Malware News Brazilian Hospitals Infected with Ransomware After RDP Brute-Force Attacks

Exterminator
Members of TeamXRat, a hacking crew based in Brazil, have created their own ransomware variant that they spread to local companies and hospitals after taking control over their servers and networks via RDP (Remote Desktop Protocol) brute-force attacks.

The group, which has previously created and sold banking malware, is making its first attempt at creating ransomware, which, based on a Kaspersky Lab analysis, seems to be derived from the Xorist ransomware, detected and decrypted back in March.

Researchers say the ransomware is crude, since it doesn't work with a Tor-based payment site, asks users to contact the crooks via email, and needs manual installation.

TeamXRat hacks into servers via unprotected RDP services
To achieve a position from where they can install their malware, the crooks carry out brute-force attacks against Internet-exposed RDP servers found at Brazilian companies and state institutions.

RDP is a protocol often employed at larger companies to allow sysadmins to log in and manage remote workstations. Most of the time, these servers are exposed to the Internet, not only the company's intranet, and sometimes use weak, easy-to-break passwords.

Kaspersky says it was alerted to the existence of this new ransomware variant after an unnamed Brazilian hospital asked the company for help in unlocking its files.

Xpan ransomware can be decrypted
The ransomware, which is detected as Trojan-Ransom.Win32.Xpan, uses dual AES-256 CBC and RSA-2048 encryption to lock files, but Kaspersky said it identified weaknesses in its encryption that allowed its staff to create a decrypter. Victims who need this decrypter should contact Kaspersky via their support section.

The rest of Xpan's behavior is similar to most other ransomware variants. Xpan locks the user's files, changes his wallpaper, asks for 1 Bitcoin (~$600) ransom, and adds a registry key that opens a custom ransom note every time the user tries to open an encrypted file.

Xpan victims can detect an infection based on the custom file extension the ransomware appends to all locked files: .____xratteamLucked.

TeamXRat is not the first Brazilian-based crew to try its hand at ransomware. In the past, security firms have detected TorLocker and numerous ransomware families based on the Hidden Tear open source ransomware starter kit. The Brazilian malware scene is generally known for boleto spam and a flourishing banking trojan scene.

When in June Kaspersky revealed the existence of xDedic, a marketplace for selling compromised servers, Brazil was the country with the most hacked RDP servers.
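The two observables the article gives a defender are the RDP password-guessing that precedes the infection and the .____xratteamLucked extension left on encrypted files. Below is an added detection example (not code from the article, Kaspersky, or TeamXRat) that runs over constructed Windows Security log lines: it raises an alert when one source address accumulates a threshold of failed RemoteInteractive logons (Event ID 4625, LogonType 10) inside a sliding window, upgrades the alert if a successful RDP logon (4624) from that source follows, and separately checks file names for the Xpan extension. The key=value line format, the threshold, the window and the IP addresses are assumptions made for the example; the event IDs and logon type are the standard Windows values.

```python
"""Detect RDP password guessing and the Xpan file-extension indicator.
Added example; log lines, addresses and account names are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed, simplified Security log lines (one event per line, key=value fields).
# EventID 4625 = logon failure, 4624 = successful logon, LogonType 10 = RemoteInteractive (RDP).
SAMPLE_LOG = """\
2016-09-26T02:00:01 EventID=4625 LogonType=10 IpAddress=198.51.100.7 TargetUserName=administrator
2016-09-26T02:00:03 EventID=4625 LogonType=10 IpAddress=198.51.100.7 TargetUserName=admin
2016-09-26T02:00:05 EventID=4625 LogonType=10 IpAddress=198.51.100.7 TargetUserName=backup
2016-09-26T02:00:08 EventID=4625 LogonType=10 IpAddress=198.51.100.7 TargetUserName=administrator
2016-09-26T02:00:11 EventID=4625 LogonType=10 IpAddress=198.51.100.7 TargetUserName=administrator
2016-09-26T02:00:14 EventID=4625 LogonType=10 IpAddress=198.51.100.7 TargetUserName=scanner
2016-09-26T02:00:20 EventID=4624 LogonType=10 IpAddress=198.51.100.7 TargetUserName=administrator
2016-09-26T02:05:00 EventID=4625 LogonType=10 IpAddress=10.0.0.12 TargetUserName=jsmith
2016-09-26T02:40:00 EventID=4625 LogonType=10 IpAddress=10.0.0.12 TargetUserName=jsmith
2016-09-26T03:00:00 EventID=4625 LogonType=3 IpAddress=10.0.0.30 TargetUserName=svc
"""

# Extension Xpan appends to every encrypted file, as reported in the article.
XPAN_EXTENSION = ".____xratteamLucked"


def parse_line(line):
    """Turn one constructed log line into a dict; numeric fields become ints."""
    ts, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts)}
    for field in fields:
        key, value = field.split("=", 1)
        rec[key] = int(value) if value.isdigit() else value
    return rec


def detect_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: {"failures", "accounts", "success_after"}} for every source
    that produced at least `threshold` failed RDP logons inside `window`.
    `success_after` is set when a later RDP logon from that source succeeds,
    which is the point at which the article's attackers gain a foothold."""
    recent = defaultdict(deque)      # ip -> timestamps of failures still in the window
    total_failures = defaultdict(int)
    accounts = defaultdict(set)      # ip -> account names tried
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev.get("LogonType") != 10:    # only RemoteInteractive (RDP) logons matter here
            continue
        ip = ev["IpAddress"]
        if ev["EventID"] == 4625:
            total_failures[ip] += 1
            accounts[ip].add(ev["TargetUserName"])
            q = recent[ip]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:   # slide the window forward
                q.popleft()
            if len(q) >= threshold:
                alerts[ip] = {
                    "failures": total_failures[ip],
                    "accounts": set(accounts[ip]),
                    "success_after": alerts.get(ip, {}).get("success_after", False),
                }
        elif ev["EventID"] == 4624 and ip in alerts:
            alerts[ip]["success_after"] = True
    return alerts


def is_xpan_indicator(filename):
    """True when a file name carries the extension Xpan appends to locked files."""
    return filename.endswith(XPAN_EXTENSION)


if __name__ == "__main__":
    for ip, info in detect_rdp_bruteforce(SAMPLE_LOG).items():
        state = "SUCCESSFUL LOGON FOLLOWED" if info["success_after"] else "failures only"
        print(f"{ip}: {info['failures']} RDP failures, accounts {sorted(info['accounts'])}, {state}")
    print(is_xpan_indicator(r"C:\data\report.xlsx" + XPAN_EXTENSION))
```

Two slow failures from 10.0.0.12 half an hour apart stay below the threshold, so the alert lists only 198.51.100.7, with the successful logon that followed its guessing run flagged; the non-RDP failure from 10.0.0.30 is ignored. On a real host the same logic would read Event IDs 4625 and 4624 from the Security log instead of the constructed text, and the threshold and window would be tuned to the environment.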


LabZero

What happened is serious because many structures: hospitals, companies, etc, are not ready to deal with these situations. Many companies use an approach that is "install and forget" setting up the security systems at the time of the installation, and leaving them unmanaged. The problem is obviously most severe in the health sector, since a malfunction in a hospital can make the difference between life and death.