You're working from home? Then they are coming for you
Wednesday, July 8, 2020
People who use other anti-viruses can contact our technical support too (however, services like data decryption are only available to them on a paid basis). Interestingly, they often don't even indicate that they’re using a different anti-virus. This is the sort of scenario we’ll see:
My computer got infected about a week ago. I never turn it off. After finishing up with my work, I went to bed. It was the next day that I discovered the PC was turned off. I powered it on and saw a ransom demand on the screen (file attached). All the desktop shortcut icons had vanished, and I wasn't able to start any of the programs. Please help me recover my files.
Naturally, in situations like this we request additional information. We send users our special utility to collect it, since finding out by other means which anti-virus version is installed on a user's computer is more time-consuming.
First, the compromised machine must be disconnected from the network.
If the computer is off, back up the data from this machine before powering it on again.
To determine how your data has been encrypted, we need additional information from the PC on which the encryption ransomware was launched.
- Please download the utility dwsysinfo.exe (…/dwsysinfo.exe), run it on the infected PC to generate a report, and attach the report to your next message.
- Press Win+R and in the Run dialogue execute this command:
cmd /c dir c:\ /a/s > "%userprofile%\dirc.log"
The command output (a list of all the files on the system drive) will be written to "%userprofile%\dirc.log". Please send us this file.
And then we get this clarification:
Please note that the system is protected by AVAST, not Dr.Web.
But that's beside the point. How did the system get infected?
This ransomware species is often deployed on target machines by mounting a brute-force attack and cracking a user account password to gain unauthorised RDP access to the system (or establish a terminal session).
It's the same old story: weak passwords and remote access left enabled (note that Windows has this option enabled by default).
And now for an important note. With many people working remotely at this time, companies are granting their employees remote access to their infrastructures, and system administrators are configuring their PCs remotely. This is normal procedure, but with so many employees working from home, the number of computers using remote access has increased manifold. And then it began: statistics indicate an upsurge in the number of brute-force attacks over RDP. Notably, these are not targeted attacks; intruders are simply trying their luck with every address they can reach.
If we consider only servers, which are supposedly in the care of IT professionals, this picture emerges:
In the very first week after people had switched to working remotely, the number of vulnerable servers in Russia increased by 15% and reached 75,000. The number worldwide increased by more than 20%.
And here’s what’s happening with PCs:
In Russia, the number of Windows PCs that are vulnerable to attacks targeting open RDP ports has increased by 230%.
As the number of open ports has grown, so has the number of attacks. The number of attempts being made to crack RDP account passwords has increased from 3-5 to 9-12. Furthermore, the duration of each attack has increased from two hours to three.
The Anti-virus Times recommends
How to protect systems against attacks on RDP ports:
- If you do not use remote access features, disable them by closing the respective port (3389).
- Set a strong password (at least 8 characters long and with lower- and uppercase characters as well as digits and symbols).
- Block the user accounts you don't need and ensure that a remote connection can only be established from specific addresses.
- Make sure that you have installed all operating system updates.
If you access a corporate infrastructure:
- Ensure that Remote Desktop connections can only be established over your corporate VPN tunnel.
- Use the NLA (Network Level Authentication) and two-factor authentication.
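As an added example (not a script from the Dr.Web post), the PowerShell below audits a Windows machine against the recommendations above and then applies the ones that can be set locally: NLA, a TLS security layer, and a firewall scope that lets only the VPN range reach port 3389. The VPN subnet, the 30-day patch threshold and the "never logged on" heuristic for unneeded accounts are assumptions; run it in an elevated session.

```powershell
# Registry locations Windows uses for Remote Desktop settings.
$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

function Get-RdpHardeningReport {
    $findings = @()

    # 1. Is Remote Desktop enabled at all? fDenyTSConnections = 1 means it is disabled.
    $deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    if ($deny -ne 1) { $findings += 'Remote Desktop is enabled; disable it if it is not needed.' }

    # 2. NLA: UserAuthentication = 1 requires authentication before a session is created.
    $nla = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    if ($nla -ne 1) { $findings += 'Network Level Authentication is not required.' }

    # 3. Inbound RDP firewall rules that accept connections from any remote address.
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Enabled True -ErrorAction SilentlyContinue |
        ForEach-Object {
            $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
            if ($addr -contains 'Any') {
                $findings += "Firewall rule '$($_.DisplayName)' allows RDP from any remote address."
            }
        }

    # 4. Heuristic (assumption): enabled local accounts with no recorded logon are likely unneeded.
    Get-LocalUser | Where-Object { $_.Enabled -and -not $_.LastLogon } |
        ForEach-Object { $findings += "Local account '$($_.Name)' is enabled but has never logged on." }

    # 5. Patch staleness: date of the newest installed hotfix (30-day threshold is an assumption).
    $latest = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
    if ($latest -and $latest.InstalledOn -lt (Get-Date).AddDays(-30)) {
        $findings += "Last update installed on $($latest.InstalledOn.ToShortDateString()); check Windows Update."
    }
    return $findings
}

# For a machine that does need RDP: require NLA and TLS, and limit port 3389 to the VPN range.
# $vpnSubnet is a placeholder; replace it with your corporate VPN address range.
function Set-RdpHardening {
    param([string]$vpnSubnet = '10.8.0.0/24')
    Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1   # require NLA
    Set-ItemProperty -Path $rdpKey -Name SecurityLayer -Value 2        # TLS security layer
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
        Set-NetFirewallRule -RemoteAddress $vpnSubnet                   # only the VPN range may reach 3389
}

Get-RdpHardeningReport
```

Review the report first; call Set-RdpHardening only on machines that genuinely need Remote Desktop, and disable it (fDenyTSConnections = 1) on the rest.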