Apocalypse Ransomware Spreads via Unsecured RDP Connections


Batu69


Apocalypse coders don't react like gentlemen when an Emsisoft researcher cracks their ransomware, twice

[Image: Apocalypse ransom note]

A ransomware variant that first appeared two months ago is making a name for itself with constant updates, improved functionality, and an inability to concoct a proper encryption algorithm that Emsisoft's Fabian Wosar can't break.

Called Apocalypse, the ransomware stands apart from similar tools because it uses a manual distribution method, relying on its authors brute-forcing unsecured RDP servers and installing Apocalypse by hand.

Fox-IT experts warned at the start of May about an increase in RDP brute-force attacks specifically aimed at installing ransomware. Apocalypse appeared for the first time about a week after this report came out.

Before Apocalypse, malware analysts also discovered new versions of the older Bucbi ransomware, which was also employing RDP brute-force attacks to spread to corporate networks.

Both Apocalypse and ApocalypseVM were cracked

As for Apocalypse, the ransomware uses a simplistic XOR-based encryption algorithm, which is why Emsisoft's Fabian Wosar managed to crack it at the start of the month, and then offer a free decrypter that can unlock files without paying the ransom.

Apocalypse's authors counteracted by updating their code and obfuscating it with VMProtect, an application for protecting software against reverse engineering and code cracking.

Wosar didn't let up, and he released a decrypter for this version as well, which was named ApocalypseVM.

Emsisoft manages to annoy a second ransomware coder

A week after that, the Apocalypse ransomware authors released a new version, and this one contained some "kind" words for Emsisoft researchers.

This is not the first time that Emsisoft and Fabian Wosar get on the nerves of ransomware coders, as something similar happened when he created a decrypter for the Radamant ransomware this winter.

At the time of writing, the latest version of the Emsisoft Decrypter for Apocalypse and ApocalypseVM will allow infected users to recover their files for free.

"Due to the nature of the attack protection software is rather ineffective. If the attacker manages to get access to the system via remote control, they can simply disable any protection software installed or add the malware to the protection software’s exclusion list," Emsisoft explains. "It therefore is imperative to prevent the attacker from gaining access to the system to begin with."

For this, it is recommended that sysadmins use strong passwords for their RDP connections, or better yet, just disable the protocol if not needed.

Article source
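An added example, not part of the article or of Emsisoft's decrypter: the RDP brute-force pattern the article describes, as it shows up in Windows Security log events (repeated 4625 failed logons with LogonType 10, then a 4624 success from the same source, which is the point where an attacker can start installing by hand). The log line format, the sample entries, the IP addresses and the threshold are all constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security log lines, flattened to one line per event (not real data).
# EventID 4625 = failed logon, 4624 = successful logon; LogonType 10 = RemoteInteractive (RDP).
SAMPLE_LOG = """\
2016-06-20T02:14:01 EventID=4625 LogonType=10 Account=administrator SourceIP=198.51.100.23
2016-06-20T02:14:09 EventID=4625 LogonType=10 Account=admin SourceIP=198.51.100.23
2016-06-20T02:14:20 EventID=4625 LogonType=3 Account=admin SourceIP=198.51.100.23
2016-06-20T02:14:31 EventID=4625 LogonType=10 Account=administrator SourceIP=198.51.100.23
2016-06-20T02:15:02 EventID=4625 LogonType=10 Account=backup SourceIP=198.51.100.23
2016-06-20T02:15:40 EventID=4625 LogonType=10 Account=administrator SourceIP=198.51.100.23
2016-06-20T02:16:12 EventID=4625 LogonType=10 Account=administrator SourceIP=203.0.113.7
2016-06-20T02:16:55 EventID=4624 LogonType=10 Account=administrator SourceIP=198.51.100.23
2016-06-20T02:17:30 EventID=4625 LogonType=10 Account=administrator SourceIP=203.0.113.7
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) EventID=(?P<id>\d+) LogonType=(?P<lt>\d+) "
                     r"Account=(?P<acct>\S+) SourceIP=(?P<ip>\S+)$")


def parse_events(text):
    """Parse the constructed log format into dicts, oldest first; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "id": int(m["id"]),
                           "lt": int(m["lt"]), "acct": m["acct"], "ip": m["ip"]})
    return sorted(events, key=lambda e: e["ts"])


def detect_rdp_bruteforce(text, threshold=5, window=timedelta(minutes=10)):
    """Return {source_ip: {"failures", "accounts", "succeeded"}} for every source that produced at
    least `threshold` failed RDP logons inside any span of length `window`. Non-RDP logon types are
    ignored. "succeeded" marks a later RDP logon success from the same source: the guessed password
    followed by hands-on access that the article describes."""
    failures, successes = defaultdict(list), defaultdict(list)
    for e in parse_events(text):
        if e["lt"] != 10:
            continue
        if e["id"] == 4625:
            failures[e["ip"]].append(e)
        elif e["id"] == 4624:
            successes[e["ip"]].append(e)
    alerts = {}
    for ip, evs in failures.items():
        start, best = 0, 0
        for end in range(len(evs)):          # sliding window over time-ordered failures
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts[ip] = {"failures": best,
                          "accounts": sorted({e["acct"] for e in evs}),
                          "succeeded": any(s["ts"] > evs[0]["ts"] for s in successes[ip])}
    return alerts
```

Sources that both trip the threshold and then log on successfully are the ones to isolate first, since at that point the attacker can disable or exclude protection software as the article notes.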


As I understand, having Remote Desktop and Terminal Services disabled should avoid any possibility of getting accessed by this ransomware; simply, there should be neither secured nor unsecured connections. Actually, I have had these services disabled since they appeared in early versions of Windows XP, mostly to save the CPU/memory usage of options I don't use.

 
