New Ransomware Hitting Systems
Wednesday, October 28, 2015 @ 12:10 PM gHale
A new strain of ransomware is infecting computers, encrypting files, and then demanding a ransom of 4 Bitcoin.
The ransomware first came on the scene in Bulgaria and Greece. It uses the Windows built-in Remote Desktop Services or Terminal Services, said malware researcher Nathan Scott, who took a closer look and found some interesting things.
Attackers are manually installing the ransomware on all infected devices by brute-forcing user account passwords on machines that have left Remote Desktop or Terminal Services connections open, he said.
Once they manage to get a foothold on infected systems, the attackers run the ransomware executable, which first maps all local and network drives.
After it creates a virtual map of all drives and files, the ransomware searches for data files that have a specific extension, and goes on to encrypt them with a powerful 2048-bit RSA key, the same system used by CryptoLocker.
To make sure users notice its work and pay up the ransom, in each folder where the ransomware encrypts files, it also drops a file named “help recover files.txt,” which contains information on where to pay the ransom and have the encryption removed.
The ransomware also prepends the string “oorr.” to the name of every file it encrypts. To hamper investigation by security researchers and reverse engineers, it then cleans up after itself by clearing the Application, Security and System event logs.
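As an added example (not code from the article or from the researcher quoted), the following Python flags the two behaviours described above in forwarded Windows Security log records: an RDP logon that succeeds after repeated failures from the same source, and clearing of the Security log. Hostnames, addresses and the log records are constructed; the event IDs and logon type are standard Windows values, and the flat record format is an assumption.

```python
"""Detection logic for the RDP brute-force and log-clearing behaviour
described above. Assumes Security log events are forwarded to a collector
(the ransomware clears local logs); all records below are constructed."""
from collections import defaultdict

# Windows Security log event IDs: 4625 = failed logon, 4624 = successful
# logon (LogonType 10 = RemoteInteractive, i.e. RDP), 1102 = audit log cleared.
FAILED, SUCCESS, LOG_CLEARED = 4625, 4624, 1102
RDP_LOGON_TYPE = 10

def ev(time, host, event_id, src=None, user=None, logon_type=None):
    """Build one simplified event record (field names are our own)."""
    return {"time": time, "host": host, "id": event_id, "src": src,
            "user": user, "type": logon_type}

# Constructed sample: six RDP failures from one address, a success from the
# same address, then the log being cleared; plus one benign mistyped
# password followed by a local (type 2) logon on a workstation.
SAMPLE_EVENTS = (
    [ev(f"2015-10-27T03:12:{s:02d}", "FILESRV01", FAILED, "203.0.113.45",
        "admin", RDP_LOGON_TYPE) for s in range(0, 60, 10)]
    + [ev("2015-10-27T03:13:05", "FILESRV01", SUCCESS, "203.0.113.45",
          "admin", RDP_LOGON_TYPE),
       ev("2015-10-27T03:40:00", "FILESRV01", LOG_CLEARED),
       ev("2015-10-27T08:00:00", "WKS-22", FAILED, "10.0.0.8", "jdoe", 2),
       ev("2015-10-27T08:00:30", "WKS-22", SUCCESS, "10.0.0.8", "jdoe", 2)]
)

def detect(events, threshold=5):
    """Flag an RDP logon that succeeds after >= threshold failures from the
    same source on the same host, and any clearing of the Security log."""
    findings = []
    failures = defaultdict(int)  # (host, source address) -> failures so far
    for e in sorted(events, key=lambda e: e["time"]):  # ISO-8601 sorts as text
        key = (e["host"], e["src"])
        if e["id"] == FAILED:
            failures[key] += 1
        elif e["id"] == SUCCESS and e["type"] == RDP_LOGON_TYPE:
            if failures[key] >= threshold:
                findings.append({"rule": "rdp_bruteforce_then_success",
                                 "host": e["host"], "src": e["src"],
                                 "user": e["user"], "failures": failures[key],
                                 "time": e["time"]})
        elif e["id"] == LOG_CLEARED:
            findings.append({"rule": "security_log_cleared",
                             "host": e["host"], "time": e["time"]})
    return findings
```

Because the ransomware wipes the local logs, the 1102 event only survives on a collector; on the host itself it is the first entry of the freshly cleared log.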
There are some ways to recover some of the encrypted files. For starters, if some of the encrypted files have also ended up synchronized and hosted on cloud services like Dropbox or Google Drive, users can simply remove the oorr. prefix, and use the Web interface for those services to revert to the file’s previous version.
A second method is to recover a hard drive’s shadow volume copies, which the ransomware does not delete, using an application like ShadowExplorer.
Neither method recovers every file, but they may help users who do not intend to pay the ransom get back at least some of their data.