There are over 500,000 accessible Samba servers that are listed across the globe, meaning if done correctly, it could be a massive campaign. Back in March, many users complained about their NAS storage devices being infected with the MegaLocker ransomware and this was believed to be the first time it was seen. After a further look, it was discovered that the ransomware brute forces the Samba servers and once the files are encrypted, it drops a ransom note titled !DECRYPT_INSTRUCTION.TXT. Inside that note is a contact email alexshkipper@mail[.]ru, followed by an odd request for the victim the send photos of an event like a birthday, holiday, or while doing a hobby. Payment is also requested and if it is a single user that is infected, the attackers request $250 dollars, but if it’s a company, they ask for $1000 dollars. Since its emergence in March, the ransomware changed its name to NamPoHyu virus but the ransom note remains the same. The only difference now is that it sends users to a Tor payment site.
Analyst Notes
Users should always back up their servers, especially ones that contain important information. Attachments should not be opened unless the source is known. Tools can be used to scan the attachments to verify their legitimacy. Users should also never connect their remote desktop servers to an open internet connection, access should only be allowed if they log into a VPN first.
