The attacks target Windows servers that expose Remote Desktop and Terminal Services to the internet. The attackers get in with dictionary-based brute-force attacks against a handful of common user names. Servers run by smaller or one-man companies in particular do not always enforce strict password policies or restrict access to sensitive services by IP address, which makes them easy prey for the group.
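The brute-force phase described above leaves a characteristic trail in the Windows Security log: a burst of failed logons (Event ID 4625) with Logon Type 10 (RemoteInteractive, i.e. RDP/Terminal Services) from one client address, spread over several common account names, followed by a successful logon (4624) from the same address once a password hits. The following detection script is an added example and not part of the original article or Emsisoft's material; the event records it runs over are a constructed, simplified export (timestamp, event id, logon type, target user, client IP), and the thresholds (five failures in five minutes) are assumptions to tune for your environment.

```python
"""Flag RDP dictionary attacks in Windows Security log events.

Added example (not part of the original article). It works on a constructed,
simplified export of Security log events: Event ID 4625 (failed logon) and
4624 (successful logon) with Logon Type 10 (RemoteInteractive, i.e. RDP /
Terminal Services) and the client IP address the events record.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = 4625
SUCCESSFUL_LOGON = 4624
REMOTE_INTERACTIVE = 10  # Logon Type 10: RDP / Terminal Services session

# Constructed sample data: (timestamp, event id, logon type, target user, source IP).
# 203.0.113.7 walks a list of common account names and gets in as "backup";
# 198.51.100.5 is an administrator who mistypes a password once.
SAMPLE_EVENTS = [
    ("2012-03-01 02:10:00", 4625, 10, "Administrator", "203.0.113.7"),
    ("2012-03-01 02:10:05", 4625, 10, "administrator", "203.0.113.7"),
    ("2012-03-01 02:10:10", 4625, 10, "admin",         "203.0.113.7"),
    ("2012-03-01 02:10:15", 4625, 10, "guest",         "203.0.113.7"),
    ("2012-03-01 02:10:20", 4625, 10, "user",          "203.0.113.7"),
    ("2012-03-01 02:10:25", 4625, 10, "test",          "203.0.113.7"),
    ("2012-03-01 02:10:30", 4625, 10, "sqladmin",      "203.0.113.7"),
    ("2012-03-01 02:10:35", 4625, 10, "backup",        "203.0.113.7"),
    ("2012-03-01 02:10:40", 4624, 10, "backup",        "203.0.113.7"),
    ("2012-03-01 09:00:00", 4625, 10, "jsmith",        "198.51.100.5"),
    ("2012-03-01 09:00:15", 4624, 10, "jsmith",        "198.51.100.5"),
]


def parse_events(records):
    """Turn the raw tuples into dicts with a real datetime for windowing."""
    return [
        {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "event_id": eid,
         "logon_type": ltype, "user": user, "src": src}
        for ts, eid, ltype, user, src in records
    ]


def detect_rdp_bruteforce(events, window=timedelta(minutes=5), min_failures=5):
    """Return {source_ip: finding} for every client that produced at least
    `min_failures` failed RDP logons inside any `window`-long interval.

    The finding lists the distinct account names tried (a spread of names is
    the signature of a dictionary run over common user names) and the account
    of the first successful RDP logon from the same client after the burst,
    which is the indicator that the server has actually been compromised.
    """
    by_src = defaultdict(list)
    for ev in events:
        if ev["logon_type"] == REMOTE_INTERACTIVE:
            by_src[ev["src"]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["event_id"] == FAILED_LOGON]
        best = None  # (count, first_index, last_index) of the densest window
        start = 0
        for end in range(len(failures)):
            # Slide the window start forward until it spans at most `window`.
            while failures[end]["ts"] - failures[start]["ts"] > window:
                start += 1
            count = end - start + 1
            if count >= min_failures and (best is None or count > best[0]):
                best = (count, start, end)
        if best is None:
            continue
        count, first, last = best
        burst = failures[first:last + 1]
        last_ts = burst[-1]["ts"]
        success = next((e for e in evs
                        if e["event_id"] == SUCCESSFUL_LOGON and e["ts"] >= last_ts), None)
        findings[src] = {
            "failures": count,
            "first_seen": burst[0]["ts"],
            "usernames": sorted({e["user"].lower() for e in burst}),
            "compromised_account": success["user"] if success else None,
        }
    return findings


if __name__ == "__main__":
    for src, f in detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS)).items():
        print(f"{src}: {f['failures']} failed RDP logons from {f['first_seen']}, "
              f"tried {', '.join(f['usernames'])}; "
              f"compromised account: {f['compromised_account']}")
```

On the sample data only 203.0.113.7 is flagged, with eight failures across seven distinct names and a subsequent successful logon as "backup"; the single mistyped password from 198.51.100.5 stays below the threshold. Two practical caveats: on servers with Network Level Authentication enabled, failed RDP logons are commonly recorded with Logon Type 3 rather than 10, so widen the filter accordingly, and the client address comes from the IpAddress field of the 4625 record, which is only useful if the server faces the attacker directly rather than sitting behind a NAT or gateway that rewrites it.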
Once the attackers have access to the system, they install the ransomware ACCDFISA, which recently appeared in its fourth generation. ACCDFISA drops three malicious components on the system; the most dangerous of them is a crypto malware installed as a Windows service.
The crypto malware used by ACCDFISA attempts to delete backups on the infected system and uses the popular WinRAR packer to move important files belonging to certain industry software solutions, as well as files with certain file extensions, into password-protected RAR archives. The ransom note is left in the form of a screen locker that prevents victims from accessing their system and the installed software. After 24 hours the initial ransom doubles from US $500 to US $1,000, and after another 48 hours the passwords are supposedly deleted from the attackers' records as well. Since the archives are protected with AES encryption, recovering the files without the correct password is very unlikely.
Christian Mairoll, CEO of Emsisoft, a Windows security software company, says: "Installed anti-virus or anti-malware software is of little use here. The hackers log onto the server via remote desktop connection. They are interacting with the system as if they were directly sitting in front of the PC. They disable anti-virus software and install the malware. We therefore advise all administrators to only use secure passwords complex enough for remote access."
For more information visit: http://blog.emsisoft.com