RDP Brute Force is Used to Spread LockCrypt Ransomware

Delaware, USA – November 10, 2017 – On October, the hacker group which infects corporate servers with LockCrypt Ransomware increased the number of attacks. Researchers from Alien Vault report that for the first time this Ransomware strain was seen in June and linked it with the same group that used Satan Ransomware in previous attacks. Unlike many other groups that use phishing and spam campaigns for infection, this threat actor performs brute-force RDP attacks on companies worldwide. After gaining access to the targeted server, adversaries install LockCrypt Ransomware, which encrypts and renames files deleting their shadow copies. Also, cybercriminals kill all critical business processes on the server to inflict maximum damage to the company. Ransom payment is about $ 5000 per encrypted server.

RDP Brute-force attacks to gain access to critical servers and install Ransomware on them is a common type of attack that does not cause such a resonance in the news as Locky massive spam campaigns or Bad Rabbit outbreak. Such attacks are directed against companies of different sizes, to whom the interruption of business processes can cause vaster losses than paying the ransom. To protect your company, you can use Brute Force Detection use case for QRadar, ArcSight and Splunk. This SIEM content analyzes all authentication events and notifies the administrator when it detects any attempts of password guessing, so he can timely take countermeasures.