A new strain of ransomware has been discovered. This one, called LowLevel04, is being spread through targeted attacks on Remote Desktop or Terminal Services. Unlike ransomware in the CryptoLocker family, which encrypts the files on a computer when its user clicks a malicious link (and encrypts the whole network if the user runs the computer as an administrator), this new ransomware gets in through weak passwords on Remote Desktop Services (RDS). The Remote Desktop app lets you connect to a remote PC from almost anywhere over a network connection; RDS was known as Terminal Services in Windows Server 2008 and earlier. Ransomware prevents users from accessing their files until they pay a ransom through an online payment system. This strain got its name from the lowlevel04 string that marks a file as infected with the malware.
The Story Behind This Ransomware
This ransomware was initially reported in early October by a panicked user requesting help on the support forum at bleepingcomputer.com. His request for help was quickly followed by requests from several other users who had been hit by the same ransomware. The first user wrote that his business server was hit by ransomware which left a txt message “help recover files.txt.” He reported that his most important files were renamed starting with “oor.” followed by the original file name, and that the virus affected the backup drive and Dropbox as well. The virus was not detected when he ran scans with Security Essentials and Malwarebytes.
The message from the hacker started “Good day, isn’t it? What happened to your files? All your files were protected by a strong encryption with RSA-2048…. This mean[s] that the structure and data within your files have been irrevocably change[d] and only we can help you to restore it.” The message went on to say that the victim could buy the hackers’ tool with the private key to recover his files at a cost of 4 bitcoins, and it specified that 1 bitcoin equals about $240. The ransom note concluded “you can send one small file (not bigger than 1 megabyte) before payment and we will recover it. It will be proof that we have decryption tool.” (Note: Misspellings in the ransom note were corrected in this rewritten excerpt.)
Nathan Scott, a security expert, analyzed this ransomware for BleepingComputer. It appears that the attacker brute-forces weak passwords on computers and servers running Remote Desktop or Terminal Services. The malware scans all mapped drives, including removable and network drives, for data files with specific file extensions. It then encrypts them with AES, adding the “oorr” string to the beginning of the file name. It leaves a ransom note .txt file in each folder where a file was encrypted, with instructions for paying the ransom. Finally, it performs a cleanup of all the files it created and removes the Application, Security, and System event logs so that they cannot be used to perform forensics on the attack.
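The behaviour described above suggests two places a defender can look for this strain: the file system (the “oorr” prefix and the ransom note dropped in each affected folder) and the Windows event logs, provided they are forwarded to a collector before the malware clears them on the host. The script below is an added example, not code from the article or from BleepingComputer’s analysis. It walks a constructed directory tree for the file indicators, then runs two checks over constructed event records: a burst of failed RDP logons from one source (Event ID 4625 with LogonType 10, the standard Windows IDs for a failed RemoteInteractive logon) and the log-clearing events (1102 in the Security log, 104 in the System log). The note name, sample paths, IP addresses, times and the threshold of five failures in ten minutes are all assumptions made for the example.

```python
"""Host triage for LowLevel04-style indicators.

Added example; not the article's or the analyst's code. All sample data is
constructed. Checks:
  1. File-system indicators: names starting with the "oorr" prefix and ransom
     notes named "help recover files.txt" (note name taken from the article).
  2. Event-log indicators on constructed records: failed RDP logons
     (Security 4625, LogonType 10) bursting from one source, and log clearing
     (Security 1102, System 104). Event IDs are standard Windows IDs.
"""
import os
import tempfile
from collections import defaultdict
from datetime import datetime, timedelta

PREFIX = "oorr"
NOTE_NAME = "help recover files.txt"


def scan_tree(root):
    """Walk root; return prefixed files, ransom notes and per-folder counts."""
    encrypted, notes = [], []
    folders = defaultdict(int)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower() == NOTE_NAME:
                notes.append(path)
            elif name.startswith(PREFIX):
                encrypted.append(path)
                folders[dirpath] += 1
    return {"encrypted": sorted(encrypted), "notes": sorted(notes),
            "folders": dict(folders)}


def rdp_bruteforce_sources(events, threshold=5, window=timedelta(minutes=10)):
    """Source IPs with at least `threshold` failed RDP logons inside `window`."""
    failures = defaultdict(list)
    for ev in events:
        if ev["log"] == "Security" and ev["id"] == 4625 and ev.get("logon_type") == 10:
            failures[ev["source_ip"]].append(ev["time"])
    flagged = set()
    for ip, times in failures.items():
        times.sort()
        for i in range(len(times)):
            j = i
            # slide a window starting at times[i] and count failures inside it
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            if j - i >= threshold:
                flagged.add(ip)
                break
    return sorted(flagged)


def log_clear_events(events):
    """Records that mean a Windows event log was cleared on the host."""
    cleared = {("Security", 1102), ("System", 104)}
    return [ev for ev in events if (ev["log"], ev["id"]) in cleared]


def build_sample_tree():
    """Constructed directory layout imitating an affected share (sample data)."""
    root = tempfile.mkdtemp(prefix="lowlevel04_demo_")
    layout = {
        "docs": ["oorrbudget.xlsx", "oorrplan.docx", NOTE_NAME],
        "docs/archive": ["oorrold.pdf", NOTE_NAME],
        "pictures": ["holiday.jpg"],  # untouched folder: no prefix, no note
    }
    for folder, names in layout.items():
        d = os.path.join(root, folder)
        os.makedirs(d, exist_ok=True)
        for n in names:
            with open(os.path.join(d, n), "wb") as fh:
                fh.write(b"x")
    return root


def sample_events():
    """Constructed event records: one brute-forcing source, one stray failure,
    one success from the attacker's IP, then both logs being cleared."""
    t0 = datetime(2015, 10, 5, 2, 0, 0)
    events = [{"log": "Security", "id": 4625, "logon_type": 10,
               "source_ip": "203.0.113.7", "time": t0 + timedelta(seconds=20 * i)}
              for i in range(8)]
    events.append({"log": "Security", "id": 4625, "logon_type": 10,
                   "source_ip": "198.51.100.2", "time": t0})
    events.append({"log": "Security", "id": 4624, "logon_type": 10,
                   "source_ip": "203.0.113.7", "time": t0 + timedelta(minutes=3)})
    events.append({"log": "Security", "id": 1102, "time": t0 + timedelta(minutes=40)})
    events.append({"log": "System", "id": 104, "time": t0 + timedelta(minutes=40)})
    return events


if __name__ == "__main__":
    result = scan_tree(build_sample_tree())
    print(f"{len(result['encrypted'])} prefixed files in {len(result['folders'])} "
          f"folders, {len(result['notes'])} ransom notes")
    evs = sample_events()
    print("brute-force sources:", rdp_bruteforce_sources(evs))
    print("log-clear events:", [(e["log"], e["id"]) for e in log_clear_events(evs)])
```

The two checks are independent on purpose: once the malware has wiped the host’s logs, only the file-system scan still works locally, while the 4625 burst and the 1102/104 clear events are only visible where logs were shipped off the machine beforehand.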
Restoring Your Files
Two victims of this ransomware reported that they sent the bitcoins to pay the ransom and the hackers actually did eventually send the “decrypter.” Yet, in the sample analyzed, the ransomware “did not delete Shadow Volume Copies or securely delete the original files.” Thus, in place of the (not very good) option of paying the ransom to recover files, BleepingComputer.com blogger Lawrence Abrams states that “you may be able to use a file recovery tool to recover your files or a program like Shadow Explorer to restore your files from the Shadow Volume Copies.” DarkMatters suggests that “for cloud services affected – such as Dropbox – remove the oorr prefix from the encrypted file(s) and revert back to a previous version.”
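The cloud-service advice above amounts to mapping every “oorr” file back to its original name and reverting that name to an earlier version. The script below is an added example, not code from the article, DarkMatters or BleepingComputer; it turns a list of affected paths into a restore plan, leaves the ransom notes and un-prefixed files out, and reports a conflict instead of a restore when the original name already exists (for instance because it was already brought back from a Shadow Volume Copy). The sample paths and the set of already-present files are constructed for the example.

```python
"""Restore plan from LowLevel04-style file names.

Added example, not from the article. Strips the "oorr" prefix to recover the
original name so a previous version can be reverted (Dropbox) or located in a
Shadow Volume Copy. Ransom notes and un-prefixed files are skipped; an existing
target is reported as a conflict rather than overwritten. Sample data constructed.
"""
import posixpath

PREFIX = "oorr"
NOTE_NAME = "help recover files.txt"


def original_name(name):
    """Return the pre-encryption name, or None if `name` is not a prefixed file."""
    if name.lower() == NOTE_NAME or not name.startswith(PREFIX):
        return None
    return name[len(PREFIX):]


def restore_plan(paths, existing=frozenset()):
    """Split paths into (encrypted, original) restore pairs, conflicts and skips."""
    plan = {"restore": [], "conflicts": [], "skipped": []}
    for p in paths:
        folder, name = posixpath.split(p)
        orig = original_name(name)
        if orig is None:
            plan["skipped"].append(p)
            continue
        target = posixpath.join(folder, orig)
        if target in existing:
            plan["conflicts"].append((p, target))
        else:
            plan["restore"].append((p, target))
    return plan


# Constructed listing of a synced folder after the attack.
SAMPLE_PATHS = [
    "/Dropbox/docs/oorrbudget.xlsx",
    "/Dropbox/docs/oorrplan.docx",
    "/Dropbox/docs/help recover files.txt",
    "/Dropbox/pictures/holiday.jpg",
    "/Dropbox/docs/archive/oorrold.pdf",
]
# Constructed: plan.docx was already restored from a Shadow Volume Copy.
ALREADY_PRESENT = frozenset({"/Dropbox/docs/plan.docx"})


if __name__ == "__main__":
    for kind, items in restore_plan(SAMPLE_PATHS, ALREADY_PRESENT).items():
        print(kind)
        for item in items:
            print("  ", item)
```

The plan is a dry run: it names what to revert and where, and the actual revert is done through the service’s version history or Shadow Explorer, so nothing here touches the files themselves.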
Protect Your Business from a Ransomware Disaster
Big Idea Technology can help you protect your business from ransomware so you don’t need to go through this type of ordeal. Our Business Continuity solution, when put in place before an incident like this, has been proven to quickly and completely recover all files as they were before the attacker encrypted them. In implementing this solution, we work with you to determine your ideal Recovery Point Objective (RPO) – how much data you can afford to lose, and your ideal Recovery Time Objective (RTO) – how much time your business can afford to be down. We use a multi-layered approach to security, patch our clients’ systems with the latest security patches, and ensure that weak or default passwords are not used. We can also set up two-factor authentication (2FA) for remote login and, through our blog posts, we remind our clients about using cyber-security practices. A potential disaster like being hit by ransomware does not have to be a disaster for your business. No one needs this type of “Good day.”