A Spin-Off of LockCrypt Ransomware hits 48 Servers in North Carolina

LockCrypt has again made the headlines after affecting 48 out of 500 servers in Mecklenburg Country, North Carolina. A new version of the LockCrypt ransonware caused inconvenience in tax payment, child support, and other services by forcing people to use paper and pens. The affected servers were either encrypted or slowed down by the infection, the authors of which demanded for a ransom of 2 BTC, which is worth over $26,000. During the day of infection, the rate of Bitcoin changed, so the sum of the ransom in US dollars varied from $23,000 to $26,00. It has been confirmed that citizens' personal information stored on the affected servers was not compromised.

The county manager Dena Diorio announced that the county was not planning on paying the ransom because the paying up would not guarantee a fix. Instead of paying the ransom, the county would restore the locked data from back-ups. The majority of the affected data had back-ups and could be recovered.

The havoc was caused after a county employee received an email from a co-worker's account. The email contained an obfuscated file attachment, which, when downloaded and opened, infected the whole network. The attacker set a deadline, which was ignored by the county government. After the deadline passed, another attack on the computer systems was recorded. The county manager informed employees that deceptive email attachments are used to get access to their machines.

LockCrypt targets random countries

The attack on the servers in North Carolina is not the first attempt of this threat to gain financial gain. LockCrypt has been known to security experts since June. In October, the number of infections proliferated.

It is believed that the attackers' first attempt was to launch LockCrypt as "ransomware-as-a-service" and only when invest in it as a privately owned piece of ransowmare.

LockCrypt is known to have infected small businesses in South Africa, India, the US and UK. Victims were reportedly asked to pay between 0.5 to 1 Bitcoin per server.

In order to push victims into paying the ransom demanded, the infection deletes volume shadow copies so that the affected data cannot be restored. Affected files are renamed by adding the extension .lock. After the file encryption, LockCrypt sends information about the affected machine to a server located in Iran. However, it is also believed that the infection might originate from Ukraine.

The users of infected computers get a warning in which they are told to open a .txt file named Readme, where they are instructed to purchase Bitcoin and make a payment. Security researchers have purportedly discovered that LockCrypt has already collected other $175,000 in revenue.

Security experts have also found that the first versions of theLockCrypt ransomware share some features with Satan Ransomware. The Satan threat would require a victim to reach out to the attackers at Satan-Stn@bitmessage.ch. The same email address was used by early variants of Locky. Other email addresses used by LockCrypt includes enigmax_x@aol.com, djekr@aol.com, jajanielse@bitmessage.ch, jajanielse@aol.com, jekr@aol.com, and stnsatan@aol[.]com.

It was reported that LockCrypt infected machines via RDP configurations. Once connected to the machine, the attacker would manually end critical processes to cause maximum damage.

How to prevent ransomware

In general, poor RDP settings have lately been used by ransomware, and security experts are raising awareness of potential consequences that may be cause due to unprotected RDP access. Security experts warn that that brute-forcing attacks through RDP could be prevented by setting complex passwords and using two-factor authentication. It is also advisable to deny incoming RDP connections. Moreover, it is recommend to lock out users that fail to log in to the machine multiple times. Making offline back-up copies is also important so that affected data could be restored whenever it is necessary. Back-ups should be checked regularly to ensure that they will be usable when in need.

RDP access aside, it is essential to keep computers protected by professional antimalware software. The operating system and software alike should be keep updated so that malware, including ransomware, does not find its way to the computer through any vulnerabilities. Additionally, ignoring spam and phishing emails, the latter of which refer to emails that are made to look like sent by reputable institutions or agencies, is a essential to avert malware installation and security-related issues.

References

Bonderud, Douglas. New Ransomare Attacks: LockCrypt Emerges Drom Satan's Shadow. Security Intelligence. November 13, 2017

Doman, Chris. LockCrypt Ransomware Spreading via RDP Brute-Froce Attacks. Alient Vault.

Human Resources. 48 Servers Of North Caroline County Held Hostage by LockCrypt Ransomware. KnowBe4. December 7, 2017

MIllman, Rene. RDP Brute Force Attacks Used to Spread LockCrypt ransomware. SC Media. November 13, 2017

Stanglin, Doug. N.C. County Rejects Hackers' $26K Ransom demand to Unlock Infected Computers. USA TODAY. December 7, 2017