CryptoMix ransomware makes a comeback with a new attack campaign targeting weak RDP ports
- The CryptoMix attackers brute-force weakly secured RDP ports to gain access to the target network.
- Once inside the network, the attackers harvest admin credentials and encrypt the backup files.
Researchers have discovered a new cyber-espionage campaign that is being used to distribute the old and infamous CryptoMix ransomware. The malware, first discovered in early 2016, is using a new trick to coerce victims into paying the ransom.
The CryptoMix attackers brute-force weakly secured RDP ports to gain access to networks. Once inside, they harvest admin credentials to move easily across the network, encrypting files and deleting the backup data as they go.
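The intrusion pattern above (a burst of RDP password guesses against several accounts from one source, followed by a successful logon) is visible in Windows logon events. As an added example that is not code from the article or from Coveware, the detector below parses constructed lines modelled on Security events 4625 (failed logon) and 4624 (successful logon), keeps only logon type 10 (RemoteInteractive, i.e. RDP), and flags sources with a failure burst; the hosts, users and addresses are made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines modelled on Windows Security events 4625 (failed logon)
# and 4624 (logon success); LogonType=10 is RemoteInteractive, i.e. RDP. Every
# host, user and address here is made up for this example.
SAMPLE_LOG = """\
2019-01-15T10:00:01 4625 LogonType=10 User=administrator Src=203.0.113.7
2019-01-15T10:00:03 4625 LogonType=10 User=admin Src=203.0.113.7
2019-01-15T10:00:04 4625 LogonType=10 User=backup Src=203.0.113.7
2019-01-15T10:00:06 4625 LogonType=10 User=administrator Src=203.0.113.7
2019-01-15T10:00:09 4625 LogonType=10 User=sqlsvc Src=203.0.113.7
2019-01-15T10:00:11 4625 LogonType=10 User=administrator Src=203.0.113.7
2019-01-15T10:00:40 4624 LogonType=10 User=administrator Src=203.0.113.7
2019-01-15T10:05:00 4625 LogonType=10 User=jsmith Src=198.51.100.20
2019-01-15T10:30:00 4625 LogonType=2 User=jsmith Src=127.0.0.1
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<eid>\d+) LogonType=(?P<lt>\d+) "
                     r"User=(?P<user>\S+) Src=(?P<src>\S+)$")

def parse_events(log_text):
    """Yield (timestamp, event_id, logon_type, user, source); skip unparsable lines."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield (datetime.fromisoformat(m["ts"]), int(m["eid"]),
                   int(m["lt"]), m["user"], m["src"])

def rdp_bruteforce_sources(log_text, threshold=5, window=timedelta(minutes=1)):
    """Flag sources with >= threshold RDP logon failures inside `window`;
    also note whether the same source later logged on successfully."""
    failures, successes, users = defaultdict(list), defaultdict(list), defaultdict(set)
    for ts, eid, lt, user, src in parse_events(log_text):
        if lt != 10:                      # only RDP (RemoteInteractive) logons
            continue
        if eid == 4625:
            failures[src].append(ts)
            users[src].add(user)
        elif eid == 4624:
            successes[src].append(ts)
    hits = {}
    for src, stamps in failures.items():
        stamps.sort()                     # sliding window over sorted failures
        burst = any(stamps[i + threshold - 1] - stamps[i] <= window
                    for i in range(len(stamps) - threshold + 1))
        if burst:
            hits[src] = {"failures": len(stamps), "users": users[src],
                         "success_after": any(s > stamps[-1] for s in successes[src])}
    return hits
```

A source whose burst is followed by a successful type-10 logon (`success_after` true) is the case to escalate first, since that is the point at which credential harvesting and backup deletion can begin.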
After encryption, the victims are presented with a ransom note that tells them to make a donation to a fictitious crowdfunding charity website. It also warns the victims not to run any security software, claiming this could permanently damage their systems.
“The ransom notes go so far as to include the names, diagnosis, and even pictures of young children that the ransom payments will support. The information appears to be lifted from crowdfunding websites and local news stories that raised genuine awareness and funds for a specific child’s treatment,” said researchers from Coveware in a blog post.
Victims are asked to engage with the attackers over email; failing to pay within 24 hours has a dire consequence, as the victims then end up paying twice the original amount.
"They are naive about the level of intelligence of the people and companies they attack. Even if the victims believed that the hackers were donating the ransom proceeds to charity, it would not alter how they thought about paying or not paying," Bill Siegel, CEO of Coveware, told ZDNet.
Users are advised to secure their RDP ports with strong, unpredictable passwords. Implementing two-factor authentication also helps prevent attackers from breaching the network and encrypting the backups.