Attackers have recently been breaking into corporate servers via RDP brute-force attacks to spread a new ransomware variant dubbed "LockCrypt." The attacks began in June, and in October their number increased noticeably. So far the attackers have targeted small businesses in the US, UK, South Africa, India and the Philippines. Victims were asked to pay 0.5-1 Bitcoin per server, which at the time was roughly $3,295-$6,591 per server; one business paid $19,000 to recover three of its servers.
LockCrypt encrypts all files and renames them with a ".lock" extension. It also installs itself for persistence and deletes backups to prevent easy recovery. It then sends base64-encoded information about the infected machine to a server in Iran. There is no sign of a specific target profile so far: the attackers appear to be opportunistic, infecting servers as the opportunity arises.
Researchers note that these RDP brute-force attacks could be prevented by enforcing stronger password policies, requiring two-factor authentication on RDP access, and not accepting incoming RDP connections from the internet at all (for example, allowing RDP only from the internal network or over a VPN).
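The controls above are preventive; a practitioner also wants to know whether a brute-force attempt is already under way, and in particular whether one of the guesses succeeded. The following script is an added example (not code from the original article or from the researchers it cites) that walks a Windows Security log export and flags sources with a burst of failed RDP logons (event 4625) followed by a successful one (event 4624) from the same IP. It assumes a constructed JSON-lines export with the field names used below; the sample records are made up for the example. Logon type 10 is RemoteInteractive; with Network Level Authentication enabled, failed RDP logons are recorded on the target as type 3, which is why both are counted.

```python
"""Detect RDP password-guessing bursts in a Windows Security log export.

Added example, not part of the original article. Assumes a JSON-lines export
with the fields: time (ISO 8601), event_id, ip, user, logon_type.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Logon types relevant to RDP: 10 = RemoteInteractive, 3 = Network (what a
# failed NLA/CredSSP handshake is logged as on the target server).
RDP_LOGON_TYPES = {3, 10}
FAILED, SUCCESS = 4625, 4624  # failed logon, successful logon

# Constructed sample records (not real data): a five-guess burst from
# 203.0.113.7 that ends with a successful logon, one mistyped password from
# a legitimate user, and an interactive (console) failure that is not RDP.
SAMPLE_LOG = """\
{"time": "2017-10-12T03:00:01", "event_id": 4625, "ip": "203.0.113.7", "user": "administrator", "logon_type": 3}
{"time": "2017-10-12T03:00:02", "event_id": 4625, "ip": "203.0.113.7", "user": "admin", "logon_type": 3}
{"time": "2017-10-12T03:00:03", "event_id": 4625, "ip": "203.0.113.7", "user": "administrator", "logon_type": 3}
{"time": "2017-10-12T03:00:04", "event_id": 4625, "ip": "203.0.113.7", "user": "backup", "logon_type": 3}
{"time": "2017-10-12T03:00:05", "event_id": 4625, "ip": "203.0.113.7", "user": "administrator", "logon_type": 3}
{"time": "2017-10-12T03:00:09", "event_id": 4624, "ip": "203.0.113.7", "user": "administrator", "logon_type": 10}
{"time": "2017-10-12T08:15:00", "event_id": 4625, "ip": "192.0.2.20", "user": "jsmith", "logon_type": 10}
{"time": "2017-10-12T08:15:30", "event_id": 4624, "ip": "192.0.2.20", "user": "jsmith", "logon_type": 10}
{"time": "2017-10-12T09:00:00", "event_id": 4625, "ip": "198.51.100.5", "user": "svc", "logon_type": 2}
"""


def parse_events(jsonl):
    """Parse one event per line, skipping malformed lines, sorted by time."""
    events = []
    for line in jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
            events.append({
                "time": datetime.fromisoformat(rec["time"]),
                "event_id": int(rec["event_id"]),
                "ip": rec["ip"],
                "user": rec["user"],
                "logon_type": int(rec["logon_type"]),
            })
        except (ValueError, KeyError):
            continue  # malformed record: skip rather than abort the sweep
    return sorted(events, key=lambda e: e["time"])


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: report} for every source with at least `threshold` failed
    RDP logons inside a sliding `window`. `success_user` is set when a 4624
    from the same source arrives while the burst is still inside the window,
    i.e. when a guessed password worked."""
    recent = defaultdict(deque)  # ip -> deque of (time, user) failed attempts
    alerts = {}
    for ev in events:
        if ev["logon_type"] not in RDP_LOGON_TYPES:
            continue
        ip, q = ev["ip"], recent[ev["ip"]]
        # Drop failures that have aged out of the window.
        while q and ev["time"] - q[0][0] > window:
            q.popleft()
        if ev["event_id"] == FAILED:
            q.append((ev["time"], ev["user"]))
            if len(q) >= threshold:
                rep = alerts.setdefault(
                    ip, {"failures": 0, "users": set(), "success_user": None})
                rep["failures"] = max(rep["failures"], len(q))
                rep["users"].update(user for _, user in q)
        elif ev["event_id"] == SUCCESS and ip in alerts and q:
            alerts[ip]["success_user"] = ev["user"]
    return alerts


if __name__ == "__main__":
    for ip, rep in detect_bruteforce(parse_events(SAMPLE_LOG)).items():
        status = ("COMPROMISED as %s" % rep["success_user"]
                  if rep["success_user"] else "attempts only")
        print(ip, rep["failures"], "failures, users tried:",
              sorted(rep["users"]), "->", status)
```

Run as-is, the script reports 203.0.113.7 with five failures across three usernames and a subsequent success as "administrator"; the single mistyped password from 192.0.2.20 and the console logon failure are not flagged. A report with `success_user` set is the one to act on first: the server should be treated as compromised, not merely probed, and the following steps in the story (persistence, backup deletion, the ".lock" encryption) may already be under way.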
Our Counterintelligence Team gathers information and conducts operations to identify threats to an organization so that they can better protect against malicious activity. We accomplish this by combining advanced technology with skilled and experienced intelligence specialists. Our goal is to protect your data, your brand and your people.