Ransomware using Remote Desktop to spread itself

A new strain of ransomware has been discovered that is being circulated by targeted Remote Desktop or Terminal Services hacks. LowLevel04 malware also propagates via Terminal Services

the SC Magazine UK take:

 

LowLevel04 malware also propagates via Terminal Services

A new strain of ransomware has been discovered that is being circulated by targeted Remote Desktop or Terminal Services hacks.

The ransomware was discovered by tech blog Bleeping Computer. According to Lawrence Abram, the malware, dubbed LowLevel04, encrypts data using AES encryption and then demands a 4 Bitcoin, or $1000 USD, ransom to get files back.

The blog was alerted to the malware by users on its support forum. The ransomware appears to be installed directly by the attacker who brute forces weak passwords on computers running Remote Desktop or Terminal Services.

“Many of the victims have also reported that the machines affected were servers, which makes sense as this type of attack would cause major disruption for a company,” said Abrams.

“It appears that once the attacker gains access to a target computer, they download and install a package that generates the encryption keys, encrypts the data files, and then uploads various files back up to the hacker's temp folder via the terminal services client drive mapping \\tsclient\c\temp\.”

The blog called security guru Nathan Scott to analyse the malware. Analysis showed that the ransomware scans all mapped drives, including removable and network drives, for data files to encrypt. “When it encounters a file that contains certain file extensions it will encrypt them using AES encryption and then add the oorr. string to the beginning of the file name. As an example, test.doc will be renamed to oorr.test.doc,” said Abrams.

The file is also encrypted to contain different layers of information. In each folder a ransom note is left titled help recover files.txt. This contains instructions for the victim to follow if they want to decrypt their files. The malware finally carries out a clean up to delete a number of files used in the encryption process as well as removing application, security and system logs.

Abrams said that the malware didn’t delete Shadow Volume Copies, so a file recovery tol could be used to get original, unencrypted versions of files back.

David Kennerley, threat research manager at Webroot, told SC Magzine that this ransomware strain has been reported under a number of different aliases including Trojan-Ransom.NSIS.ONION.air.

“The ransomware is using the now standard RSA-2048 encryption – if implemented correctly there will be no way to decrypt the files without a decryption key,” he warned.

He said while there have been reports this ransomware is spread due to terminal services and remote desktop hacks, “I’d be a little surprised if this was the case”.

“It would be a very interesting next step for an attacker after establishing a beachhead on the network. Of course this is very possible, but also very opportunist, for those concerned with a quick win not a long haul. Their skill level needn’t be as advanced, especially with the rise in Ransomware as a Service (RaaS),” said Kennerley.

“If the details are accurate I would separate this attack into two separate parts: infiltration, (possibly due to weak passwords) and infection. As such it’s not a new weapon in the ransomware arsenal – an interesting tactic by the bad guys none the less.”

Chris Boyd, malware intelligence analyst at Malwarebytes told SC Magazine that ransomware coders have often tried to get a foot in the door using RDP exploits, and many businesses make use of remote desktop functionality on a daily basis.

“If they don't need RDP, they should disable it - otherwise, keeping Windows patched will help ward off potential RDP exploits,” he said. “Organisations should also consider moving to other remote desktop software if uncomfortable with the out of the box functionality provided by Windows. As with all things Ransomware, the surest solution is a sensible backup plan as no defence is foolproof.”

Gavin Reid, vice president of threat intelligence, Lancope told SC Magazine that as this variant uses remote desktop to spread, “it is more likely targeted at individuals, as organisations usually block and restrict the remote desktop protocol.”

Paul Ducklin, senior security advisor at Sophos, told SC Magazine that organisations should consider enforcing two-factor authentication (2FA) for all remote logins.

“That means a crook can't connect to your remote desktop system simply by stealing or guessing a password, because there's a one-time login code he'll need every time. 2FA doesn't solve your remote access security problem but it can make attacks much harder for the crooks,” he added.

Dominik Samociuk, IT security engineer at Future Processing, told SC Magazine that organisation should never use weak or default passwords and instead rely on a password policy prepared by CSO (Chief Security Officer) and imposed by IT administration staff. “Before making server visible from the Internet, hardening of each device and its operating system should be performed and checked by the experienced user,” he said.

Kennerley added that if a user becomes infected, if possible do not pay the ransom. “By doing so you are sustaining the criminal business model. Inviting more crooks to party, and also leaving your company open to future attacks.”

Ransom note
Ransom note

The ransomware was discovered by tech blog Bleeping Computer. According to Lawrence Abram, the malware, dubbed LowLevel04, encrypts data using AES encryption and then demands a four Bitcoin, or US$ 1,000, ransom to get files back.

The blog was alerted to the malware by users on its support forum. The ransomware appears to be installed directly by the attacker who brute forces weak passwords on computers running Remote Desktop or Terminal Services.

“Many of the victims have also reported that the machines affected were servers, which makes sense as this type of attack would cause major disruption for a company,” said Abrams.

“It appears that once the attacker gains access to a target computer, they download and install a package that generates the encryption keys, encrypts the data files, and then uploads various files back up to the hacker's temp folder via the terminal services client drive mapping file://tsclient/c/temp/.”

The blog called security guru Nathan Scott to analyse the malware. Analysis showed that the ransomware scans all mapped drives, including removable and network drives, for data files to encrypt. “When it encounters a file that contains certain file extensions it will encrypt them using AES encryption and then add the oorr. string to the beginning of the file name. As an example, test.doc will be renamed to oorr.test.doc,” said Abrams.

The file is also encrypted to contain different layers of information. In each folder a ransom note is left titled help recover files.txt. This contains instructions for the victim to follow if they want to decrypt their files. The malware finally carries out a clean up to delete a number of files used in the encryption process as well as removing application, security and system logs.

Abrams said that the malware didn't delete Shadow Volume Copies, so a file recovery tool could be used to get original, unencrypted versions of files back.

David Kennerley, threat research manager at Webroot, told SCMagzineUK.com that this ransomware strain has been reported under a number of different aliases including Trojan-Ransom.NSIS.ONION.air.

“The ransomware is using the now standard RSA-2048 encryption – if implemented correctly there will be no way to decrypt the files without a decryption key,” he warned.

He said while there have been reports this ransomware is spread due to terminal services and remote desktop hacks, “I'd be a little surprised if this was the case”.

“It would be a very interesting next step for an attacker after establishing a beachhead on the network. Of course this is very possible, but also very opportunist, for those concerned with a quick win not a long haul. Their skill level needn't be as advanced, especially with the rise in Ransomware as a Service (RaaS),” said Kennerley.

“If the details are accurate I would separate this attack into two separate parts: infiltration, (possibly due to weak passwords) and infection. As such it's not a new weapon in the ransomware arsenal – an interesting tactic by the bad guys nonetheless.”

Chris Boyd, malware intelligence analyst at Malwarebytes told SCMagazineUK.com that ransomware coders have often tried to get a foot in the door using RDP exploits, and many businesses make use of remote desktop functionality on a daily basis.

“If they don't need RDP, they should disable it - otherwise, keeping Windows patched will help ward off potential RDP exploits,” he said. “Organisations should also consider moving to other remote desktop software if uncomfortable with the out of the box functionality provided by Windows. As with all things Ransomware, the surest solution is a sensible backup plan as no defence is foolproof.”

Gavin Reid, vice president of threat intelligence, Lancope told SCMagazineUK.com that as this variant uses remote desktop to spread, “it is more likely targeted at individuals, as organisations usually block and restrict the remote desktop protocol.”

Paul Ducklin, senior security advisor at Sophos, told SC that organisations should consider enforcing two-factor authentication (2FA) for all remote logins.

“That means a crook can't connect to your remote desktop system simply by stealing or guessing a password, because there's a one-time login code he'll need every time. 2FA doesn't solve your remote access security problem but it can make attacks much harder for the crooks,” he added.

Dominik Samociuk, IT security engineer at Future Processing, told SC that organisation should never use weak or default passwords and instead rely on a password policy prepared by CSO (Chief Security Officer) and imposed by IT administration staff. “Before making server visible from the Internet, hardening of each device and its operating system should be performed and checked by the experienced user,” he said.

Kennerley added that if a user becomes infected, if possible do not pay the ransom. “By doing so you are sustaining the criminal business model. Inviting more crooks to party, and also leaving your company open to future attacks.”