Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Apocalypse Ransomware Leverages RDP for Infection

One of the latest trends in ransomware is to leverage the Remote Desktop Protocol (RDP) to infect targeted machines, and a new malware family that uses this technique was recently discovered, Emsisoft researchers warn.

One of the latest trends in ransomware is to leverage the Remote Desktop Protocol (RDP) to infect targeted machines, and a new malware family that uses this technique was recently discovered, Emsisoft researchers warn.

Dubbed Apocalypse, the new ransomware was spotted in the wild in the beginning of May, using weak passwords on insecurely configured Windows servers running the remote desktop service as its main attack vector. Through RDP, the malware can brute force its way into a computer, while attackers can interact with the compromised system as if they had physical access to it.

According to Emsisoft researchers, early variants of the Apocalypse ransomware install to %appdata%windowsupdate.exe, after which they create a run key called windows update to both HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE. The threat appends the .encrypted extension to the encrypted files, creates a ransom note for every file, and uses the dr.compress(at)us1.l.a / dr.compress(at) / dr.jimbo(at) / dr.decrypter(at) email addresses in the ransom note.

A second malware variant emerged in early June, one that would install in %ProgramFiles%windowsupdate.exe, would create a run key called windows update svc, and would use the [email protected] email address. On June 22, a third variant emerged, installing to %ProgramFiles%firefox.exe and creating a run key called firefox update checker. It also uses the .SecureCrypted extension and the [email protected] email address.

Before infecting a system, the ransomware checks whether the default system language is set to Russian, Ukrainian, or Belarusian, and terminates itself if it does. If not, it copies itself to %ProgramFiles%firefox.exe, then sets the attributes for this executable to hidden and system, while also modifying the timestamp of this file using the explorer.exe timestamp. Next, it creates a run value to make sure that it runs on every startup.

After installation, the ransomware runs the newly created firefox.exe, which is responsible for two different tasks on the infected computer: it periodically checks whether certain Windows processes are running and then kills them, while also starting the encryption routine. The ransomware fetches a list of all removable, fixed or remote network drives, but doesn’t encrypt the latter, because of a bug in its encryption routine, researchers say.

After fetching the list, the ransomware proceeds to scanning all folders and encrypts all files in them, except for those in the Windows folder and those containing the following text strings in the end of their name: .exe, .dll, .sys, .msi, .com, .lnk, .tmp, .ini, .SecureCrypted, .bin, .bat, .dat, .Contact_Here_To_Recover_Your_Files.txt.

Before encrypting a file, the malware checks whether it hasn’t been already encrypted, then encrypts its content using a custom XOR-based algorithm (which is slightly different between the three observed variants). The ransomware then writes the magic value and encrypted content to the file and appends .SecureCrypted to the filename.

Apocalypse also restores the original file timestamp, after which it creates a ransom note for the file. Moreover, it creates a window which it displays to the user with a similar ransom note. Researchers also discovered that the ransomware authors hid an insulting message to Emsisoft within the code.

According to Emsisoft researchers, anti-malware software is rather ineffective against this threat, mainly because the attackers use remote control to gain access to the system, which means that they can also disable protection mechanisms. However, a dectypter is available for all Apocalypse victims, meaning that they can restore their files for free.

“The most important line of defense is a proper password policy that is enforced for all user accounts with remote access to the system. This does apply to rarely used accounts created for testing purposes or by applications as well. Even better would be to disable Remote Desktop or Terminal Services completely if not required or at least to use IP address based restrictions to allow the access to these services from trusted networks only,” Emsisoft notes.

Related: Bucbi Ransomware Spreading Via RDP Brute Force Attacks

Related: Minimizing Exposure to Ransomware Attacks

Written By

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Malware & Threats

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering,...


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

Norway‎-based DNV said a ransomware attack on its ship management software impacted 1,000 vessels.

Malware & Threats

A GitHub Codespaces feature meant to help with code development and collaboration can be abused for malware delivery.