GlobeImposter use new ways to spread to the globe [source: 360totalsecurity]
Recently, there have been many incidents of ransomware attacks. Once users are infected by ransomware, it is almost impossible to decrypt it by technical means that users can only be forced to abandon data or pay ransom to solve. Therefore, unlike other virus Trojans, the “pre-defense strategy” is different from the “after-the-fact killing strategy”.
Today, we would like to make a brief summary of the intrusion methods used by the popular ransomware on the Internet, and hope that users can take precautions.
With the transfer of the target of ransomware, the spreading method is also changing. In the early days when ordinary users were the main target of ransomware, the spreading way of ransomware was similar to traditional Trojan virus, which mainly used phishing emails, instant messaging (IM) and drive by downloads to spread. Although these kinds of spreading methods have a high degree of automation and a large range of influence, the corresponding pertinence is low. Besides, most ordinary users choose to directly discard the encrypted data because of the low importance of data, which leads the low success rate to ransomware.
In the past two years, the ransomware has turned to more targeted attacks on various servers. Therefore, the original mode of spreading is no longer applicable to the attacks against servers. Correspondingly, RDP weak password cracking has become the main mode of intrusion.
Hackers who use this method to invade would firstly use network tools to perform an indiscriminate scan on the Internet to find servers with available ports exposed on the Internet. Once found, the dictionary tool can be used to crack service login password corresponding to the port. If the login password set by the administrator is not strong enough, the hacker may easily crack and successfully log-in in a short time.
In the process of handling user feedback, 360 Security Center captured cases in which hackers used Intercepter-NG, NetworkShare and other network scanning tools to conduct initial network scanning attacks.
For more, click here.