Remote Desktop Used to Spread Ransomware
Posted by: Timothy Weaver on 10/22/2015 10:02 AM
[
Comments
]
A new strain of ransomware is targeting computers running Remote Desktop and/or Terminal Services.
According to Bleeping Computers Lawrence Abram, the malware, dubbed LowLevel04, encrypts data using AES encryption and then demands a 4 Bitcoin, or $1000 USD, ransom to get files back.
The attack is made possible by the hacker brute forcing a weak password.
"Many of the victims have also reported that the machines affected were servers, which makes sense as this type of attack would cause major disruption for a company,” said Abrams. “It appears that once the attacker gains access to a target computer, they download and install a package that generates the encryption keys, encrypts the data files, and then uploads various files back up to the hacker's temp folder via the terminal services client drive mapping \\tsclient\c\temp\.”
Chris Boyd, malware intelligence analyst at Malwarebytes said many institutions use Remote Desktop on a daily basis. However: "if they don't need RDP, they should disable it - otherwise, keeping Windows patched will help ward off potential RDP exploits. Organisations should also consider moving to other remote desktop software if uncomfortable with the out of the box functionality provided by Windows. As with all things Ransomware, the surest solution is a sensible backup plan as no defence is foolproof.”
As with any ransomware, it is advised to not pay the ransom as this only encourages the hackers to continue, inviting more crooks to party, and also leaving your company open to future attacks.
Source: SCMagazine
According to Bleeping Computers Lawrence Abram, the malware, dubbed LowLevel04, encrypts data using AES encryption and then demands a 4 Bitcoin, or $1000 USD, ransom to get files back.The attack is made possible by the hacker brute forcing a weak password.
"Many of the victims have also reported that the machines affected were servers, which makes sense as this type of attack would cause major disruption for a company,” said Abrams. “It appears that once the attacker gains access to a target computer, they download and install a package that generates the encryption keys, encrypts the data files, and then uploads various files back up to the hacker's temp folder via the terminal services client drive mapping \\tsclient\c\temp\.”
Chris Boyd, malware intelligence analyst at Malwarebytes said many institutions use Remote Desktop on a daily basis. However: "if they don't need RDP, they should disable it - otherwise, keeping Windows patched will help ward off potential RDP exploits. Organisations should also consider moving to other remote desktop software if uncomfortable with the out of the box functionality provided by Windows. As with all things Ransomware, the surest solution is a sensible backup plan as no defence is foolproof.”
As with any ransomware, it is advised to not pay the ransom as this only encourages the hackers to continue, inviting more crooks to party, and also leaving your company open to future attacks.
Source: SCMagazine
Comments
