There are some ways to go around the malware's file encryption and recover at least some sensitive files

Oct 22, 2015 08:45 GMT

A new strain of ransomware is using the Windows built-in Remote Desktop Services or Terminal Services to infect computers, encrypt files, and then demand a ransom of 4 Bitcoin (~$1,000).

The ransomware was first seen affecting users in Bulgaria and Greece, a few of whom asked for help on the Bleeping Computer tech forums. Malware researcher Nathan Scott took a closer look at this new ransomware family and found some interesting things.

Attackers are brute-forcing passwords on PCs running Remote Desktop Services

According to his findings, the attackers are manually installing the ransomware on all infected devices by brute-forcing user account passwords on machines that have left Remote Desktop or Terminal Services connections open.

Once they manage to get a foothold on infected systems, the attackers run the ransomware executable, which first maps all local and network drives.

After it builds a map of all drives and files, the ransomware searches for data files with specific extensions and encrypts them with a 2048-bit RSA key, the same scheme used by CryptoLocker, probably the best-known and most dangerous ransomware family around.

To make sure users notice its work and pay the ransom, in each folder where it encrypts files the ransomware also drops a file named "help recover files.txt," which contains information on where to pay the ransom and have the encryption removed (see image below). The email addresses used in this campaign are: [email protected] and [email protected].

There are some methods of recovering at least some of the files

All encrypted files are also prepended with the "oorr." string. Additionally, to hinder security researchers and reverse engineering, the ransomware cleans up after itself and clears the Application, Security, and System event logs.

Fortunately, there are some ways to recover some of the encrypted files. For starters, if some of the encrypted files have also been synchronized and hosted on cloud services like Dropbox or Google Drive, users can simply remove the oorr. prefix, and use the Web interface for those services to revert to the file's previous version.

A second method is to recover a hard drive's shadow volume copies, which the ransomware does not delete, using an application like ShadowExplorer.

These methods do not allow a recovery of all files, but they may help some users get back at least some of their data, if they do not intend to pay the ransom.
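A PowerShell triage script, added here as an example and not taken from the article or from the researcher's work, that automates the recovery checks described above on an affected host. It assumes the behaviour the article reports (the "oorr." prefix, intact shadow copies, cleared event logs); the share path is a constructed placeholder, and the event IDs used are the standard Windows "log cleared" records.

```powershell
# Added example (not from the article). Run as an administrator on the affected host.
param(
    [string]$Root = 'D:\Shares',   # constructed placeholder; point at the affected share
    [switch]$Rename                # without -Rename the script only reports what it would do
)

# 1. Inventory encrypted files and optionally strip the "oorr." prefix so the
#    cloud provider's web interface can be used to roll back to the prior version.
$encrypted = Get-ChildItem -Path $Root -Recurse -File -Filter 'oorr.*' -ErrorAction SilentlyContinue
"Found $($encrypted.Count) file(s) carrying the oorr. prefix under $Root"
foreach ($f in $encrypted) {
    # -Filter can match loosely on short names; only touch true "oorr." names
    if (-not $f.Name.StartsWith('oorr.', [StringComparison]::OrdinalIgnoreCase)) { continue }
    $restoredName = $f.Name.Substring(5)            # drop the leading "oorr."
    $target = Join-Path $f.DirectoryName $restoredName
    if (Test-Path -LiteralPath $target) {
        "SKIP         $($f.FullName): $restoredName already exists"
        continue
    }
    if ($Rename) { Rename-Item -LiteralPath $f.FullName -NewName $restoredName }
    "$(if ($Rename) { 'RENAMED     ' } else { 'WOULD RENAME' }) $($f.FullName) -> $restoredName"
}

# 2. List shadow copies that survived the infection; these can be browsed with
#    ShadowExplorer or via the DeviceObject path shown here.
Get-CimInstance -ClassName Win32_ShadowCopy |
    Select-Object InstallDate, VolumeName, DeviceObject |
    Format-Table -AutoSize

# 3. Clearing a log leaves its own trace: Security 1102 ("audit log was cleared")
#    and System 104 ("log file was cleared") are written after the wipe, so they
#    survive it and timestamp when the attacker covered their tracks.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102 } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 104 } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

Run it first without -Rename to review the file list; the renamed files still hold encrypted content and only become usable once the cloud service's previous version is restored over them.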

Ransom message shown on infected PCs

Ransomware spreads via Remote Desktop Services