There are over 500,000 publicly accessible Samba servers listed across the globe, so a campaign against them, if carried out correctly, could be massive. Back in March, many users complained that their NAS storage devices had been infected with the MegaLocker ransomware, which was believed to be the first time it was seen. Further analysis found that the ransomware brute-forces the Samba servers' credentials and, once the files are encrypted, drops a ransom note titled !DECRYPT_INSTRUCTION.TXT. The note contains a contact email, alexshkipper@mail[.]ru, followed by an odd request for the victim to send photos of an event such as a birthday, a holiday, or a hobby. Payment is also demanded: if a single user is infected, the attackers ask for $250, but if it is a company, they ask for $1,000. Since its emergence in March, the ransomware has changed its name to the NamPoHyu virus, but the ransom note remains the same. The only difference now is that it directs victims to a Tor payment site.
Written by: Nataliia Zdrok, Threat Intelligence Analyst at Binary Defense