Apocalypse Ransomware is Manually Installed via Unsecured RDP Connections

Apocalypse ransomware showed up only a couple of months ago, though it’s already making a name for itself with constant updates, improved functionality, and an inability to concoct a proper encryption algorithm.

Unlike other similar tools, this ransomware uses a manual distribution method, which relies on its developers brute-forcing unsecured RDP servers and installing Apocalypse by hand.

Last month, security researchers from Fox-IT warned about an increase in RDP brute-force attacks specifically aimed at installing ransomware. A week after this warning was released, Apocalypse ransomware appeared for the first time.

Before the appearance of Apocalypse, malware experts discovered new versions of the older Bubci ransomware, which was also employing RDP brute-force attacks to spread to corporate networks.

Apocalypse uses a simplistic XOR-based encryption algorithm, which is why Fabian Wosar of Emsisoft was able to crack it at the start of the month. Wosar then offered victims a free decrypter that can unlock files without paying the ransom.
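As an added illustration (not code from the article or from Apocalypse itself, whose exact scheme the page does not describe), the block below shows why a repeating-key XOR scheme is trivially reversible: a few bytes of predictable plaintext, such as a file-format signature, reveal the key, which then restores every file locked with it. The key length, the sample files and the key are constructed assumptions.

```python
# Added example: why "XOR encryption" is not encryption. Not Apocalypse's
# actual code; the key length, key and sample files are constructed.
from itertools import cycle

KEY_LEN = 8  # assumption: key length known (or found by trying small values)

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same function 'encrypts' and 'decrypts'."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

def recover_key(ciphertext: bytes, known_plaintext: bytes, key_len: int) -> bytes:
    """Recover a repeating key from known plaintext at the start of a file.

    XOR is its own inverse: c = p ^ k  =>  k = c ^ p, so any file whose
    first key_len bytes are predictable (magic numbers, fixed headers)
    leaks the entire key.
    """
    if len(known_plaintext) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext")
    return bytes(c ^ p for c, p in zip(ciphertext[:key_len], known_plaintext[:key_len]))

# Constructed samples: a fake PNG (8-byte signature + payload), a second
# unrelated file, and the attacker's key.
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
PNG_FILE = PNG_SIGNATURE + b"IHDR constructed sample payload, not a real image"
DOC_FILE = b"Quarterly report (constructed sample text document)."
SECRET_KEY = b"\x13\x37\xc0\xde\xba\xad\xf0\x0d"  # constructed

def demo() -> tuple[bytes, bytes]:
    """Lock both files, recover the key from the PNG header, restore both."""
    locked_png = xor_bytes(PNG_FILE, SECRET_KEY)   # what the ransomware writes out
    locked_doc = xor_bytes(DOC_FILE, SECRET_KEY)   # same key reused on every file
    key = recover_key(locked_png, PNG_SIGNATURE, KEY_LEN)  # header alone suffices
    # The key from one file unlocks every other file encrypted with it.
    return xor_bytes(locked_png, key), xor_bytes(locked_doc, key)

if __name__ == "__main__":
    png, doc = demo()
    print(png == PNG_FILE and doc == DOC_FILE)  # True: both restored, no ransom paid
```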

The creators of Apocalypse ransomware immediately updated their code and obfuscated it with VMProtect, an application for protecting software against reverse engineering and code cracking. However, Wosar didn’t give up, and released a decrypter for this version as well, called ApocalypseVM.

A week after that, the creators of Apocalypse ransomware released a brand new version, which contained some “kind” words for Emsisoft experts. Despite this, the latest version of the Emsisoft Decrypter for Apocalypse and ApocalypseVM can help infected users recover their files for free.

“Due to the nature of the attack, protection software is rather ineffective. If the attacker manages to get access to the system via remote control, they can simply disable any protection software installed or add the malware to the protection software’s exclusion list,” Emsisoft stated. “It therefore is imperative to prevent the attacker from gaining access to the system to begin with.”

Given all of the above, sysadmins are strongly advised to use strong passwords for their RDP connections or, better yet, to disable the protocol entirely if it is not needed.
