Larry Abrams at tech blog Bleeping Computer was the first one to report on this new wrinkle. The ransomware is called LowLevel04 and encrypts data using RSA-2048 encryption, the ransom is double from what is the normal $500 and demands four Bitcoin. This ransomware strain has been reported under various names including Trojan-Ransom.NSIS.ONION.air.
Specifically nasty is how it gets installed: brute force attacks on machines that have Remote Desktop or Terminal Services installed and have weak passwords.
Larry stated that “Many of the victims have also reported that the machines affected were servers, which makes sense as this type of attack would cause major disruption for a company,” He continued with: “It appears that once the attacker gains access to a target computer, they download and install a package that generates the encryption keys, encrypts the data files, and then uploads various files back up to the hacker's temp folder via a terminal services client drive mapping file."
LowLevel04 scans all mapped drives, including removable and network drives, for data files to encrypt. “When it encounters a file that contains certain file extensions it will encrypt them using AES encryption and then add the oorr. string to the beginning of the file name. As an example, test.doc will be renamed to oorr.test.doc,” Abrams said. When done, the malware cleans up after itself and deletes a number of files used in the encryption process as well as removing application, security and system logs.
In each folder a ransom note is left titled help recover files.txt which has instructions for the victim to follow if they want to decrypt their files. Here is how it looks:
Abrams also mentioned LowLevel04 does not delete Shadow Volume Copies (yet), so you could use that to get original, unencrypted versions of files back. More info on how to restore files from Shadow Volume Copies at Bleeping Computer.
What To Do About It:
Ransomware coders in the past have tried to get a foot in the door using RDP exploits because many businesses make use of remote desktop functionality on a daily basis.
Chris Boyd, malware analyst at MalwareBytes said: “If they don't need RDP, they should disable it - otherwise, keeping Windows patched will help ward off potential RDP exploits. Organizations should also consider moving to other remote desktop software if uncomfortable with the out of the box functionality provided by Windows. As with all things Ransomware, the surest solution is a sensible backup plan as no defense is foolproof.”
I would add to that using 2-factor authentication for any and all remote logins is a must-have safety measure in place at this point in time! And obviously stepping your end-users through effective security awareness training is essential since many ransomware attacks still arrive via email. Find out how affordable this is and be pleasantly surprised.