Dealing with ransomware and remote access hacking

NetSafe has received reports from New Zealand SMEs affected by a particularly effective form of ransomware called Anti-Child Porn Spam Protection.

This form of malware is targeted at Windows servers and takes a system and any data stored on it hostage in an attempt to extort money.

Companies affected by the malware have found their systems locked, all business and customer data encrypted by the attacker, and a demand for payment of up to several thousand dollars to unlock the affected files.

The ransomware also suggests the systems have been spamming or contain child pornography and unless the ransom is paid a report will be made to the FBI.

How are companies affected?

A screenshot shows an example ransomware lockout featuring the NZ Police logo

Instead of using drive-by download websites to exploit browser vulnerabilities, it would appear these latest ransomware infections are manually installed by a remote attacker using a tool named DUBrute against vulnerable Remote Desktop Protocol (RDP) connections on port 3389.

The tool undertakes dictionary attacks against common user accounts including admin, Administrator, backup, console, Guest, sales, user and many more.

If access is gained, the attacker can disable anti-virus software and execute malware on the system that displays a ransom notice, locks genuine users out, deletes backups and encrypts any data found.
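A defender-side detection check for the RDP dictionary attack described above, added here as an example and not taken from NetSafe or the advisory: it walks constructed Windows Security failed-logon records (Event ID 4625, rendered in a simplified one-line form that is an assumption of this example) and flags a source address that fails against several of the listed account names within a short window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one failed logon (Windows Security Event ID 4625) per line.
# Logon type 10 = RemoteInteractive (RDP); with Network Level Authentication on,
# failed RDP attempts often log as type 3, so we key on source IP and account churn.
SAMPLE_LOG = """\
2013-10-21T02:14:03 4625 type=10 user=admin ip=203.0.113.45
2013-10-21T02:14:04 4625 type=10 user=Administrator ip=203.0.113.45
2013-10-21T02:14:05 4625 type=10 user=backup ip=203.0.113.45
2013-10-21T02:14:06 4625 type=10 user=console ip=203.0.113.45
2013-10-21T02:14:07 4625 type=10 user=Guest ip=203.0.113.45
2013-10-21T09:30:11 4625 type=10 user=jsmith ip=198.51.100.7
2013-10-21T09:30:40 4625 type=10 user=jsmith ip=198.51.100.7
"""

# Account names the advisory says the tool cycles through.
COMMON_ACCOUNTS = {"admin", "administrator", "backup", "console",
                   "guest", "sales", "user"}

def parse(line):
    """Parse one constructed log line; return None unless it is a 4625 event."""
    parts = line.split()
    if len(parts) != 5 or parts[1] != "4625":
        return None
    fields = dict(p.split("=", 1) for p in parts[2:])
    return {"ts": datetime.fromisoformat(parts[0]), "user": fields["user"], "ip": fields["ip"]}

def detect(log_text, window=timedelta(minutes=5), min_failures=5, min_users=3):
    """One alert per source IP with >= min_failures failed logons inside
    `window` that also touch >= min_users distinct account names."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse(line)
        if ev:
            by_ip[ev["ip"]].append(ev)
    alerts = []
    for ip, events in sorted(by_ip.items()):
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(events)):  # sliding time window over the events
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            span = events[start:end + 1]
            users = {e["user"] for e in span}
            if len(span) >= min_failures and len(users) >= min_users:
                hits = sorted(u for u in users if u.lower() in COMMON_ACCOUNTS)
                alerts.append({"ip": ip, "failures": len(span), "accounts": hits})
                break  # one alert per source is enough for triage
    return alerts
```

Running `detect(SAMPLE_LOG)` flags only 203.0.113.45; the two failures from 198.51.100.7 against a single account look like a user mistyping a password and stay below threshold.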

There have been recent media reports of companies in Australia paying the ransom to gain access back to their data.

How can I defend against this ransomware?

  • Back Up Everything
    It is essential that companies make regular routine backups with data stored offsite, as there is currently no known way to decrypt the files affected by the malware.
  • Use Strong Passwords
    Make sure you have a proper password policy in place for all user accounts with remote access – review all system accounts and delete any that are no longer required.
  • Consider Disabling Remote Access
    If you do not need remote access then consider disabling Remote Desktop or Terminal Services, close port 3389, or use IP-based restrictions or a VPN.
  • Update Everything
    Check the Microsoft Security Bulletins and ensure your systems are fully patched against known RDP vulnerabilities.
  • Alert Others to Prevent More Attacks
    Please forward this email to colleagues, friends and family who could be impacted by a ransomware infection at their company.

What do I do if my company is infected?

  • Report the Computer System Attack
    Make a report to NetSafe’s ORB website – we have been communicating with the National Cyber Security Centre about recent incidents.
  • Be Prepared to Wipe Systems and Restore from Backups
    IT staff we have spoken with have spent several days dealing with the fallout from these infections.
  • Do Not Pay the Ransom
    Some companies affected have been forced to pay to have their data unlocked by the hacker – NetSafe would encourage you not to follow this path.

More help and advice: