Ransomware spreads through weak remote desktop credentials

A new ransomware program in Brazil uses RDP brute-force attacks to infect hospitals

Stolen or weak remote desktop credentials are routinely used to infect point-of-sale systems with malware, but recently they've also become a common distribution method for file-encrypting ransomware.

In March, researchers discovered a ransomware program dubbed Surprise that was being installed through stolen credentials for TeamViewer, a popular remote administration tool. But the trend had started long before that, with some ransomware variants being distributed through brute-force password guessing attacks against Remote Desktop Protocol (RDP) servers since 2015.

While this method of infection was initially used by relatively obscure ransomware programs, recently it has been adopted by an increasing number of cybercriminals, including those behind widespread ransomware programs such as Crysis.

Security researchers from antivirus firm Kaspersky Lab have discovered a new ransomware program that affected hospitals and other organizations in Brazil. The researchers have named the threat Trojan-Ransom.Win32.Xpan and say it's the creation of a gang called TeamXRat, which previously specialized in remote access trojans (RATs).

According to Kaspersky Lab, the TeamXRat attackers peform brute-force attacks against internet-connected RDP servers and then manually install the Xpan ransomware on the hacked servers.

"Connecting remote desktop servers directly to the Internet is not recommended and brute forcing them is nothing new; but without the proper controls in place to prevent or at least detect and respond to compromised machines, brute force RDP attacks are still relevant and something that cybercriminals enjoy," the Kaspersky researchers said in a blog post. "Once the server is compromised, the attacker manually disables the Antivirus product installed on the server and proceeds with the infection itself."

Brazil has more compromised RDP servers being sold on the underground market than any other country. It is followed by Russia, Spain, the U.K. and the U.S.

Fortunately in the case of Xpan, the ransomware authors made an error in their encryption implementation that allowed Kaspersky Lab to develop a method of recovering affected files without paying the ransom. There's no downloadable decryption tool, but Xpan victims are advised to contact the security company's support department and ask for assistance.

Encryption implementation errors are not unusual in ransomware programs, especially in new ones. However, ransomware developers are typically quick to fix the flaws and sooner or later their program will end up using strong and unbreakable encryption.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Cool Tech

Breitling Superocean Heritage Chronographe 44

Learn more >

SanDisk MicroSDXC™ for Nintendo® Switch™

Learn more >

Toys for Boys

Family Friendly

Panasonic 4K UHD Blu-Ray Player and Full HD Recorder with Netflix - UBT1GL-K

Learn more >

Stocking Stuffer

Razer DeathAdder Expert Ergonomic Gaming Mouse

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?