Monday, July 16, 2012
If you have allowed the Remote Desktop protocol direct access through your firewall (port 3389), and you have an answering RDP server behind it, you may soon be compromised with a very nasty ransomware takeover that encrypts your data files.
Picked up two new clients this week; both were attacked and taken over by a remote entity. Both lost substantial company data. One was saved by a rotating backup -- they were able to restore from that after the hack was shut down. The other did not have an offsite backup, and they lost data that we will never recover.
The hacker did the following:
1) Installed a process that encrypted all docs, PDFs, JPGs and several other file types into encrypted RAR archives, then securely deleted the originals. The encrypted files look like:
yourfilename.txt(!! to decrypt email id 0000000 to email@example.com !!).exe
2) Installed a Group Policy script that enabled the Guest account, set an unknown password on it, and gave it carte blanche access to all administrative roles, including RDP. That script was set to run on any user's login, so disabling the Guest account would only hold until the next time the admin logged in.
3) Locked the login screen for all users on the server with a ransomware scare-tactic screen claiming to be from the FBI. The ransom was listed at $1,000. Judging from a few forum posts on the topic, paying the ransom does not guarantee recovery of the lost data. This criminal is laughing all the way to the bank with the victims' money and not actually delivering their locked data.
4) Uninstalled anti-virus products.
5) Deleted any backups that were connected to the server via USB or LAN. Also deleted any online backups through the backup service's application (Carbonite in this case).
6) Disabled the F8 startup key to prevent booting into safe mode.
7) Turned off Shadow Copies on all shares and deleted the historical stored revisions of files.
8) Several other configuration settings were damaged to make the system more vulnerable to future attacks.
None of this was flagged by anti-virus protection because, guess what? It looked like a virus but was not: it appears to have been a direct hack of the system by an outside person or persons.
If you need remote desktop access, reduce your risk:
- use a secure VPN connection to get to your LAN from the outside
- make sure your security policy includes strong passwords
- change the name of the default Administrator account
- check group policy and set the system to lock out an account after 3 failed password attempts for a minimum of 15 minutes (longer is better if your user base can stand it)
- confirm that the MS12-020 server patch was installed successfully earlier this year.
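As an added example (not part of the original post), the following read-only PowerShell audit checks a server for the changes described in items 2 and 7 above and for the mitigations just listed, plus one extra RDP check (Network Level Authentication) that the post does not mention. It assumes an elevated PowerShell prompt on the server itself, English-language output from `net accounts`, and that KB2621440 is the MS12-020 update for your Windows edition; the local GPO script folders it inspects are an assumption about where such a persistence script would sit.

```powershell
# Added example, not from the original post: read-only audit of the settings the
# write-up says were changed and of the mitigations it lists. Changes nothing.
function Test-RdpHardening {
    $findings = @()
    # Item 2: is Guest enabled, and was it added to privileged local groups?
    $guest = [ADSI]'WinNT://./Guest,user'
    if (($guest.UserFlags.Value -band 0x2) -eq 0) {   # 0x2 = ADS_UF_ACCOUNTDISABLE
        $findings += 'Guest account is ENABLED'
    }
    foreach ($groupName in 'Administrators', 'Remote Desktop Users') {
        $group   = [ADSI]"WinNT://./$groupName,group"
        $members = @($group.Invoke('Members') | ForEach-Object {
            $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) })
        if ($members -contains 'Guest') { $findings += "Guest is a member of $groupName" }
    }
    # Item 2: local GPO logon/startup script folders are one place a persistence
    # script like the one described would live (domain GPOs need a separate check).
    $scriptDirs = "$env:windir\System32\GroupPolicy\User\Scripts\Logon",
                  "$env:windir\System32\GroupPolicy\Machine\Scripts\Startup"
    foreach ($dir in $scriptDirs) {
        Get-ChildItem $dir -ErrorAction SilentlyContinue | Where-Object { -not $_.PSIsContainer } |
            ForEach-Object { $findings += "Local GPO script present, review it: $($_.FullName)" }
    }
    # Item 7: have the Volume Shadow Copies been deleted?
    if (-not (vssadmin list shadows 2>$null | Select-String 'Shadow Copy ID')) {
        $findings += 'No Volume Shadow Copies exist on this server'
    }
    # Mitigation: built-in Administrator (RID 500) renamed?
    $admin = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True AND SID LIKE '%-500'"
    if ($admin.Name -eq 'Administrator') { $findings += 'Built-in Administrator still has its default name' }
    # Mitigation: lockout after 3 failed attempts for at least 15 minutes
    # (parses the English output of 'net accounts').
    $acct      = net accounts
    $threshold = ($acct | Select-String 'Lockout threshold').ToString().Split(':')[1].Trim()
    $duration  = ($acct | Select-String 'Lockout duration').ToString().Split(':')[1].Trim()
    if ($threshold -eq 'Never' -or [int]$threshold -gt 3) { $findings += "Lockout threshold is '$threshold' (want 3 or fewer)" }
    if ($duration -ne 'Never' -and [int]$duration -lt 15) { $findings += "Lockout duration is $duration min (want 15 or more)" }
    # Mitigation: MS12-020 present? KB2621440 is its update on most editions; confirm for yours.
    if (-not (Get-HotFix -Id KB2621440 -ErrorAction SilentlyContinue)) { $findings += 'MS12-020 (KB2621440) is not installed' }
    # Extra check: the RDP listener should require Network Level Authentication.
    $rdp = Get-WmiObject -Namespace root\cimv2\TerminalServices -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    if ($rdp.UserAuthenticationRequired -ne 1) { $findings += 'RDP listener does not require Network Level Authentication' }
    return $findings
}
Test-RdpHardening | ForEach-Object { Write-Warning $_ }
```

An empty result means none of the listed conditions was found; any warning printed is a setting to review before exposing the server again.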
More info here: http://www.bleepingcomputer.com/forums/topic449398.html/