New Ransomware Focuses on Servers
Friday, October 14, 2016 @ 05:10 PM gHale
New ransomware focuses on servers and encrypts files on network shares even if they haven’t been mapped to the infected computer.
DXXD ransomware appends the .dxxd extension to the encrypted files, after which it drops a ransom note onto infected computers.
The malware doesn’t only search for and encrypt files on the local machine; it also targets network shares, both mapped and unmapped.
While the ransomware’s infection vector isn’t clear at the moment, the attackers appear to be going after Remote Desktop Services and are brute-forcing passwords to spread the DXXD ransomware, BleepingComputer’s Lawrence Abrams said in a blog post.
The ransom note dropped by the new threat instructs users to contact the operators via two email addresses to receive payment instructions: rep_stosd[at]protonmail.com and rep_stosd[at]tuta.io.
Unlike other ransomware families, DXXD is configured to change a Windows Registry setting so that a “legal notice” is displayed to users when they log in. This way the ransomware author ensures any user attempting to log into an infected computer sees the ransom note.
The “legal notice” informs users the computer they are logging into “is attacked by hackers.” It also claims users should contact experts at said emails and various other email addresses, such as shellexec[at]protonmail.com or null_ptr[at]tutanota.de “for more informations [sic!] and recommendations.”
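The logon “legal notice” and the .dxxd extension described above are the two artifacts a defender can check for cheaply. The following PowerShell script is an added example, not code from the article or from BleepingComputer: it dumps any configured logon legal notice and lists files carrying the .dxxd extension on the paths you pass in (local drives or UNC shares). The article does not name the Registry value DXXD writes; the two locations below are the standard Windows ones for the logon legal notice and are an assumption on my part, as is the keyword match against the ransom-note wording quoted in the article.

```powershell
# Added example (not from the article): audit the Windows logon "legal notice"
# values that DXXD is reported to abuse and look for its .dxxd extension.
# Assumption: the registry paths below are the standard Windows locations for the
# logon legal notice; the article does not state which one DXXD modifies.
param(
    [string[]]$ScanPaths = @('C:\')   # add UNC paths such as \\fileserver\share to cover network shares
)

$noticeLocations = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
)

# Return every non-empty LegalNoticeCaption / LegalNoticeText value found.
function Get-LogonNoticeValues {
    foreach ($key in $noticeLocations) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($name in 'LegalNoticeCaption', 'LegalNoticeText') {
            $value = $props.$name
            if (-not [string]::IsNullOrWhiteSpace($value)) {
                [pscustomobject]@{ Key = $key; Name = $name; Value = $value }
            }
        }
    }
}

# Walk each path and report files whose extension is .dxxd (case-insensitive).
function Find-DxxdArtifacts {
    param([string[]]$Paths)
    foreach ($p in $Paths) {
        if (-not (Test-Path $p)) { Write-Warning "Path not reachable: $p"; continue }
        Get-ChildItem -Path $p -Recurse -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Extension -ieq '.dxxd' } |
            Select-Object FullName, LastWriteTime
    }
}

Write-Host '== Logon legal notice values =='
$notices = Get-LogonNoticeValues
if ($notices) {
    $notices | Format-Table -AutoSize
    # Heuristic: phrases quoted in the article's description of the ransom note.
    if ($notices.Value -match 'attacked by hackers|protonmail|tuta') {
        Write-Warning 'Legal notice text resembles the DXXD ransom note wording.'
    }
} else {
    Write-Host 'No logon legal notice is configured.'
}

Write-Host '== Files with the .dxxd extension =='
$hits = Find-DxxdArtifacts -Paths $ScanPaths
if ($hits) { $hits | Format-Table -AutoSize } else { Write-Host "None found under: $($ScanPaths -join ', ')" }
```

Run it with a list of share roots (for example `.\Audit-Dxxd.ps1 -ScanPaths 'C:\', '\\fileserver\share'`) from an account that can read those shares; a legitimate corporate logon banner will also show up in the first section, so compare the text against what your organisation actually configures rather than treating any value as a hit.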