RDP brute force attacks used to spread LockCrypt ransomware
RDP brute force attacks used to spread LockCrypt ransomware

Hackers have been breaking into corporate servers via RDP brute-force attacks and manually infecting them with a new variant of ransomware called LockCrypt.

Initial infections started in June, but October saw a marked increase in infections.

According to a blog post by security researchers at AlienVault, small businesses have been infected with LockCrypt in the US, UK, South Africa, India and the Philippines. The company said that victims have reported paying between 0.5 and 1 Bitcoin per server - which translates at current prices to over US$ 5,000 (£3,800) per server. One business reported paying approximately US$ 19,000 (£14,500) to recover three machines.

Researchers said that one victim was infected via RDP brute-forcing from a compromised mail server. “The attackers then manually killed business critical processes for maximum damage,” said Chris Doman, security researcher at AlienVault.

LockCrypt encrypts files and renames them with a .lock extension. It also installs itself for persistence and deletes back-ups (volume shadow copies) to prevent an easy recovery. LockCrypt then sends base64 encoded information about the infected machine to a server in Iran.

Doman said that LockCrypt doesn't have heavy code overlaps with other ransomware. “We've seen evidence that the attackers likely started out with easier-to-deploy “ransomware as a service” before re-investing in their own ransomware,” he said.

He said that LockCrypt ransomware doesn't appear to be targeted - the attackers just opportunistically infect servers with RDP. “But they do show an interest in manually interacting with systems for maximum impact, and the excessive fees they charge can put businesses that can't afford to pay out of operation,” he added.

Doman said that RDP brute-forcing could be prevented by enforcing complex passwords and two-factor authentication on RDP access, disallowing incoming RDP connections from anywhere on the internet, and locking out users that have numerous failed login attempts.

Speaking to SC Media UK, Doman for key systems says it may be worth implementing application white-listing as it makes the attackers job of deploying the ransomware one step more difficult.

“It's important to quickly detect when ransomware has been manually deployed. If you can detect the first deployment you may be able to react in time to prevent them deploying it to further systems,” he said.

Mark James, security specialist at ESET, told SC Media UK that as these attacks are opportunistic in nature, the best defence is a good security policy: "Complex passwords are always a good choice when we are talking about servers and if possible, secure those accounts with two-factor authentication. Limit any Internet RDP access to those servers, and review your logs regularly for failed login attempts.

“One of its tasks is to delete any volume shadow copies, so it's extremely important to have additional point-in-time offsite and offline backups for when things go horribly wrong - these of course should be tested on a regular basis, right down to full restore, to ensure they are working perfectly,” he said.

Alexander Ivanyuk, global director of product and technology positioning at hybrid cloud IT data protection business Acronis, told SC Media UK that organisations should control remote access.

“The less people have such access, the better. They should be able to access from fixed IP, so you can whitelist those and forbid all others. If you can't do this, you need to have intrusion detection and prevention systems in place or some kind of specialised solution against RDP brute forcing attack which are pretty simple actually and based on few rules like number of unsuccessful logins per time and blacklisting bad IPs if rule worked,” he said.