MegaLocker Virus Attacks Samba Servers

Delaware, USA – April 17, 2019 – 'MegaLocker Virus' ransomware, first discovered about a month ago, now attacks accessible Samba servers. The first infections presumably happened via FTP, and all attacks targeted NAS devices exclusively. The owners of the compromised devices received instructions to contact the cybercriminals via email and pay the ransom in bitcoins. The adversaries demand $250 from private persons and $1000 from organizations. More recently, MegaLocker Virus switched from NAS devices to Samba servers and started to cause greater inconveniences. Unlike most ransomware families, MegaLocker does not need to be installed on the server; instead, it brute-forces credentials on an accessible Samba server and encrypts the files remotely. So far there is no way to decrypt the files for free, but researchers are working on a decryptor. According to Shodan, there are over 500,000 servers worldwide that are potential victims of this ransomware family.

Research by Coveware shows that the average ransom paid by attacked organizations has almost doubled in recent months (from $6,733 to $12,762). This figure was, of course, influenced by the destructive attacks of the Ryuk gang, which demands astronomical ransom payments (the average payment is over $280,000). Moreover, in recent months the average recovery period after an attack has also increased, from 6.2 days in 2018 to 7.3 days. One of the main attack vectors against organizations is brute forcing of RDP connections. To successfully protect against such attacks, you can use the VPN Security Monitor and Brute Force Detection rule packs.
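As an added illustration of the brute-force pattern behind both the Samba and RDP vectors described above (example code written for this page, not part of the original article or of the rule packs it mentions): a small detector that flags a source address reaching a failure threshold inside a sliding window, and separately flags a successful login that follows such a burst, since that is the moment a remote-encryption ransomware gains its foothold. The log format and sample lines are constructed for the example; real Samba or RDP logs would need their own parser.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth log in a simplified "timestamp src_ip user result"
# form (not real Samba output). 10.0.0.5 sprays six logins and then gets in;
# 10.0.0.9 is a user who mistyped a password once.
SAMPLE_LOG = [
    "2019-04-17T10:00:01 10.0.0.5 admin FAIL",
    "2019-04-17T10:00:03 10.0.0.5 admin FAIL",
    "2019-04-17T10:00:05 10.0.0.5 root FAIL",
    "2019-04-17T10:00:07 10.0.0.5 backup FAIL",
    "2019-04-17T10:00:09 10.0.0.5 nas FAIL",
    "2019-04-17T10:00:11 10.0.0.5 guest FAIL",
    "2019-04-17T10:00:13 10.0.0.5 nas OK",
    "2019-04-17T10:00:20 10.0.0.9 alice FAIL",
    "2019-04-17T10:00:25 10.0.0.9 alice OK",
]


def parse_line(line):
    """Split one constructed log line into (timestamp, src_ip, user, result)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=2)):
    """Return alerts as (kind, src_ip, timestamp) tuples.

    'bruteforce' fires once when a source reaches `threshold` failures inside
    `window`; 'success_after_bruteforce' fires when that same source then
    authenticates successfully, i.e. a credential was likely guessed.
    """
    failures = defaultdict(deque)  # src_ip -> timestamps of recent failures
    alerts = []
    for ts, ip, _user, result in map(parse_line, lines):
        recent = failures[ip]
        while recent and ts - recent[0] > window:  # drop failures outside the window
            recent.popleft()
        if result == "FAIL":
            recent.append(ts)
            if len(recent) == threshold:  # alert once per threshold crossing
                alerts.append(("bruteforce", ip, ts))
        elif result == "OK" and len(recent) >= threshold:
            alerts.append(("success_after_bruteforce", ip, ts))
    return alerts


if __name__ == "__main__":
    for kind, ip, ts in detect_bruteforce(SAMPLE_LOG):
        print(f"{ts.isoformat()} {ip} {kind}")
```

The threshold and window are assumptions to tune against a real baseline; a single low-volume failure like the one from 10.0.0.9 produces no alert.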