A new ransomware family called ‘NamPoHyu Virus’ ransomware has been found targeting vulnerable Samba servers. Instead of running executables on a victim’s computer, the attackers are directly launching the malware on vulnerable Samba servers by brute forcing the passwords.
How dreadful can be the ransomware - Once the ransomware - also called MegaLocker Virus - manages to brute force a vulnerable Samba server, it remotely encrypts the files and then leaves a ransom note.
Shodan, the search engine, has found some 500,000 accessible Samba servers across the globe. This indicates that this ransomware infection can be massive if the attackers gain access to these vulnerable Samba servers.
How does the ransomware work - The ransomware was first detected in March 2019 after users complained that their NAS storage devices were suddenly encrypted by new ransomware called MegaLocker virus.
Once it completes the encryption process, it appends the encrypted files with .crypted extension. After that, it creates a ransom note named !DECRYPT_INSTRUCTION.TXT.
The ransom note contains instructions to contact alexshkipper@mail[.]ru. The note asks the prospective victim to send a photo from birthday, holiday, hobbies or some other personal event. If the victim is a single user, then the ransom amount stands at $250 otherwise it would be $1000 for companies.
What are the new changes - In early April 2019, the ransomware switched its name to NamPoHyu Virus and started appending the .NamPoHyu extension to encrypted files, Bleeping Computer reported.
While the ransom note continues to display the same message, it now includes a link to a Tor payment site.