Apocalypse Ransomware Leverages RDP for Infection

One of the latest trends in ransomware is to leverage the Remote Desktop Protocol (RDP) to infect targeted machines, and a new malware family that uses this technique was recently discovered, Emsisoft researchers warn.

Dubbed Apocalypse, the new ransomware was spotted in the wild at the beginning of May. Its main attack vector is weak passwords on insecurely configured Windows servers running the remote desktop service: the attackers brute force their way in over RDP and then interact with the compromised system as if they had physical access to it.

According to Emsisoft researchers, early variants of the Apocalypse ransomware install to %appdata%\windowsupdate.exe, after which they create a Run key entry called windows update under both HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE. The threat appends the .encrypted extension to the encrypted files, creates a ransom note for every file, and uses the dr.compress(at)us1.l.a / dr.compress(at) / dr.jimbo(at) / dr.decrypter(at) email addresses in the ransom note.

A second variant emerged in early June; it installs to %ProgramFiles%\windowsupdate.exe, creates a Run key entry called windows update svc, and uses the [email protected] email address. On June 22, a third variant emerged, installing to %ProgramFiles%\firefox.exe and creating a Run key entry called firefox update checker. It uses the .SecureCrypted extension and the [email protected] email address.

Before infecting a system, the ransomware checks whether the default system language is set to Russian, Ukrainian, or Belarusian, and terminates itself if so. If not, it copies itself to %ProgramFiles%\firefox.exe, sets the hidden and system attributes on this executable, and overwrites the file's timestamp with the timestamp of explorer.exe. Next, it creates a run value to make sure that it runs on every startup.

After installation, the ransomware runs the newly created firefox.exe, which performs two tasks on the infected computer: it periodically checks whether certain Windows processes are running and kills them, and it starts the encryption routine. The ransomware fetches a list of all removable, fixed and remote network drives, but because of a bug in its encryption routine it never encrypts the network drives, researchers say.

After fetching the list, the ransomware scans every folder and encrypts all files in them, except for those in the Windows folder and those whose names end with one of the following strings: .exe, .dll, .sys, .msi, .com, .lnk, .tmp, .ini, .SecureCrypted, .bin, .bat, .dat, .Contact_Here_To_Recover_Your_Files.txt.

Before encrypting a file, the malware checks whether it has already been encrypted, then encrypts its content using a custom XOR-based algorithm (which differs slightly between the three observed variants). The ransomware then writes a magic value and the encrypted content to the file and appends .SecureCrypted to the filename.

Apocalypse then restores the file's original timestamp and creates a ransom note for the file. It also displays a window to the user with a similar ransom note. Researchers further discovered that the ransomware authors hid an insulting message to Emsisoft within the code.
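The installation artifacts described above (drop paths, Run key entries, hidden and system attributes, the explorer.exe timestamp copy, the .SecureCrypted extension and the per-file ransom note) are concrete enough to check for on a host. The following read-only triage script is an added example, not Emsisoft's tooling or code from the article; it only reports what it finds and assumes it is run in an elevated PowerShell session.

```powershell
# Added example: triage a Windows host for the Apocalypse artifacts the article lists.
# Read-only; run elevated so HKLM and Program Files are readable.
$findings = @()

# Run key entry names used by the three variants (HKCU and HKLM are both checked).
$runValueNames = @('windows update', 'windows update svc', 'firefox update checker')
$runKeys = @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run')
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $runValueNames) {
        if ($props.PSObject.Properties.Name -contains $name) {
            $findings += "Run entry '$name' under $key -> $($props.$name)"
        }
    }
}

# Drop locations used by the three variants. Note that a legitimate Firefox lives in
# a subfolder (Mozilla Firefox\firefox.exe), not directly in Program Files.
$dropPaths = @((Join-Path $env:APPDATA 'windowsupdate.exe'),
               (Join-Path $env:ProgramFiles 'windowsupdate.exe'),
               (Join-Path $env:ProgramFiles 'firefox.exe'))
$explorerTime = (Get-Item "$env:WINDIR\explorer.exe").LastWriteTime
foreach ($path in $dropPaths) {
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $file  = Get-Item -LiteralPath $path -Force        # -Force shows hidden/system files
    $attrs = $file.Attributes
    $hidden = ([int]($attrs -band [IO.FileAttributes]::Hidden)) -ne 0
    $system = ([int]($attrs -band [IO.FileAttributes]::System)) -ne 0
    # The third variant copies explorer.exe's timestamp onto its dropper (timestomping).
    $stomped = $file.LastWriteTime -eq $explorerTime
    $findings += "File $path present (hidden=$hidden system=$system timestamp=explorer.exe:$stomped)"
}

# Encrypted files and ransom notes in the current user's profile (extension and note
# name are those the article gives for the .SecureCrypted variant).
$hits = Get-ChildItem -Path $env:USERPROFILE -Recurse -Force -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -like '*.SecureCrypted' -or
                   $_.Name -like '*.Contact_Here_To_Recover_Your_Files.txt' }
if ($hits) { $findings += "$($hits.Count) encrypted file(s)/ransom note(s) under $env:USERPROFILE" }

if ($findings.Count -eq 0) { 'No Apocalypse artifacts from the article were found.' } else { $findings }
```

A positive hit on the Run entry or drop path is worth treating as a remote-access compromise, not only a malware infection, since the operators reached the host interactively over RDP.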

According to Emsisoft researchers, anti-malware software is rather ineffective against this threat, mainly because the attackers use remote control to gain access to the system, which means they can also disable protection mechanisms. However, a decrypter is available for all Apocalypse victims, meaning that they can restore their files for free.

“The most important line of defense is a proper password policy that is enforced for all user accounts with remote access to the system. This does apply to rarely used accounts created for testing purposes or by applications as well. Even better would be to disable Remote Desktop or Terminal Services completely if not required or at least to use IP address based restrictions to allow the access to these services from trusted networks only,” Emsisoft notes.
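Emsisoft's three recommendations (strong passwords on every account with remote access, disabling Remote Desktop where it is not needed, and IP-based restrictions otherwise) map directly onto host settings. The script below is an added example, not from Emsisoft or the article; it applies the firewall restriction and an account lockout threshold, then lists failed RDP logons so password guessing is visible. The trusted network range is an assumption and must be replaced; the lockout values are illustrative.

```powershell
# Added example: apply the article's RDP mitigations and surface RDP password guessing.
# Run elevated. 10.0.0.0/8 is a placeholder for the networks that legitimately need RDP.
$trustedNetworks = @('10.0.0.0/8')

# 1. Restrict the built-in "Remote Desktop" inbound rules to trusted networks only.
#    If RDP is not required at all, disable the rules instead (see comment below).
$rdpRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue
if ($rdpRules) {
    $rdpRules | Set-NetFirewallRule -RemoteAddress $trustedNetworks
    # Alternative when RDP is not needed:  $rdpRules | Disable-NetFirewallRule
}

# 2. Lock accounts after repeated failures so online guessing stalls. This covers the
#    rarely used test and application accounts the article singles out, too.
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30

# 3. Failed logons (Event 4625) with LogonType 10 (RemoteInteractive) in the last 24 h,
#    grouped by source address. Note: with Network Level Authentication enabled, failed
#    RDP attempts are commonly recorded as LogonType 3 instead, so widen the filter if needed.
$since  = (Get-Date).AddHours(-24)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
          -ErrorAction SilentlyContinue
$failed = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($data['LogonType'] -eq '10') {
        [pscustomobject]@{ Source = $data['IpAddress']; Account = $data['TargetUserName'] }
    }
}
$failed | Group-Object Source | Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'Accounts'; e = { ($_.Group.Account | Sort-Object -Unique) -join ',' } } |
    Format-Table -AutoSize
```

A single source address with many failures spread across several account names is the pattern the article describes; on an exposed server it should be followed by the triage above and a credential reset for the accounts it targeted.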

Related: Bucbi Ransomware Spreading Via RDP Brute Force Attacks

Related: Minimizing Exposure to Ransomware Attacks
