LockCrypt Ransomware Spreading via RDP Brute-Force Attacks [source: alienvault]

We previously reported on SamSam ransomware charging high ransoms for infected servers. But SamSam isn’t the only ransomware out there charging eye-watering amounts to decrypt business servers.

Initial reports of a new variant of ransomware called LockCrypt started in June of this year. In October we saw an increase in infections.

LockCrypt doesn’t have heavy code overlaps with other ransomware. We’ve seen evidence that the attackers likely started out with easier-to-deploy “ransomware as a service” before re-investing in their own ransomware.

We have seen small businesses infected with LockCrypt in the US, UK, South Africa, India and the Philippines.

Initial Compromise

One target reported they were infected via RDP brute-forcing from a compromised mail server. The attackers then manually killed business critical processes for maximum damage.

For more, click here.