jobs on the infected computer: it periodically checks whether certain Windows processes are running and kills them, and it starts the encryption routine. The ransomware enumerates all removable, fixed and remote (network) drives, but because of a bug in its encryption routine it never actually encrypts the network drives, researchers say.
After building the drive list, the ransomware walks every folder and encrypts the files in it, except for files under the Windows folder and files whose names end in one of the following strings: .exe, .dll, .sys, .msi, .com, .lnk, .tmp, .ini, .SecureCrypted, .bin, .bat, .dat, .Contact_Here_To_Recover_Your_Files.txt. The last two entries keep it from re-processing its own output and ransom notes.
Before encrypting a file, the malware checks whether the file has already been encrypted, then encrypts its content with a custom XOR-based algorithm (which differs slightly between the three observed variants). It then writes a magic value followed by the encrypted content back to the file and appends .SecureCrypted to the filename.
Apocalypse then restores the original file timestamp and creates a ransom note for the file. It also opens a window displaying a similar ransom note to the user. Researchers further found that the authors hid an insulting message aimed at Emsisoft in the code.
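The artifacts above (run value names, drop paths, hidden+system attributes with an explorer.exe timestamp, the .encrypted / .SecureCrypted extensions and per-file ransom notes) are enough for a quick host triage. The following script is an added example, not Emsisoft's tooling or anything from the article; it uses only the names, paths and extensions quoted above. Which timestamp field the malware copies from explorer.exe is not stated, so the script compares both creation and last-write time and treats either match as suspicious (an assumption). Run it in an elevated PowerShell session.

```powershell
# Added example: single-host triage for the Apocalypse artifacts described in the article.
# Everything not quoted in the article (the timestamp comparison, the result limit) is an assumption.

$runKeyNames = @('windows update', 'windows update svc', 'firefox update checker')
$dropPaths   = @("$env:APPDATA\windowsupdate.exe",
                 "$env:ProgramFiles\windowsupdate.exe",
                 "$env:ProgramFiles\firefox.exe")
$runKeyRoots = @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run')
$artifactPatterns = @('*.SecureCrypted', '*.encrypted', '*.Contact_Here_To_Recover_Your_Files.txt')

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Persistence: run values with the names used by the three variants, in HKCU and HKLM.
foreach ($root in $runKeyRoots) {
    if (-not (Test-Path $root)) { continue }
    $props = Get-ItemProperty -Path $root
    foreach ($name in $runKeyNames) {
        if ($null -ne $props.PSObject.Properties[$name]) {
            $findings.Add("Run value '$name' in $root -> $($props.$name)")
        }
    }
}

# 2. Dropped binary: present at a known path, hidden+system, timestamp copied from explorer.exe.
$explorer = Get-Item "$env:WINDIR\explorer.exe"
foreach ($p in $dropPaths) {
    $f = Get-Item -LiteralPath $p -Force -ErrorAction SilentlyContinue   # -Force: see hidden files
    if ($null -eq $f) { continue }
    $hiddenSystem = $f.Attributes.HasFlag([IO.FileAttributes]::Hidden) -and
                    $f.Attributes.HasFlag([IO.FileAttributes]::System)
    # Assumption: a match on either field counts as timestomping.
    $timestomped  = ($f.LastWriteTimeUtc -eq $explorer.LastWriteTimeUtc) -or
                    ($f.CreationTimeUtc  -eq $explorer.CreationTimeUtc)
    $findings.Add("Binary at $p (hidden+system=$hiddenSystem, timestamp matches explorer.exe=$timestomped)")
}

# 3. Encryption artifacts: encrypted files and per-file ransom notes on local drives.
#    Network drives are skipped: the article says the bug leaves them unencrypted anyway.
$localDrives = Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Root -match '^[A-Z]:\\$' }
foreach ($d in $localDrives) {
    $hits = Get-ChildItem -Path $d.Root -Recurse -Force -File -Include $artifactPatterns `
                          -ErrorAction SilentlyContinue | Select-Object -First 10
    foreach ($h in $hits) { $findings.Add("Encryption artifact: $($h.FullName)") }
}

if ($findings.Count -eq 0) { 'No Apocalypse indicators found on this host.' } else { $findings }
```

A hit in section 1 or 2 with no hits in section 3 usually means the dropper is in place but encryption has not started; that is the window in which killing firefox.exe and removing the run value still prevents data loss. Because the operators log in over RDP, the host's Security log (logon type 10 events) should be reviewed alongside these findings to identify the source address and the account that was brute-forced.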
According to Emsisoft researchers, anti-malware software on the host is of limited use against this threat, because the attackers have interactive remote access and can disable protection mechanisms before they drop the malware. However, a decrypter is available for all Apocalypse victims, so they can restore their files for free.
“The most important line of defense is a proper password policy that is enforced for all user accounts with remote access to the system. This does apply to rarely used accounts created for testing purposes or by applications as well. Even better would be to disable Remote Desktop or Terminal Services completely if not required or at least to use IP address based restrictions to allow the access to these services from trusted networks only,” Emsisoft notes.
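The three controls in that quote (an enforced password policy for every account that can log on remotely, disabling Remote Desktop where it is not needed, and restricting it to trusted source networks where it is) can be applied on a stand-alone Windows host with the script below. This is an added example, not code from Emsisoft or the article. The lockout numbers, the minimum password length and the $TrustedNets default are choices made for the example, not values from the page, and the "never logged on" check is one interpretation of the advice about rarely used test and application accounts. Domain-joined hosts should receive the same settings through Group Policy rather than local edits.

```powershell
# Added example: hardening RDP exposure on a stand-alone Windows host along the lines
# of the Emsisoft recommendations. Run elevated. Values below are example choices.
param(
    [switch]$DisableRdp,                                           # set when RDP is not required
    [string[]]$TrustedNets = @('10.0.0.0/8', '192.168.1.0/24')     # assumed admin networks
)

$ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

# 1. Password and lockout policy for the local SAM. Applies to every local account,
#    including forgotten test or application accounts that could still log on over RDP.
net accounts /minpwlen:14 /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30 | Out-Null

# Enumerate who can actually open an RDP session (Remote Desktop Users plus Administrators)
# and flag enabled local accounts that have never logged on. Domain members are listed
# but not inspected here; Get-LocalUser cannot see them.
$rdpUsers = Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue
$admins   = Get-LocalGroupMember -Group 'Administrators'
($rdpUsers + $admins) | Select-Object -ExpandProperty Name -Unique | ForEach-Object {
    "RDP-capable principal: $_"
    $u = Get-LocalUser -Name (($_ -split '\\')[-1]) -ErrorAction SilentlyContinue
    if ($u -and $u.Enabled -and -not $u.LastLogon) {
        Write-Warning "Enabled account '$($u.Name)' has never logged on: review or disable it"
    }
}

if ($DisableRdp) {
    # 2a. Remote Desktop not needed: refuse connections and close the firewall rule group.
    Set-ItemProperty -Path $ts -Name fDenyTSConnections -Value 1
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
} else {
    # 2b. Remote Desktop needed: require Network Level Authentication (credentials are
    #     checked before a session is created) and scope the inbound rules to trusted nets.
    Set-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name UserAuthentication -Value 1
    Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -RemoteAddress $TrustedNets
}

# 3. Show the resulting exposure: which source addresses each Remote Desktop rule now accepts.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    Get-NetFirewallAddressFilter |
    Select-Object InstanceID, RemoteAddress
```

Run as `.\Harden-Rdp.ps1 -DisableRdp` on hosts that do not need remote desktop, or `.\Harden-Rdp.ps1 -TrustedNets '10.20.0.0/16'` where it must stay on. The firewall scoping only helps if the host is not also reachable through a port-forward or a cloud security group that bypasses the Windows firewall, so check that path as well.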
Related: Bucbi Ransomware Spreading Via RDP Brute Force Attacks
Related: Minimizing Exposure to Ransomware Attacks