LockCrypt ransomware

Olivia Storey

Hackers have been breaking into corporate servers with RDP brute force attacks and infecting them with LockCrypt.

The LockCrypt ransomware encrypts files and renames them with a .lock extension, installs itself on the system so that it persists, and deletes backups and volume shadow copies to prevent easy recovery.

The ransomware then executes a batch file that kills all non-core processes, including antivirus software, and sends encoded information about the infected machine to a server in Iran.

The first versions of LockCrypt used an email address that was previously connected to the Satan ransomware – which is a ransomware-as-a-service.

The attacks started in June this year, but October saw an increase in infections across the US, UK, South Africa, India, and the Philippines. The attacks are opportunistic rather than targeted, but the attackers do interact manually with compromised systems for maximum effect.

The ransom demand could put smaller companies out of business: some businesses have actually paid between 0.5 and 1 bitcoin per server, and with the value of bitcoin reaching $10,000 apiece, that is not exactly affordable. One company paid US$19,000 to recover three machines.

Mark James, ESET IT Security Specialist, explains the best way to prepare against ransomware attacks like this, and how best to recover if you have been infected.

“As these attacks are opportunistic in nature the best defence is a good security policy.

“Complex passwords are always a good choice when we are talking about servers, and if possible secure those accounts with two-factor authentication.

“Limit any internet RDP access to those servers and review your logs regularly for failed login attempts.

“One of LockCrypt’s tasks is to delete any volume shadow copies (backups) so it’s extremely important to have additional point-in-time offsite and offline backups for when things go horribly wrong.

“These of course should be tested on a regular basis right down to full restore to ensure they are working perfectly.

“One of the easiest ways to protect against RDP brute force attacks is to have a simple policy that locks out a user after a certain amount of failed login attempts.

“It’s a very simple task that’s configured through a local security policy.

“If you want extra protection you could consider changing the RDP ports you’re using, as most opportunistic attacks will target the default RDP port of 3389.

“This is done through editing the registry.

“Of course any work to the registry always comes with a warning as catastrophic consequences can occur if the registry is damaged, so always make backups before you start.

“Preventing ransomware is much better than dealing with it.

“If you are already infected then the only 100% recovery solution is restoring from a backup, but if you want to prevent the malware getting hold in the first place, then you should ensure your systems are patched and updated to the latest versions.

“Also do not underestimate the power of a good education for your staff and colleagues, as most malware is still delivered using email and dodgy links; preventing those from being clicked should be your number one priority.”
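As an added example (not from the article or from ESET), the following PowerShell script performs the log review the advice above recommends: it pulls failed-logon events (ID 4625) from the Security log, groups them by source address, and then reports the current account lockout policy and the port the RDP listener is bound to. The 24-hour window and the threshold of 10 failures are assumptions chosen for this example.

```powershell
# Added example, not part of the article: review failed logons, lockout policy
# and RDP listener port on a Windows server. Run from an elevated PowerShell.
# The window and threshold below are assumptions for this example.
param(
    [int]$Hours = 24,
    [int]$Threshold = 10
)

$since = (Get-Date).AddHours(-$Hours)

# Event 4625 = "An account failed to log on". Logon type 10 is RemoteInteractive
# (RDP); type 3 (Network) also appears for RDP when Network Level Authentication
# is enabled, so both are included.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                       -ErrorAction SilentlyContinue

$failures = foreach ($e in $events) {
    # Parse the event XML by field name rather than relying on property order.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($data['LogonType'] -in '3', '10') {
        [pscustomobject]@{
            Time      = $e.TimeCreated
            Source    = $data['IpAddress']
            Account   = $data['TargetUserName']
            LogonType = $data['LogonType']
        }
    }
}

# Source addresses with at least $Threshold failures: candidates for blocking at
# the firewall and for checking that the lockout policy actually fired.
$failures |
    Group-Object Source |
    Where-Object { $_.Count -ge $Threshold } |
    Sort-Object Count -Descending |
    Select-Object @{ n = 'Source'; e = { $_.Name } }, Count,
                  @{ n = 'Accounts'; e = { ($_.Group.Account | Sort-Object -Unique) -join ',' } } |
    Format-Table -AutoSize

# Current account lockout policy (threshold, duration, observation window).
net accounts | Select-String 'Lockout'

# Port the RDP listener is bound to (3389 by default). The article notes it can
# be changed in the registry; this script only reads the value, never writes it.
$rdp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
"RDP listener port: $((Get-ItemProperty -Path $rdp -Name PortNumber).PortNumber)"
```

Failed-logon events are only recorded if "Audit Logon" failure auditing is enabled in the local security policy, so an empty result should be checked against the audit settings before being read as good news.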

Does your company have policies in place to prevent ransomware infection? Let us know on Twitter @ESETUK.
