JungleSec Ransomware Infects Linux Servers through IPMI Cards

Delaware, USA – December 28, 2018 – Adversaries have found a new way to infect servers: through unsecured Intelligent Platform Management Interface (IPMI) cards. JungleSec ransomware appeared almost two months ago; cybercriminals use it to encrypt files on systems running Linux, macOS and Windows and demand a ransom of 0.3 bitcoin, but many victims who paid to decrypt their data reported that they never received any response from the criminals. Experts from BleepingComputer investigated and found that the adversaries use IPMI devices to access Linux servers and install JungleSec manually. IPMI allows remote administration of a server, and admins do not always change or disable the default credentials, so cybercriminals can easily compromise the server and install malware. In at least one case, the adversaries compromised the IPMI device through an unknown vulnerability, so disabling the Admin user alone does not guarantee the security of the server: the IPMI interface itself should not be reachable from untrusted networks.
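A quick way to check your own fleet for the weakness described above is to audit the BMC user table. The script below is an added example, not code from the article, from BleepingComputer or from SOC Prime: it parses the six-column output of `ipmitool user list <channel>` and flags enabled ADMINISTRATOR accounts whose names match well-known vendor defaults (the list of default names, the sample table and the `fetch_user_list` helper are assumptions for this example). The parser never authenticates to anything; a flagged account is a prompt to test whether its vendor default password still works, for example with `ipmitool -I lanplus -H <bmc> -U ADMIN -P ADMIN chassis status`, and to remember that a renamed or disabled Admin user does not help if the BMC is exposed and vulnerable.

```python
"""Audit a BMC user table for the accounts an attacker tries first.

Added example, not code from the article. Assumes the six-column layout
printed by `ipmitool user list <channel>`; the sample table below is
constructed for this example.
"""
from __future__ import annotations

import re
import subprocess
from dataclasses import dataclass

# Assumption: a short list of commonly cited vendor default administrator
# names (Supermicro "ADMIN", Dell "root", HP "Administrator", IBM "USERID").
# Extend it for the hardware you actually run.
DEFAULT_ADMIN_NAMES = {"admin", "administrator", "root", "userid"}

# Constructed sample of `ipmitool user list 1` output (not from a real BMC).
SAMPLE_USER_LIST = """\
ID  Name\t     Callin  Link Auth\tIPMI Msg   Channel Priv Limit
1                    true    false      false      NO ACCESS
2   ADMIN            false   false      true       ADMINISTRATOR
3   monitor          true    false      true       USER
4   ops-break-glass  true    false      true       ADMINISTRATOR
5   ADMIN            true    false      false      NO ACCESS
"""


@dataclass
class BmcUser:
    uid: int
    name: str
    callin: bool
    link_auth: bool
    ipmi_msg: bool
    priv: str

    @property
    def enabled_remote(self) -> bool:
        # "IPMI Msg" true means the account may authenticate over this channel.
        return self.ipmi_msg and self.priv != "NO ACCESS"


# One data row: id, optional name, three true/false flags, privilege text.
_ROW = re.compile(
    r"^(?P<uid>\d+)\s+(?P<name>\S*)\s+(?P<callin>true|false)\s+"
    r"(?P<link>true|false)\s+(?P<msg>true|false)\s+(?P<priv>.+?)\s*$"
)


def parse_user_list(text: str) -> list[BmcUser]:
    """Parse ipmitool's user table; header and blank lines are skipped."""
    users: list[BmcUser] = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if not m:
            continue
        users.append(BmcUser(
            uid=int(m["uid"]), name=m["name"],
            callin=m["callin"] == "true", link_auth=m["link"] == "true",
            ipmi_msg=m["msg"] == "true", priv=m["priv"].strip(),
        ))
    return users


def risky_accounts(users: list[BmcUser]) -> list[BmcUser]:
    """Enabled administrator accounts with a vendor-default name."""
    return [u for u in users
            if u.enabled_remote and u.priv == "ADMINISTRATOR"
            and u.name.lower() in DEFAULT_ADMIN_NAMES]


def audit(text: str) -> list[str]:
    """Return one human-readable finding per risky account."""
    return [
        f"uid {u.uid} '{u.name}': enabled ADMINISTRATOR with a vendor-default "
        "name; verify its default password has been changed"
        for u in risky_accounts(parse_user_list(text))
    ]


def fetch_user_list(host: str | None = None, user: str | None = None,
                    password: str | None = None, channel: int = 1) -> str:
    """Run `ipmitool user list` in-band, or against a remote BMC over RMCP+.

    Assumption: ipmitool is installed and the BMC is reachable.
    """
    argv = ["ipmitool"]
    if host:
        argv += ["-I", "lanplus", "-H", host, "-U", user or "", "-P", password or ""]
    argv += ["user", "list", str(channel)]
    return subprocess.run(argv, check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; swap in
    # fetch_user_list(...) to audit a real BMC.
    for finding in audit(SAMPLE_USER_LIST):
        print(finding)
```

In the sample, only user 2 is reported: user 4 is an enabled administrator but not a default name, and user 5 is the default name but has no channel access, which is exactly the "disabled Admin" situation the article notes is not sufficient on its own.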

After accessing the machine, the attackers reboot it into single-user mode to obtain root, then download and compile the ccrypt tool and use it to encrypt files. They also try to encrypt mounted VM disks and leave a backdoor for further access to the server. It is not yet known how the criminals infect Windows and Mac systems. It is worth mentioning that last month a pack of 23 ransomware strains was sold on underground forums, and several of those samples are also installed manually. To detect attacks at an early stage, before severe damage is caused, you can use the Ransomware Hunter rule pack: https://my.socprime.com/en/integrations/ransomware-hunter-hpe-arcsight