Brazilian cybercriminals are expanding their tactics and have recently adopted ransomware as a new means of attack, Kaspersky Lab reveals.

Security researchers from the Moscow-based security firm have analyzed a new variant of the Brazilian-made ransomware “Xpan” Trojan (Trojan-Ransom.Win32.Xpan). The malware has been used by the “TeamXRat” group, also identified as “CorporacaoXRat” (the Portuguese equivalent of “CorporationXRat”) to target local companies and hospitals. The ransomware’s signature is extension “.___xratteamLucked,” which is appended to encrypted files.

While Xpan isn’t the first ransomware to come out of Brazil – TorLocker and HiddenTear copycats were seen in local attacks – it packs code improvements that reveal increased interest in this type of malware. The threat is developed by an organized gang that uses targeted attacks via Remote Desktop Protocol (RDP) to infect systems, Kaspersky says.

When executed, the ransomware checks the system’s default language, sets a registry key, obtains the computer name from the registry, and deletes any Proxy settings defined in the system. During execution, Xpan logs all actions to the console, but clears it when the process is completed. It then informs victims that their files were encrypted using a RSA 2048-bit encryption.

Unlike the previous ransomware used by the TeamXRat group, Xpan doesn’t use persistence, has switched from Tiny Encryption Algorithm to AES-256, and encrypts all files on the system, except for .exe and .dll files, and those that include blacklisted substrings in the path. The malware, Kaspersky says, uses the implementation of cryptographic algorithms provided by MS CryptoAPI.

The security researchers have identified two versions of the Trojan, based on their extensions and the different encryption techniques. The first version uses the “___xratteamLucked” (3 ‘_’ symbols) extension and generates a single 255-symbol password for all files, while the second one uses the “____xratteamLucked” (4 ‘_’ symbols) extension and generates a new 255-symbol password for each file.

Before encryption, the ransomware attempts to stop popular database services, and deletes itself when the process has been completed. After encryption, the Trojan modifies the registry so that, when the victim double-clicks on a file with the extension “.____xratteamLucked,” the ransom note is displayed using msg.exe (a standard Windows utility).

The TeamXRat attacks are performed manually by hacking servers via RDP brute force and installing the ransomware on them. After gaining  access to a server, the attackers disable the installed anti-virus product and begin installing their malware.

“Connecting remote desktop servers directly to the Internet is not recommended and brute forcing them is nothing new; but without the proper controls in place to prevent or at least detect and respond to compromised machines, brute force RDP attacks are still relevant and something that cybercriminals enjoy,” Kaspersky researchers explain.

RDP vulnerabilities are also exploited for remote code execution when an attacker sends a specially crafted sequence of packets to a targeted system. Servers that haven’t been patched are extremely valuable to cybercriminals, as the reports on the xDedic server marketplace revealed.

“Not surprisingly, Brazil was the country with the most compromised servers being offered in the underground market to any cybercriminal,” Kaspersky notes.

The good news when it comes to the Xpan ransomware is that Kaspersky managed to break the malware’s encryption, allowing for free file decryption. In fact, the researchers already helped a hospital in Brazil to recover from an Xpan attack. The security researchers expect new ransomware variants to come from the same threat actor.

Source: Security Week