CommonRansom Demands Remote Desktop Access to Encrypted System

Delaware, USA – October 31, 2018 — New Ransomware strain not only requires a ransom payment in bitcoins but also demands the victim to provide remote access to the infected system to decrypt the data. Security researcher Michael Gillespie discovered CommonRansom ransomware yesterday, and it is still not known how it is distributed. This ransomware encrypts documents, databases, media and archives using AES, and then requires a ransom of 0.1 BTC to return files. Ransom note demands victims to pay the ransom within 12 hours; otherwise, the key to restoring the data will be lost. After payment, the victim must notify via email ransomware ID, IP and port for connecting via RDP, as well as username and password to access the system with admin rights. To confirm the ability to decrypt files, attackers offer to send them up to 5 text files. The investigation of the bitcoin wallet specified in ransom note showed that it was previously used for undefined operations, and before the start of the campaign, 65 BTC were transferred to the wallet used by cybercriminals as a mixer to complicate tracking of the further movement of funds.

It is possible that the requirement to provide access to an infected machine through the RDP targets at employees willing to pay a ransom to conceal the incident from the management. With access to the system, CommonRansom operators will be able to install additional malware and tools to compromise the entire organization’s network. You can detect similar attacks at the early stages and prevent severe damage using SIEM and the Ransomware Hunter rule pack: https://my.socprime.com/en/integrations/ransomware-hunter-arcsight