Remote Desktop Server Owners beware, new HC7 GOTYA Ransomware Installed via Remote Desktop Services

 In Backdoor, Breach, Malware, News, Ransomware, Threat Intelligence

There was a time when most Server Administrators/Network Administrators would simply change port 3389 to some other port and/or change the default login username on an RDP server and assume it was secure. While this may be best practice, it doesn't really help, as a simple nmap scan reveals the listening port and there are enough breached user:pass wordlists available on the internet, on both the clear and dark web!

A new ransomware called HC7 is infecting victims by hacking into Windows computers that are running publicly accessible Remote Desktop services. Once the developers gain access to the hacked computer, the HC7 ransomware is then installed on all accessible computers on the network.

Originally released as HC6, victims began posting about it in the BleepingComputer forums towards the end of November. As this is a Python script packaged as an executable, once the script was extracted, ID Ransomware creator Michael Gillespie was able to determine that it was decryptable and released a decryptor.

Unfortunately, a few days later, the ransomware developers released a new version called HC7 that was not decryptable. This is because they removed the hard-coded encryption key and instead switched to passing the key as a command line argument when the attackers run the ransomware executable. Thankfully, there may be a way to get around that as well so that victims can recover their keys.

Currently the attackers are hacking into exposed remote desktop services, and once inside, use PsExec to install the ransomware on other computers in the network.
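The chain described above (an RDP logon from outside the VPN, then PsExec dropping its service on other hosts) is what a defender would look for in Windows event logs. The following is an added detection sketch, not code from the article; the event IDs 4624/7045, the PSEXESVC service name, the log line format and the VPN address range are assumptions, and the log lines are constructed.

```python
"""Detection sketch: flag RDP logons from outside the VPN range and PsExec
service installs that follow them. Event IDs 4624/7045, the log line format
and the addresses are assumptions, not from the article."""
import re
from datetime import datetime, timedelta

# Constructed sample events: "<timestamp> <host> <event_id> key=value ..."
SAMPLE_LOG = """
2017-12-20T01:02:03 FS01 4624 LogonType=10 User=administrator SrcIP=203.0.113.77
2017-12-20T01:05:40 FS01 7045 ServiceName=PSEXESVC ImagePath=%SystemRoot%\\PSEXESVC.exe
2017-12-20T01:06:10 DB02 7045 ServiceName=PSEXESVC ImagePath=%SystemRoot%\\PSEXESVC.exe
2017-12-20T08:00:00 WS07 4624 LogonType=10 User=alice SrcIP=10.8.0.15
2017-12-20T09:30:00 WS07 7045 ServiceName=Spooler ImagePath=C:\\Windows\\System32\\spoolsv.exe
"""
VPN_PREFIX = "10.8.0."          # assumed address range RDP users should come from
WINDOW = timedelta(minutes=30)  # how long after an external logon a PsExec install is linked

LINE_RE = re.compile(r"^(\S+) (\S+) (\d+) (.*)$")

def parse_events(text):
    """Parse the constructed log format into (time, host, event_id, fields)."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, host, eid, rest = m.groups()
        fields = dict(kv.split("=", 1) for kv in rest.split())
        events.append((datetime.fromisoformat(ts), host, int(eid), fields))
    return events

def find_suspicious(text):
    """Return (host, description) alerts in log order."""
    events = parse_events(text)
    # 4624 with LogonType 10 is a RemoteInteractive (RDP) logon
    ext_rdp = [(ts, h, f) for ts, h, e, f in events
               if e == 4624 and f.get("LogonType") == "10"
               and not f.get("SrcIP", "").startswith(VPN_PREFIX)]
    alerts = [(h, f"RDP logon as {f['User']} from non-VPN address {f['SrcIP']}")
              for _, h, f in ext_rdp]
    for ts, h, e, f in events:
        # 7045: a new service was installed; PSEXESVC is PsExec's service name
        if e == 7045 and f.get("ServiceName", "").upper() == "PSEXESVC":
            linked = any(timedelta(0) <= ts - r[0] <= WINDOW for r in ext_rdp)
            tag = "after external RDP logon" if linked else "no recent external RDP logon"
            alerts.append((h, f"PsExec service installed ({tag})"))
    return alerts

if __name__ == "__main__":
    for host, msg in find_suspicious(SAMPLE_LOG):
        print(host, msg)
```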

A simple Shodan search reveals 1.7 million devices with port 3389 exposed.


The use of PsExec is evident in the source code below, which specifically looks for the PsExec.exe and skips it from being encrypted.

Image from BleepingComputer: Finding Files to Encrypt Source Code

As previously stated, when the attacker executes the ransomware they will provide the encryption key as a command line argument. This key is then used to encrypt files that match the following extensions with AES-256 encryption.

.001, .3fr, .3gp, .7z, .ARC, .DOT, .MYD, .MYI, .NEF, .PAQ, .SQLITE3, .SQLITEDB, .accdb, .aes, .ai, .apk, .arch00, .arw, .asc, .asf, .asm, .asp, .asset,
 .avi, .bar, .bay, .bc6, .bc7, .big, .bik, .biz, .bkf, .bkp, .blob, .bmp, .brd, .bsa, .cas, .cdr, .cer, .cfr, .cgm, .class, .cmd, .cpp, .cr2, .crt, .crw,
 .csr, .css, .csv, .d3dbsp, .das, .dazip, .db0, .dbf, .dbfv, .dch, .dcr, .der, .desc, .dif, .dip, .djv, .djvu, .dmp, .dng, .doc, .docb, .docm, .docx, .dotm,
 .dotx, .dwg, .dxg, .epk, .eps, .erf, .esm, .exe, .ff, .fla, .flv, .forge, .fos, .fpk, .frm, .fsh, .gdb, .gho, .gpg, .hkdb, .hkx, .hplg, .htm, .html,
 .hvpl, .hwp, .ibank, .ibd, .icxs, .indd, .itdb, .itl, .itm, .iwd, .iwi, .jar, .java, .jpeg, .jpg, .js, .kdb, .kdc, .key, .kf, .lay, .lay6, .layout,
 .lbf, .ldf, .litemod, .log, .lrf, .ltx, .lvl, .m2, .m3u, .m4a, .map, .max, .mcgame, .mcmeta, .mdb, .mdbackup, .mddata, .mdf, .mef, .menu, .mid, .mkv,
 .mlx, .mml, .mov, .mp3, .mpeg, .mpg, .mpqge, .mrwref, .ms11 (Security copy), .ncf, .nrw, .ntl, .ocx, .odb, .odc, .odm, .odp, .ods, .odt, .orf, .otg,
 .ots, .ott, .p12, .p7b, .p7c, .pak, .pas, .pdd, .pdf, .pef, .pem, .pfx, .php, .pkpass, .pl, .png, .ppam, .ppsm, .ppsx, .ppt, .pptm, .pptx, .psd, .psk,
 .pst, .ptx, .py, .qcow2, .qdf, .qic, .r3d, .raf, .rar, .raw, .rb, .re4, .rgss3a, .rim, .rofl, .rtf, .rw2, .rwl, .sav, .sb, .sc2save, .sch, .sid, .sidd,
 .sidn, .sie, .sis, .sldm, .sldx, .slk, .slm, .snx, .sql, .sr2, .srf, .srt, .srw, .stc, .stw, .sum, .svg, .swf, .sxc, .sxm, .sxw, .syncdb, .t12, .t13,
 .tar, .tar.bz2, .tar.gz, .tax, .tbk, .tgz, .tif, .tiff, .tor, .txt, .unity3d, .uot, .upk, .upx, .vbs, .vdf, .vdi, .vfs0, .vmdk, .vmx, .vob, .vpk,
 .vpp_pc, .vtf, .w3x, .wav, .wb2, .wma, .wmo, .wmv, .wotreplay, .wpd, .wps, .x3f, .xf, .xlc, .xlk, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xlw, .xml,
 .xxx, .zip, .ztmp, wallet.dat

When the ransomware encrypts a file it will append the .GOTYA extension on the encrypted file’s name. For example, the file test.jpg would be encrypted and renamed to test.jpg.GOTYA.

Unlike most ransomware, which also encrypts the file names, this makes it easier to find out which files were encrypted and whether you have a backup for each of them.

While encrypting a computer, the ransomware will create a ransom note named RECOVERY.txt in each folder in which a file was encrypted. This ransom note contains a bitcoin address, a victim ID, payment instructions, and an email address that the victim can use to contact the ransomware developer. That email address is m4zn0v@keemail.me. Currently, the ransom demands are $700 in BTC for one machine or $5,000 in BTC for all the infected computers on the network, which, if a company decides to pay the ransom, can actually save money. In May this year, there were a lot of news stories about companies stockpiling bitcoins in anticipation of ransomware.
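Because HC7 keeps the original name and only appends .GOTYA, triage after an incident can be scripted: recover original names from the suffix, record which folders received a RECOVERY.txt note, and compare the originals against a backup manifest. This is an added helper, not code from the article; the directory layout and the backup name set are constructed.

```python
"""Added triage helper for a share hit by HC7: map *.GOTYA files back to their
original names, list folders containing RECOVERY.txt, and report originals
missing from a backup set. Sample tree and backup manifest are constructed."""
import os
import tempfile

ENC_EXT = ".GOTYA"         # suffix the article says HC7 appends
NOTE_NAME = "RECOVERY.txt" # ransom note name from the article

def triage(root, backup_names):
    """Return (originals, folders_with_note, missing_from_backup), all sorted
    and using forward slashes relative to root."""
    originals, noted = [], []
    for dirpath, _, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        if NOTE_NAME in files:
            noted.append(rel_dir)
        for name in files:
            if name.endswith(ENC_EXT):
                orig = name[:-len(ENC_EXT)]   # test.jpg.GOTYA -> test.jpg
                originals.append(f"{rel_dir}/{orig}")
    missing = sorted(o for o in originals if os.path.basename(o) not in backup_names)
    return sorted(originals), sorted(noted), missing

def build_sample_tree():
    """Constructed layout: two folders with notes, PsExec.exe left untouched."""
    root = tempfile.mkdtemp()
    for rel in ["docs/test.jpg.GOTYA", "docs/q4.xlsx.GOTYA", "docs/RECOVERY.txt",
                "tools/PsExec.exe", "tools/notes.txt.GOTYA", "tools/RECOVERY.txt"]:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("x")
    return root

if __name__ == "__main__":
    originals, noted, missing = triage(build_sample_tree(), {"test.jpg", "notes.txt"})
    print("encrypted:", originals)
    print("notes in:", noted)
    print("no backup:", missing)
```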

In May 2017, 1 BTC was roughly USD 2,000. Today, at the time of writing, it is USD 17,651, so if a company is to pay 5,000 in BTC today, it would actually save money. Not that we recommend paying the ransom, but it is a little more economical today.

How to protect yourself from HC7 Ransomware

As the attackers are targeting remote desktop servers, it is important that all servers are behind a firewall and cannot be connected to unless the user is using a VPN. If you leave a remote desktop server directly connected to the Internet, it will be hacked at some point or another.

While good AV software and good computing habits are important for the well-being of any computer, as this infection is manually installed by the attacker, it is more important to get your computers out of their reach.

Indicators of Compromise

Category          Type       Value
Payload delivery  sha256     81a0ecf7ebec8f86d8042e3a3dbd756f6b8992c6cf3b4f94a9026d0192153b85
Payload delivery  filename   RECOVERY.txt
Payload delivery  email-src  m4zn0v@keemail.me
Payload delivery  sha1       ec2ddc2f992945715666d0d039baf07bca4c5753
Payload delivery  md5        d7a8a80c8c30378a5f460989e0f50dc3

References

  • https://www.bleepingcomputer.com/news/security/hc7-gotya-ransomware-installed-via-remote-desktop-services-spread-with-psexec/
  • https://www.nbcnews.com/storyline/hacking-of-america/companies-stockpiling-bitcoin-anticipation-ransomware-attacks-n761316
  • https://medium.com/4iqdelvedeep/1-4-billion-clear-text-credentials-discovered-in-a-single-database-3131d0a1ae14
  • https://www.shodan.io/search?query=port%3A3389
  • https://www.cyber.nj.gov/threat-profiles/ransomware-variants/hc7
  • https://live.paloaltonetworks.com/t5/Featured-Articles/Best-Practices-for-Ransomware-Prevention/ta-p/74148