LockCrypt Ransomware Campaign Actively Targeting Remote Desktop Services
The NJCCIC has received open source and closed source reports indicating there is an active ransomware campaign targeting victims in New Jersey and throughout the US with the LockCrypt ransomware variant. This campaign is distributing LockCrypt to new victims by targeting unsecured Windows enterprise servers that have their Remote Desktop Protocol (RDP) ports open and exposed to the internet. Once a vulnerable server is located, a brute-force attack is launched against the login credentials used for remote access. If the attack is successful, the LockCrypt ransomware variant is then manually deployed across as many Windows systems on the network as possible. LockCrypt leverages strong encryption, gains boot persistence, deletes shadow volume copies, and executes a batch file that kills all non-Windows core processes to make removing and recovering from the infection difficult. Once encrypted, the ransomware appends .1btc to the names of files and drops a ransom note named ReadMe.TxT onto the infected system. It demands a ransom payment ranging from 0.5 to 1 Bitcoin per infected system and there is currently no free decryption tool available for this variant. More information about this campaign is available via Bleeping Computer. The NJCCIC recommends all administrators of Windows enterprise servers review the NJCCIC Threat Analysis titled Remote Access: Open Ports Create Targets of Opportunity, Undue Risk and take proactive steps to reduce their exposure to network compromise as a result of insecure remote access configurations. We also recommend all members and organizations download our PDF titled Ransomware: Risk Mitigation Strategies to learn how to protect data, systems, and networks from ransomware.