Dealing with ransomware and remote access hacking

NetSafe has received reports from New Zealand SMEs affected by a particularly effective form of ransomware called Anti-Child Porn Spam Protection.

This form of malware is targeted at Windows servers and takes a system and any data stored on it hostage in an attempt to extort money.

Companies affected by the malware have found their systems locked out with all business and customer data encrypted by a hacker and a demand for payment of up to several thousand dollars to unlock the files affected.

The ransomware also suggests the systems have been spamming or contain child pornography and unless the ransom is paid a report will be made to the FBI.

How are companies affected?
[Screenshot: an example ransomware lockout featuring the NZ Police logo]

Instead of using drive-by download websites to exploit browser vulnerabilities, it would appear these latest ransomware infections are manually installed by a remote attacker using a tool named DUBrute against vulnerable Remote Desktop Protocol (RDP) connections on port 3389.

The tool undertakes dictionary attacks against common user accounts including admin, Administrator, backup, console, Guest, sales, user and many more.

If access is gained, the attacker can disable anti-virus software and execute malware on the system that displays a ransom notice, locks genuine users out, deletes backups and encrypts any data found.

There have been recent media reports of companies in Australia paying the ransom to gain access back to their data.

How can I defend against this ransomware?

Backup Everything
It is essential that companies make regular routine backups with data stored offsite, as there is currently no known way to decrypt the files affected by the malware.
Use Strong Passwords
Make sure you have a proper password policy in place for all user accounts with remote access – review all system accounts and delete any that are no longer required
Consider disabling remote access
If you do not need remote access then consider disabling Remote Desktop or Terminal Services, close port 3389 or use IP based restrictions or a VPN.
Update Everything
Check the Microsoft Security Bulletins and ensure your systems are fully patched against known RDP vulnerabilities
Alert others to prevent more attacks
Please forward this email to colleagues, friends and family who could be impacted by a ransomware infection at their company
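The dictionary attack described above leaves a clear trace on the server itself: one source address failing logons against many different account names. The PowerShell script below is an added example and is not code from NetSafe or this advisory. It assumes Windows Server 2012 or later with PowerShell 3+, that it is run as an administrator, and that failed-logon auditing is enabled so failures are written to the Security log as event 4625; the management address range is a placeholder you must replace.

```powershell
# Added example (not from the NetSafe advisory). Assumes Windows Server 2012+, PowerShell 3+,
# an elevated session, and that failed logons are audited to the Security log as event 4625.

function Get-RdpBruteForceSources {
    # Summarise failed logons per source address; one address failing against many
    # different account names is the dictionary-attack pattern described in the advisory.
    param([int]$Hours = 24, [int]$Threshold = 20)
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    $records = foreach ($e in $events) {
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time      = $e.TimeCreated
            Source    = $data['IpAddress']
            Account   = $data['TargetUserName']
            LogonType = $data['LogonType']   # 10 = RemoteInteractive (RDP); 3 = network (RDP with NLA)
        }
    }
    $records | Where-Object { $_.Source -and $_.Source -ne '-' } |
        Group-Object Source | Where-Object { $_.Count -ge $Threshold } |
        ForEach-Object {
            $sorted = $_.Group | Sort-Object Time
            [pscustomobject]@{
                Source   = $_.Name
                Failures = $_.Count
                Accounts = ($_.Group.Account | Sort-Object -Unique) -join ', '
                First    = $sorted[0].Time
                Last     = $sorted[-1].Time
            }
        } | Sort-Object Failures -Descending
}

function Protect-RdpAccess {
    # Apply the advisory's "IP based restrictions": replace the built-in allow-from-anywhere
    # Remote Desktop rules with one rule limited to a management range, and lock accounts out
    # after repeated failures so a dictionary run stalls instead of cycling through passwords.
    # (On a domain member, domain account-lockout policy overrides the local 'net accounts' setting.)
    param([Parameter(Mandatory)][string]$ManagementRange)
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Disable-NetFirewallRule
    New-NetFirewallRule -DisplayName 'RDP - management range only' -Direction Inbound `
        -Protocol TCP -LocalPort 3389 -RemoteAddress $ManagementRange -Action Allow | Out-Null
    net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30
}

Get-RdpBruteForceSources | Format-Table -AutoSize
# Protect-RdpAccess -ManagementRange '203.0.113.0/24'   # PLACEHOLDER: your office or VPN address block
```

If the server has no legitimate reason to accept Remote Desktop from the internet at all, leaving the built-in rules disabled and not creating the allow rule is the simplest way to "close port 3389" as the advisory recommends.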

What do I do if my company is infected?

Report the computer system attack
Make a report to NetSafe’s ORB website – we have been communicating with the National Cyber Security Centre about recent incidents
Be prepared to wipe systems and restore from backups
IT staff we have spoken with have spent several days dealing with the fallout from these infections
Do not pay the ransom
Some companies affected have been forced to pay to have their data unlocked by the hacker – NetSafe would encourage you not to follow this path

More help and advice:

New ransomware called Anti-Child Porn Spam Protection
The Bleeping Computer forum thread with comments from the alleged ransomware creator on how the encryption cannot be broken
Hackers ransom $3000 from NT business
SC Magazine report from last week on an Australian business forced to pay a $3000 ransom to hackers who had encrypted its financial records.
The ACCDFISA malware family – Ransomware targeting Windows servers
A very detailed technical look at how systems are affected by the ransomware.
Close port 3389 (Remote Desktop) on your firewalls NOW
An American blog on how two small companies lost data to the ransomware and advice on locking out failed password attempts.
Microsoft Security Bulletins
Search security bulletins for your company systems and ensure you remain fully patched.
NetSafe Security Central
Cyber security advice for New Zealand SMEs
Report cyber incidents to the Orb website
Attacks on computer systems can be reported at www.theorb.org.nz and we will work with NCSC to respond
Watch Paul Ducklin from Sophos
His YouTube video discusses another form of ransomware called Reveton that can be cleaned from computers: