Threat Watch

Brrr Ransomware

A new variant of the Dharma ransomware, dubbed Brrr, has surfaced in the wild. Brrr is installed by hand rather than by a phishing lure: the attackers scan the internet for hosts exposing Remote Desktop Services (RDP, typically TCP port 3389), brute-force the password of an account on each exposed host, and install the ransomware once they have an interactive session. No user has to open or click anything.

On first run Brrr scans for files and encrypts them, renaming each to the form “.id-[id].[email].brrr”, where [id] is the victim identifier and [email] is the attacker's contact address. It encrypts not only local drives but also shared virtual-machine and host drives, mapped network drives, and unmapped network shares, so one compromised host can take out every share that the compromised account can write to. Restrict share permissions to the accounts that genuinely need write access, and keep backups somewhere the compromised host cannot reach.

Brrr drops two ransom notes. “Info.hta” is registered in an autorun location so that it opens every time the victim logs in; “FILES ENCRYPTED.txt” is placed on the victim's desktop. Brrr also registers itself to run at each Windows logon, so files created after the initial run are encrypted at the next logon; remove that autorun entry before restoring data, or newly restored files will be encrypted again. Because the delivery vector is brute-forced RDP, the precautions that matter are exposure and credentials rather than attachments and links: do not expose RDP directly to the internet (put it behind a VPN or a gateway), enforce strong, unique passwords and account lockout, and alert on bursts of failed RDP logons.
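The two detections a defender would want for the tradecraft above, as an added example that is not code from the original Threat Watch entry: a detector for the RDP brute forcing that precedes the install, run over Windows Security event 4625 (failed logon) records with LogonType 10, and a file-name check for the “.id-[id].[email].brrr” naming and the two ransom notes. All event records and file paths are constructed sample data; the assumptions that the id is a run of hex digits and that the e-mail may be wrapped in square brackets (as Dharma variants commonly do) are mine, not the page's.

```python
"""Added example, not code from the original page: an RDP brute-force detector
over constructed Windows event 4625 records, plus a file-name check for Brrr's
".id-[id].[email].brrr" naming and its ransom notes."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed 4625 records: (timestamp, source IP, target account, LogonType).
# LogonType 10 (RemoteInteractive) is what an RDP logon produces; type 3 is a
# network logon such as SMB and is included here only as a non-RDP decoy.
SAMPLE_4625_EVENTS = [
    ("2024-01-10T02:00:01", "203.0.113.7", "Administrator", 10),
    ("2024-01-10T02:00:14", "203.0.113.7", "admin", 10),
    ("2024-01-10T02:00:29", "203.0.113.7", "backup", 10),
    ("2024-01-10T02:00:45", "203.0.113.7", "sqladmin", 10),
    ("2024-01-10T02:01:02", "203.0.113.7", "scanner", 10),
    ("2024-01-10T02:01:20", "203.0.113.7", "test", 10),
    ("2024-01-10T02:01:41", "203.0.113.7", "helpdesk", 10),
    ("2024-01-10T02:02:03", "203.0.113.7", "user", 10),
    ("2024-01-10T09:15:00", "198.51.100.4", "jsmith", 10),  # a user mistyping
    ("2024-01-10T09:15:30", "198.51.100.4", "jsmith", 10),  # a password: below threshold
    ("2024-01-10T02:10:00", "192.0.2.9", "Administrator", 3),  # SMB, not RDP
    ("2024-01-10T02:10:05", "192.0.2.9", "Administrator", 3),
    ("2024-01-10T02:10:10", "192.0.2.9", "Administrator", 3),
    ("2024-01-10T02:10:15", "192.0.2.9", "Administrator", 3),
    ("2024-01-10T02:10:20", "192.0.2.9", "Administrator", 3),
]


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Flag sources with at least `threshold` failed RDP logons inside any
    sliding `window`.  Returns {source_ip: (max_count, accounts_tried)}."""
    by_src = defaultdict(list)
    for ts, src, user, logon_type in events:
        if logon_type == 10:
            by_src[src].append((datetime.fromisoformat(ts), user))
    hits = {}
    for src, attempts in by_src.items():
        attempts.sort()
        start, best = 0, None
        for end, (t_end, _) in enumerate(attempts):
            while t_end - attempts[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best[0]):
                best = (count, {u for _, u in attempts[start:end + 1]})
        if best:
            hits[src] = best
    return hits


# Brrr appends ".id-[id].[email].brrr" to each file it encrypts.  Assumptions
# made here, not stated on the page: the id is a run of hex digits and the
# e-mail may be wrapped in square brackets, as Dharma variants commonly do.
BRRR_NAME_RE = re.compile(
    r"\.id-(?P<id>[0-9A-Fa-f]+)\.\[?(?P<email>[^\s\[\]]+@[^\s\[\]]+)\]?\.brrr$",
    re.IGNORECASE,
)
RANSOM_NOTES = {"info.hta", "files encrypted.txt"}


def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def classify_name(path):
    """("encrypted", id, email) for an encrypted file, ("ransom_note", None,
    None) for one of the two notes, None for anything else."""
    base = basename(path)
    if base.lower() in RANSOM_NOTES:
        return ("ransom_note", None, None)
    m = BRRR_NAME_RE.search(base)
    if m:
        return ("encrypted", m.group("id").upper(), m.group("email").lower())
    return None


def sweep(paths):
    """Summarise a listing: encrypted-file count, victim ids and contact
    e-mails seen, and which ransom notes were found."""
    summary = {"encrypted": 0, "ids": set(), "emails": set(), "notes": set()}
    for p in paths:
        hit = classify_name(p)
        if hit is None:
            continue
        kind, vid, email = hit
        if kind == "encrypted":
            summary["encrypted"] += 1
            summary["ids"].add(vid)
            summary["emails"].add(email)
        else:
            summary["notes"].add(basename(p))
    return summary


# Constructed listing from a hypothetical infected host and a share it reached.
SAMPLE_LISTING = [
    r"C:\Users\jsmith\Desktop\FILES ENCRYPTED.txt",
    r"C:\Users\jsmith\AppData\Roaming\Info.hta",
    r"C:\Users\jsmith\Documents\budget.xlsx.id-1A2B3C4D.[contact@example.com].brrr",
    r"C:\Users\jsmith\Documents\notes.txt",
    r"\\fileserver\finance\q4.docx.id-1A2B3C4D.[contact@example.com].brrr",
    r"\\fileserver\finance\archive.zip.id-1A2B3C4D.[contact@example.com].brr",  # near miss
]

if __name__ == "__main__":
    for src, (n, users) in detect_rdp_bruteforce(SAMPLE_4625_EVENTS).items():
        print(f"RDP brute force from {src}: {n} failures, {len(users)} accounts tried")
    print(sweep(SAMPLE_LISTING))
```

The detector keys on LogonType 10 so that SMB password spraying (type 3) does not trip the RDP rule; the five decoy failures from 192.0.2.9 are ignored even though they exceed the threshold. In production the records would come from the Security log rather than a list, and the threshold and window should be tuned against the environment's normal rate of mistyped passwords. The sweep reports the set of victim ids and contact addresses rather than assuming one of each, so a listing that mixes files from two separate intrusions shows up as such.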

ANALYST NOTES