WYSIWYE, or What You See Is What You Encrypt, is a Ransomware-as-a-Service (RaaS) tool that is currently being sold to criminals and used to target Windows OS users in Germany, Belgium, Sweden, and Spain. It is distributed by malicious actors who conduct brute-force attacks against enabled and exposed Remote Desktop Protocol (RDP) ports. Once an available RDP port is located, the attacker will use tools to make more than 100,000 sign-on attempts in rapid succession. Default login credentials or passwords that are weak can easily be cracked, providing the attacker with the opportunity to deploy WYSISYE across the network. Using the WYSIWYE RaaS platform, the attack can be customized, allowing the attacker to choose the types of files to encrypt, whether or not to delete the original files after the infection, and what contact email address and ID number to provide to each victim. At the date of this posting, the NJCCIC is unaware of any ransomware attacks in the US that have been attributed to the use of WYSIWYE, specifically, although RDP compromise is becoming an increasingly used attack vector in ransomware campaigns. To protect networks against this threat, we recommend disabling port 3389 (RDP) if remote access is not needed. If remote access is required, make sure passwords are lengthy and complex, account access is monitored, and a two-factor authentication solution is implemented. We also recommend disabling TCP/UDP port 22 (SSH) and TCP port 23 (Telnet) as malicious actors have been known to use these ports to gain unauthorized access to networks as well.

  • Panda Security provides more information about WYSIWYE here.
  • The NJCCIC is not currently aware of any free decryption tools available for WYSIWYE.


Image Source: Panda Security