One of the latest trends in ransomware is to leverage the Remote Desktop Protocol (RDP) to infect targeted machines, and a new malware family that uses this technique was recently discovered, Emsisoft researchers warn.
Dubbed Apocalypse, the new ransomware was spotted in the wild at the beginning of May, using weak passwords on insecurely configured Windows servers running the remote desktop service as its main attack vector. Over RDP the attackers can brute force their way into a computer and then interact with the compromised system as if they had physical access to it.
According to Emsisoft researchers, early variants of the Apocalypse ransomware install to %appdata%\windowsupdate.exe, after which they create a run key called windows update in both HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE. The threat appends the .encrypted extension to the encrypted files, creates a ransom note for every file, and uses the dr.compress(at)us1.l.a / dr.compress(at)bk.ru / dr.jimbo(at)bk.ru / dr.decrypter(at)bk.ru email addresses in the ransom note.
A second malware variant emerged in early June; it installs to %ProgramFiles%\windowsupdate.exe, creates a run key called windows update svc, and uses the [email protected] email address. On June 22, a third variant emerged, installing to %ProgramFiles%\firefox.exe and creating a run key called firefox update checker. It also switches to the .SecureCrypted extension and the [email protected] email address.
Before infecting a system, the ransomware checks whether the default system language is set to Russian, Ukrainian, or Belarusian, and terminates itself if so. Otherwise, it copies itself to %ProgramFiles%\firefox.exe, sets the hidden and system attributes on that executable, and overwrites the file's timestamp with the timestamp of explorer.exe. Finally, it creates a run value to make sure it runs on every startup.
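The persistence described above leaves a small, fixed set of registry indicators: a Run value named windows update, windows update svc or firefox update checker, pointing at windowsupdate.exe or firefox.exe dropped directly under %appdata% or %ProgramFiles%. The following Python script is an added example, not Emsisoft's code or part of the original article: it parses the text of a `reg export` of the HKCU and HKLM Run keys (the export below is constructed) and flags entries matching those indicators. The value names and drop locations come from the article; the parsing code, the sample export and the treatment of Program Files (x86) are the example's own assumptions. Legitimate Firefox lives in a vendor subfolder such as C:\Program Files\Mozilla Firefox\firefox.exe, so the path rule looks at the parent directory rather than the file name alone.

```python
import re
from typing import List, Tuple

# Indicators from the article: the run-value names used by the three variants and the
# executable names they drop directly under %appdata% (variant 1) or %ProgramFiles% (2 and 3).
SUSPICIOUS_RUN_NAMES = {"windows update", "windows update svc", "firefox update checker"}
SUSPICIOUS_BINARIES = {"windowsupdate.exe", "firefox.exe"}

# One "name"="data" line of a .reg export; .reg files write \ as \\ and " as \".
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
# First executable in a command line: the quoted token, or everything up to the first ".exe".
EXE_IN_COMMAND = re.compile(r'^(?:"([^"]+)"|(.*?\.exe))', re.IGNORECASE)
# Assumption: treat both Program Files roots as %ProgramFiles% for the location check.
PROGRAM_FILES_ROOT = re.compile(r'^[a-z]:\\program files( \(x86\))?$', re.IGNORECASE)

# Constructed sample export (not a real capture): benign autoruns beside two impostors.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"windows update"="C:\\Users\\alice\\AppData\\Roaming\\windowsupdate.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"Mozilla Firefox"="\"C:\\Program Files\\Mozilla Firefox\\firefox.exe\""
"firefox update checker"="C:\\Program Files\\firefox.exe"
'''


def unescape_reg(reg_string: str) -> str:
    """Undo .reg escaping: \\\\ becomes \\ and \\" becomes "."""
    return re.sub(r'\\(.)', r'\1', reg_string)


def executable_path(command: str) -> str:
    """Extract the executable from a Run value's command line."""
    m = EXE_IN_COMMAND.match(command.strip())
    if not m:
        return command.strip()
    return (m.group(1) or m.group(2)).strip()


def is_dropper_location(parent: str) -> bool:
    """True if the parent directory is %appdata% or a Program Files root itself."""
    p = parent.lower()
    return (p in {"%appdata%", "%programfiles%"}
            or p.endswith("\\appdata\\roaming")
            or bool(PROGRAM_FILES_ROOT.match(parent)))


def find_apocalypse_persistence(reg_export: str) -> List[Tuple[str, str, str, str]]:
    """Return (key, value name, executable, reason) for each Run entry matching the indicators."""
    findings = []
    current_key = ""
    for raw in reg_export.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        m = VALUE_LINE.match(line)
        if not m or not current_key.lower().endswith("\\run"):
            continue
        name, command = unescape_reg(m.group(1)), unescape_reg(m.group(2))
        exe = executable_path(command)
        parent, _, basename = exe.rpartition("\\")
        reasons = []
        if name.lower() in SUSPICIOUS_RUN_NAMES:
            reasons.append("run-value name matches an Apocalypse variant")
        if basename.lower() in SUSPICIOUS_BINARIES and is_dropper_location(parent):
            reasons.append("impostor binary directly under %appdata%/%ProgramFiles%")
        if reasons:
            findings.append((current_key, name, exe, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for key, name, exe, reason in find_apocalypse_persistence(SAMPLE_REG_EXPORT):
        print(f"[{key}] {name!r} -> {exe}\n    {reason}")
```

On a live host the input would come from `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg` (and the HKCU equivalent) rather than the embedded sample; the two rules are deliberately independent so that a renamed value still trips the location check and a relocated binary still trips the name check.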
After installation, the ransomware runs the newly created firefox.exe, which performs two tasks on the infected computer: it periodically checks whether certain Windows processes are running and kills them, and it starts the encryption routine. The ransomware enumerates all removable, fixed and remote network drives, but because of a bug in its encryption routine the network drives are not actually encrypted, researchers say.
After fetching the list, the ransomware scans every folder and encrypts all files in them, except those in the Windows folder and those whose names end in one of the following strings: .exe, .dll, .sys, .msi, .com, .lnk, .tmp, .ini, .SecureCrypted, .bin, .bat, .dat, .Contact_Here_To_Recover_Your_Files.txt.
Before encrypting a file, the malware checks whether it has already been encrypted, then encrypts its content using a custom XOR-based algorithm (which differs slightly between the three observed variants). The ransomware then writes a magic value followed by the encrypted content to the file and appends .SecureCrypted to the filename.
Apocalypse also restores the original file timestamp, then creates a ransom note for the file. In addition, it displays a window to the user containing a similar ransom note. Researchers also discovered that the ransomware authors hid an insulting message to Emsisoft within the code.
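The encryption behaviour described above leaves two file-level artifacts a responder can sweep for: files whose names end in .SecureCrypted (or .encrypted for the early variant) and ransom notes whose names end in .Contact_Here_To_Recover_Your_Files.txt, one per encrypted file. The following Python triage script is an added example, not Emsisoft's code or part of the original article: it builds a small constructed directory tree in a temp folder, walks it, and reports encrypted files, ransom notes, and any directory that holds encrypted files but no note. The suffixes come from the article; the exact note file names, the placement of notes beside the files they refer to, and the sample contents are assumptions made for the sample.

```python
import os
import shutil
import tempfile
from dataclasses import dataclass, field
from typing import List

# Suffixes from the article: the third variant's extension, the early variants' extension,
# and the trailing part of the per-file ransom note name. Matching is a case-insensitive
# ends-with test on the whole file name, mirroring how the ransomware itself skips files.
ENCRYPTED_SUFFIXES = (".securecrypted", ".encrypted")
RANSOM_NOTE_SUFFIX = ".contact_here_to_recover_your_files.txt"


@dataclass
class TriageReport:
    encrypted: List[str] = field(default_factory=list)
    ransom_notes: List[str] = field(default_factory=list)
    # Directories holding encrypted files but no note at all (worth a second look,
    # since the article says a note is written for every file).
    dirs_without_note: List[str] = field(default_factory=list)

    @property
    def hit(self) -> bool:
        return bool(self.encrypted or self.ransom_notes)


def triage_tree(root: str) -> TriageReport:
    """Walk root and collect Apocalypse file artifacts by name suffix."""
    report = TriageReport()
    for dirpath, _dirnames, filenames in os.walk(root):
        has_encrypted = has_note = False
        for name in filenames:
            low = name.lower()
            full = os.path.join(dirpath, name)
            if low.endswith(RANSOM_NOTE_SUFFIX):
                report.ransom_notes.append(full)
                has_note = True
            elif low.endswith(ENCRYPTED_SUFFIXES):
                report.encrypted.append(full)
                has_encrypted = True
        if has_encrypted and not has_note:
            report.dirs_without_note.append(dirpath)
    return report


def build_sample_tree() -> str:
    """Constructed victim-like tree; file contents are placeholders, not real ciphertext."""
    root = tempfile.mkdtemp(prefix="apocalypse_triage_")
    layout = {
        # Assumed note naming for the sample: <encrypted file name> + note suffix.
        "Documents/budget.xlsx.SecureCrypted": b"MAGIC-placeholder",
        "Documents/budget.xlsx.SecureCrypted.Contact_Here_To_Recover_Your_Files.txt": b"note",
        "Documents/notes.txt.SecureCrypted": b"MAGIC-placeholder",
        "Documents/notes.txt.SecureCrypted.Contact_Here_To_Recover_Your_Files.txt": b"note",
        "Pictures/cat.jpg.encrypted": b"MAGIC-placeholder",  # early-variant suffix, no note
        "Tools/setup.exe": b"MZ-placeholder",                # on the skip list, untouched
        "Windows/system.ini": b"[boot]",                     # Windows folder, untouched
    }
    for rel, content in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    return root


def remove_sample_tree(root: str) -> None:
    shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    sample = build_sample_tree()
    try:
        r = triage_tree(sample)
        print(f"encrypted files: {len(r.encrypted)}, ransom notes: {len(r.ransom_notes)}")
        for d in r.dirs_without_note:
            print(f"encrypted files without a note in: {d}")
    finally:
        remove_sample_tree(sample)
```

Point `triage_tree` at a mounted image or a share to get a count of affected files before deciding whether to run the decrypter; the `dirs_without_note` list surfaces spots where the observed behaviour deviates from the article's description, which in an investigation usually means a different variant or interrupted execution rather than a false alarm.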
According to Emsisoft researchers, anti-malware software is rather ineffective against this threat, mainly because the attackers use remote control to gain access to the system, which means they can also disable protection mechanisms. However, a decrypter is available for all Apocalypse victims, meaning they can restore their files for free.
“The most important line of defense is a proper password policy that is enforced for all user accounts with remote access to the system. This does apply to rarely used accounts created for testing purposes or by applications as well. Even better would be to disable Remote Desktop or Terminal Services completely if not required or at least to use IP address based restrictions to allow the access to these services from trusted networks only,” Emsisoft notes.