A new type of ransomware dubbed WYSIWYE (What You See Is What You Encrypt) has been detected by researchers at PandaLabs.
As explained in a post on the firm’s website, the standard technique cyber-crooks employ with ransomware is to gain access to a computer and then simply execute the malware automatically, so that it starts encrypting and ultimately displays the ransom message.
However, in an analysis of a recent intrusion, PandaLabs discovered a more personalized type of malware generator which allows attackers “the chance to customize the malware using a user-friendly interface prior to launching it. Making it even easier for those with little technical knowledge to target companies.”
With this customized attack, PandaLabs adds, it’s possible to hand-pick the network computers whose information the attacker would like to encrypt, choose files, self-delete upon completing the encryption, enter stealth mode, etc.
“Usually ransomware has its own configuration; it only has to be executed and it will work in the same way everywhere,” Luis Corrons, PandaLabs technical director, Panda Security, told Infosecurity. “This one is designed for more custom attacks, mainly in corporate networks. In all cases we have studied (talking about this particular attack), attackers are gaining access to the different corporate networks after a brute-force attack against the remote desktop connection. Then they manually drop the ransomware, run it and can configure it in different ways depending on each victim, carefully picking what they want to encrypt.”
According to Corrons, this shows how cyber-criminals are evolving and changing their methods of attack: “Of course we still see the typical automated/unattended attacks; however, the number of hacking attacks on corporate networks is noticeable, where cyber-criminals are fighting in real time against the defenses in place, bypassing them one by one and changing strategies and adapting every time they are blocked.”
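The intrusion chain Corrons describes (an RDP brute-force followed by a successful interactive logon, after which the operator drops and configures the ransomware by hand) leaves a recognizable trace in the Windows Security log: a burst of failed logons (event 4625) from one source address, then a successful RemoteInteractive logon (event 4624, logon type 10) from the same address. The following detection logic is an added example, not code from the article or from PandaLabs; the input format is an assumed simplified export (timestamp, event ID, logon type, account, source IP per line), and the sample events are constructed here.

```python
"""Flag a successful RDP logon preceded by a brute-force burst from the same source.

Added example, not from the original article or PandaLabs. Input format is an
assumed simplified export: one event per line, comma-separated fields
timestamp,event_id,logon_type,account,source_ip. In real Windows Security
events these values live in EventData (IpAddress, LogonType, TargetUserName).
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = 4625
SUCCESS_LOGON = 4624
RDP_LOGON_TYPE = 10          # RemoteInteractive (RDP)
# With Network Level Authentication enabled, failed RDP attempts are commonly
# recorded as logon type 3 (Network) rather than 10, so both are counted.
RDP_FAILURE_TYPES = {3, RDP_LOGON_TYPE}


def _make_sample():
    """Constructed sample log: 25 failures in ~2 minutes, then a success."""
    lines = []
    start = datetime(2017, 4, 10, 2, 14, 0)
    for i in range(25):
        t = start + timedelta(seconds=5 * i)
        lines.append(f"{t.isoformat()},4625,3,administrator,203.0.113.45")
    t = start + timedelta(seconds=130)
    lines.append(f"{t.isoformat()},4624,10,administrator,203.0.113.45")
    # Noise: two failures from another address, never followed by a success.
    lines.append("2017-04-10T02:30:00,4625,3,jsmith,198.51.100.7")
    lines.append("2017-04-10T02:31:00,4625,3,jsmith,198.51.100.7")
    # A legitimate RDP logon with no preceding failures.
    lines.append("2017-04-10T03:00:00,4624,10,backup-svc,10.0.0.12")
    return "\n".join(lines)


SAMPLE_EVENTS = _make_sample()


def parse_events(text):
    """Parse the simplified export into dicts, sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, eid, ltype, account, ip = line.split(",")
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": int(eid),
            "logon_type": int(ltype),
            "account": account,
            "source_ip": ip,
        })
    events.sort(key=lambda e: e["time"])
    return events


def detect_rdp_bruteforce(events, threshold=20, window=timedelta(minutes=5)):
    """Return one alert per successful RDP logon that was preceded, within
    `window`, by at least `threshold` failed logons from the same source IP."""
    recent_failures = defaultdict(deque)   # source_ip -> failure timestamps
    alerts = []
    for e in events:
        q = recent_failures[e["source_ip"]]
        # Expire failures that fell out of the sliding window.
        while q and e["time"] - q[0] > window:
            q.popleft()
        if e["event_id"] == FAILED_LOGON and e["logon_type"] in RDP_FAILURE_TYPES:
            q.append(e["time"])
        elif (e["event_id"] == SUCCESS_LOGON
              and e["logon_type"] == RDP_LOGON_TYPE
              and len(q) >= threshold):
            alerts.append({
                "source_ip": e["source_ip"],
                "account": e["account"],
                "failures_in_window": len(q),
                "first_failure": q[0],
                "success_time": e["time"],
            })
            q.clear()
    return alerts


if __name__ == "__main__":
    for a in detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS)):
        print(f"ALERT {a['source_ip']} -> {a['account']}: "
              f"{a['failures_in_window']} failed logons since {a['first_failure']}, "
              f"RDP success at {a['success_time']}")
```

The success event is the trigger rather than the failure count alone, because a brute-force that never succeeds is noise, whereas a success after a burst is the point at which the hands-on-keyboard phase Corrons describes begins and a responder needs to look at what that session did next. Threshold and window are assumptions and should be tuned to the environment.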
For users looking to protect themselves and avoid falling victim to this new attack technique, Corrons had the following advice:
• For all these attacks through RDP, never have remote desktop connections open to the internet in your corporate network. If it is needed, you can set up a VPN so users first have to access the internal network and afterwards they can use the remote desktop.
• Always change the default port (TCP 3389), and block all connections to this port in the corporate firewall.