Attackers have recently been breaking into corporate servers by brute-forcing RDP credentials in order to deploy a new ransomware variant dubbed “LockCrypt.” The attacks began in June, with a marked increase in October. So far the attackers have targeted small businesses in the US, UK, South Africa, India and the Philippines. Victims were asked to pay 0.5 to 1 Bitcoin per server, which at the time was $3,295 to $6,591 per server. One business paid $19,000 to recover three of its servers.
LockCrypt encrypts all files and renames them with a “.lock” extension. It also installs itself for persistence and deletes backups to prevent an easy recovery. It then sends base64-encoded information about the infected machine to a server in Iran. There appear to be no specific primary targets: the attackers infect whatever servers they manage to break into when the right opportunity arises.
Researchers note that these RDP brute force attacks could be prevented by enforcing more complex passwords, requiring two-factor authentication on RDP access, and not allowing incoming RDP connections from anywhere on the internet (for example, only from a VPN or a known set of addresses).
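The following PowerShell is an added example of those mitigations on a single Windows Server, not code from the article or from any of the researchers it cites. It enforces account lockout (so online guessing stalls after a few failures), requires Network Level Authentication, scopes the built-in "Remote Desktop" firewall rules to an allowlist, and then lists the source addresses that have been failing logons in the last day. The address ranges, the failure threshold, and the event 4625 property indexes are assumptions chosen for illustration; two-factor authentication is not configured here because it needs an external provider or RD Gateway rather than a local setting.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article): hardening RDP against password guessing.
# Run in an elevated PowerShell session on the server that exposes RDP.

# 1. Account lockout. The default threshold is 0 (unlimited attempts), which is
#    what lets a brute-force run through a wordlist unhindered.
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30

# 2. Require Network Level Authentication, so credentials are checked before a
#    full session is created. Standard RDP-Tcp registry key; 1 = required.
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
Set-ItemProperty -Path $rdpKey -Name 'UserAuthentication' -Value 1 -Type DWord

# 3. Do not accept RDP from the whole internet: restrict the built-in rule group
#    to an allowlist. These ranges are placeholders (assumed VPN / jump-host
#    networks); replace them with your own.
$allowed = @('10.0.0.0/8', '203.0.113.0/24')
Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -RemoteAddress $allowed

# 4. Audit: which addresses have been failing logons recently? Event ID 4625
#    property indexes are assumed as 5 = TargetUserName, 10 = LogonType,
#    19 = IpAddress. Guessing through NLA typically shows up as logon type 3,
#    so the grouping is by source address regardless of type.
$since     = (Get-Date).AddDays(-1)
$threshold = 20    # failures per source address; tune for your environment

Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Ip   = $_.Properties[19].Value
            User = $_.Properties[5].Value
            Type = $_.Properties[10].Value
        }
    } |
    Group-Object Ip |
    Where-Object { $_.Count -ge $threshold } |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'Users'; e = { ($_.Group.User | Sort-Object -Unique) -join ',' } }
```

Any source address that appears in the final list and is not in `$allowed` is a candidate for blocking at the perimeter; a long list of distinct usernames from one address is the usual signature of a dictionary attack rather than a user mistyping a password.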