New Ransomware Infection Technique Allows Hackers To Encrypt Individual Files

Computer Ransomware Virus Image

Security specialists discovered a new trend among new ransomware threats where the hackers allow for hand-picked file encryption.

Hand-Picked File Encryption Is A Rising Trend

SpyHunter anti-malware tool will diagnose all current threats on the computer. By purchasing the full version, you will be able to remove all malware threats instantly. Additional information about SpyHunter / Help to uninstall SpyHunter

Computer security researchers discovered a new trend among ransomware creators dubbed as WYSIWYE encryption which stands for What You See Is What You Encrypt. Unlike most other malware during the infection phase a radical new change has been imposed. Instead of the usual user data encryption by reading from a predefined list of user file type extensions, the generated ransomware strains can be customized to target specific files. The specialists detected several different iterations which appear to have been programmed using a “builder” application which is able to create the individual ransomware versions using an easy to use graphical user interface. Such malware can have a devastating effect upon the targets. Some of the consequences include the following:

  • The new ransomware iterations can be used to create efficient and personalized ransomware which can be used to infiltrate specific networks and even individual hosts.

  • The use of easy-to-use GUI builder toolkits can lead to a large proliferation of ransomware attacks.

  • The hackers can hand-pick the affected hosts and choose exactly which files to delete and also execute various functions associated with the main malware such as various forms of stealth protection and extra features.

So far the detected samples are very small in number and the analysts cannot determine if they are being made by a single individual or a hacker collective. At the moment it is presumed that some of the primary targets are corporate networks. According to the initial security analysis the following attack scenario has been used in their attack campaign:

  1. The attackers have used the RDP (Remote Desktop Protocol) to initiate a brute force attack against the target hosts. In many cases the default configuration of the operating systems allow for such connections.

  2. Upon successful intrusion the ransomware strain is deployed. Depending on the configuration it can start the encryption engine automatically and target the individual files.

  3. Some of the ransomware variants include a network worm capability which can attempt to infiltrate other hosts available on the internal network.

A rudimentary builder was discovered which can create such strains using only a few mouse clicks and options. The toolkit can be customized by filling out the following fields and check boxes:

  • Contact Email – Customizes the contact email address supplied in the ransomware note.

  • Worker ID – Individual ID.

  • HID – Unique assigned Hardware ID.

  • Encryption Mode – The following modes are available: Encrypt folders with subfolders, Encrypt all, Autodelete after encrypt, NOD mode.

  • File Extension Options – Here the hackers can opt to specify file type extensions which should be skipped by the encryption engine.

  • Folders List – Specifies specific folders or mount points where the victim files can be found.

  • Network Computers List – Allows the hackers to specify available network hosts which can be targeted as well.

The ongoing attack campaign gives a clear sign that the remote attackers are trying to bypass active security measures on corporate networks by attempting to create new infection strategies. There are several key factors that are associated with the malware:

  1. The hackers use the RDP protocol as entry point as the ports and services available for remote desktop sessions are whitelisted by the company’s firewalls and other security measures. At the same time there is a real possibility of running outdated software servers which can be exploited using manual or automated vulnerability testing.

  2. The fact that the ransomware builders have so many customization options reveals that the generated strains can be used against predefined targets. Detailed information about the internal network and exact sensitive data locations can be acquired via the underground black markets.

  3. Updates to the builder toolkit can introduce advanced features such as stealth protection ,persistence, screenlocker installation and advanced system modification.

A limited number of attacks have been reported that target companies located in Belgium, Germany, Sweden and Spain. Security administrators can protect their systems by creating security rules that allow a remote desktop connection only after a successful two-factor authentication with the network. This would prevent protocol abuse by malicious parties. In addition a good rule would be to change the default RDP port (3389) to a more obscure one and block all connections to the most commonly used ones. All malware (including ransomware) can be prevented by running a quality anti-spyware solution that can both remove existing infections and protect the hosts against possible hacks.

SpyHunter anti-malware tool will diagnose all current threats on the computer. By purchasing the full version, you will be able to remove all malware threats instantly. Additional information about SpyHunter / Help to uninstall SpyHunter

Was this content helpful?

Author : Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.


Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *