New Ransomware Infects Computers via Windows Remote Desktop Services

There are some ways to go around the malware's file encryption and recover at least some sensitive files

A new strain of ransomware is using the Windows built-in Remote Desktop Services or Terminal Services to infect computers, encrypt files, and then demand a ransom of 4 Bitcoin (~$1,000).

The ransomware was first reported by users in Bulgaria and Greece, a few of whom asked for help online on the Bleeping Computer tech forums. Malware researcher Nathan Scott took a closer look at this new ransomware family and found some interesting things.

Attackers are brute-forcing passwords on PCs running Remote Desktop Services

According to his findings, the attackers are manually installing the ransomware on each infected device: they brute-force user account passwords on machines whose Remote Desktop or Terminal Services connections have been left open to the Internet.

Once they have a foothold on a system, the attackers run the ransomware executable, which first maps all local and network drives.

After it has built a map of all drives and files, the ransomware searches for data files with specific extensions and encrypts them with a 2048-bit RSA key, the same scheme used by CryptoLocker, probably the best-known and most damaging ransomware family around.

To make sure users notice its work and pay the ransom, the ransomware also drops a file named "help recover files.txt" in each folder where it encrypts files; the note explains where to pay the ransom and how to have the encryption removed (see image below article). The email addresses used in this campaign are: [email protected] and [email protected].

There are some methods of recovering at least some of the files

The names of all encrypted files are also prefixed with the string "oorr.". Additionally, to hinder security researchers and reverse engineering, the ransomware cleans up after itself by clearing the Application, Security, and System event logs.
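The two behaviours described above (a password-guessing burst against Remote Desktop followed by a successful logon, and the Security log being cleared afterwards) both leave traces in the Windows Security log before it is wiped, provided those events are forwarded off the host. The following detection logic is an added example, not code from the article or the researcher; it runs over constructed sample records whose fields mirror Windows Security events 4625 (failed logon), 4624 (successful logon, LogonType 10 = RemoteInteractive/RDP) and 1102 (audit log cleared). The IP addresses are documentation ranges, not real sources.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (subset of Windows Security EventData fields).
# 198.51.100.7 and 192.0.2.9 are documentation addresses, not real hosts.
EVENTS = [
    {"time": "2015-02-10T01:00:00", "id": 4625, "logon_type": 10, "ip": "198.51.100.7", "user": "administrator"},
    {"time": "2015-02-10T01:00:02", "id": 4625, "logon_type": 10, "ip": "198.51.100.7", "user": "administrator"},
    {"time": "2015-02-10T01:00:04", "id": 4625, "logon_type": 10, "ip": "198.51.100.7", "user": "administrator"},
    {"time": "2015-02-10T01:00:06", "id": 4625, "logon_type": 10, "ip": "198.51.100.7", "user": "admin"},
    {"time": "2015-02-10T01:00:08", "id": 4625, "logon_type": 10, "ip": "198.51.100.7", "user": "admin"},
    {"time": "2015-02-10T01:00:30", "id": 4624, "logon_type": 10, "ip": "198.51.100.7", "user": "admin"},
    {"time": "2015-02-10T01:05:00", "id": 4625, "logon_type": 10, "ip": "192.0.2.9", "user": "jsmith"},
    {"time": "2015-02-10T01:05:20", "id": 4624, "logon_type": 10, "ip": "192.0.2.9", "user": "jsmith"},
    {"time": "2015-02-10T01:40:00", "id": 1102, "logon_type": None, "ip": None, "user": "admin"},
]


def detect(events, threshold=5, window=timedelta(minutes=10)):
    """Return a list of alert strings for the events, scanned in time order.

    An alert is raised when an RDP logon (4624, LogonType 10) succeeds from a
    source that produced at least `threshold` RDP failures (4625) within
    `window` before it, and whenever the Security log is cleared (1102).
    """
    alerts = []
    failures = defaultdict(list)  # source ip -> timestamps of RDP logon failures
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        if ev["id"] == 4625 and ev["logon_type"] == 10:
            failures[ev["ip"]].append(t)
        elif ev["id"] == 4624 and ev["logon_type"] == 10:
            recent = [f for f in failures[ev["ip"]] if t - f <= window]
            if len(recent) >= threshold:
                alerts.append(f"RDP brute force then success: {ev['ip']} as "
                              f"{ev['user']} ({len(recent)} failures in window)")
        elif ev["id"] == 1102:
            # Log clearing is itself the last event written before the wipe.
            alerts.append(f"Security log cleared by {ev['user']} at {ev['time']}")
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

In the sample data only 198.51.100.7 crosses the failure threshold before its successful logon; the single failure from 192.0.2.9 is treated as an ordinary mistyped password.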

Fortunately, there are some ways to recover some of the encrypted files. For starters, if encrypted files were also synchronized to cloud services such as Dropbox or Google Drive, users can simply remove the "oorr." prefix from the file name and use the service's web interface to revert to the file's previous version.

A second method is to restore the files from the drive's shadow volume copies, which this ransomware does not delete, using an application such as ShadowExplorer.

These methods will not recover every file, but they may help users who do not intend to pay the ransom get back at least some of their data.

Have always maintained that your first line of defending anything...including your computer and stuff on it ....is your brain...use it first and never rely JUST on software

case in point...my brother called me up the other day to tell me Microsoft phoned him to let him know he had a virus on his computer, and he called me to let me know I might be in danger in case the virus emailed me itself from his computer, and "Microsoft" said that may have taken place already... long story short "Microsoft" sold him an antivirus program for a discounted price of 40 dollars...sure enough when I told him to check his credit card use on the phone immediately ...the card had already had a 500.00 charge within seconds of him giving the information.... he falls for this stuff often enough that one would think he would have learned his lesson....in fact 4 days later he phoned me up to tell me he won a 70 inch TV on a scratch card he got in the mail... it took me 10 minutes to convince him that this was yet another scam like the one he had just experienced...my sister-in-law later told me he ended up calling the phone number on the scratch card to claim his prize anyway and then realized that when they started asking for personal info he was being scammed ....again

Have always maintained that your first line of defending anything...including your computer and stuff on it ....is your brain...use it first and never rely JUST on software

35 years ago that was true but there are so many self proclaimed experts today trying to push software and opinions on people and people are so lazy they take the easy way out and listen to them. Personally I don't care what YOU do, I know how to secure my computer and my data, and I will assist when asked but I really don't care if anyone else gets hacked or not.