The Brazilian hacking group TeamXRat has decided to try its hand at writing its own ransomware. It is infecting local healthcare institutions and other companies by taking control of their networks and servers through Remote Desktop Protocol (RDP) brute-force attacks.
The crew previously developed and sold banking malware; this is its first attempt at ransomware. According to Kaspersky Lab, the new strain is derived from the Xorist ransomware, which was discovered and cracked in March this year.
The researchers also say the ransomware is rough and not fully developed: it does not use a Tor-based payment site, has to be installed manually on each compromised machine, and asks victims to contact the criminals by email.
The crooks launch brute-force attacks against Internet-exposed RDP servers to gain a foothold from which they can install their malware inside Brazilian companies and state institutions.
Larger firms often rely on RDP so that sysadmins can log in to and manage remote workstations and servers. All too often, however, these RDP endpoints are directly exposed to the Internet and protected only by weak, easily guessed passwords.
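The password guessing described above leaves a very recognizable trace in the Windows Security log: a burst of failed logons (Event ID 4625) from one source address, often cycling through account names, followed by a successful logon (4624) from the same address once a password is found. As an added example (not code from the article or from Kaspersky), the detection logic below runs that check over a handful of constructed log records. The record layout, the threshold of five failures in five minutes, and the sample addresses and account names are all assumptions made for the example.

```python
"""Flag RDP password-guessing bursts in Windows Security log records.

Added example; the event records below are constructed, not real log data.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Logon type 10 is RemoteInteractive (RDP). When Network Level Authentication
# is enabled, failed pre-authentication attempts are commonly logged as type 3
# (Network) instead, so both are counted as RDP-related.
RDP_LOGON_TYPES = {3, 10}
IGNORED_SOURCES = {"-", "127.0.0.1", "::1"}

# Constructed records: (timestamp, EventID, LogonType, TargetUserName, IpAddress).
# 4625 = failed logon, 4624 = successful logon.
SAMPLE_EVENTS = [
    ("2016-09-01T02:00:01", 4625, 10, "Administrator", "203.0.113.7"),
    ("2016-09-01T02:00:03", 4625, 10, "Administrator", "203.0.113.7"),
    ("2016-09-01T02:00:05", 4625, 10, "admin", "203.0.113.7"),
    ("2016-09-01T02:00:08", 4625, 3, "admin", "203.0.113.7"),
    ("2016-09-01T02:00:09", 4625, 3, "backup", "203.0.113.7"),
    ("2016-09-01T02:00:12", 4625, 10, "backup", "203.0.113.7"),
    ("2016-09-01T02:00:30", 4624, 10, "backup", "203.0.113.7"),    # password guessed
    ("2016-09-01T02:10:00", 4625, 10, "jsilva", "198.51.100.22"),  # one mistyped password
    ("2016-09-01T02:10:20", 4624, 10, "jsilva", "198.51.100.22"),
    ("2016-09-01T03:00:00", 4625, 2, "jsilva", "-"),               # console logon, ignored
]


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Sliding-window count of failed RDP logons per source address.

    Returns a dict mapping each source IP that reached `threshold` failures
    inside `window` to a summary: when the burst started, total failures seen
    from that address, the account names tried, and whether a successful
    logon from the same address followed the burst. That last case is the one
    that matters most: it is the signature of a guessed password.
    """
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    tried = defaultdict(set)      # ip -> account names attempted
    alerts = {}

    for ts, event_id, logon_type, user, ip in sorted(events):
        if logon_type not in RDP_LOGON_TYPES or ip in IGNORED_SOURCES:
            continue
        t = datetime.fromisoformat(ts)
        q = recent[ip]
        while q and t - q[0] > window:   # drop failures older than the window
            q.popleft()

        if event_id == 4625:
            q.append(t)
            tried[ip].add(user)
            if ip in alerts:
                alerts[ip]["failures"] += 1
                alerts[ip]["users"].add(user)
            elif len(q) >= threshold:
                alerts[ip] = {
                    "first_seen": q[0],
                    "failures": len(q),
                    "users": set(tried[ip]),
                    "succeeded": False,
                }
        elif event_id == 4624 and ip in alerts:
            # A success after a burst of failures: treat the account as compromised.
            alerts[ip]["succeeded"] = True
            alerts[ip]["users"].add(user)

    return alerts


if __name__ == "__main__":
    for ip, a in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        status = "COMPROMISED" if a["succeeded"] else "attempted"
        print(f"{ip}: {a['failures']} failures since {a['first_seen']:%H:%M:%S}, "
              f"accounts {sorted(a['users'])} -> {status}")
```

On the constructed data only 203.0.113.7 trips the threshold, and it is flagged as compromised because the 4624 for "backup" follows six failures; the single typo from 198.51.100.22 stays below the threshold. Tune the threshold to the environment (service desks legitimately produce a few failures), and remember that detection is the fallback: the fix for this attack is not exposing TCP 3389 to the Internet in the first place, requiring a VPN or gateway in front of it, enforcing an account lockout policy, and retiring the weak passwords the article describes.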
Kaspersky learned of the new ransomware from a Brazilian hospital that asked the company for help recovering its encrypted data.
Detected as Trojan-Ransom.Win32.Xpan (Xpan in this article), the ransomware uses a combination of AES-256 in CBC mode and RSA-2048. Fortunately, Kaspersky found a weakness in the way the encryption was implemented and used it to recover the hospital's files without paying the ransom.
Xpan behaves like any other threat of this kind: it encrypts the victim's files, changes the desktop wallpaper and demands a ransom of 1 Bitcoin (about $600 at the time). It also adds a registry entry so that the ransom note opens every time the user tries to open an encrypted file.
Users should be able to recognize Xpan easily by the extension it appends to encrypted files: “.____xratteamLucked”.
This is not the first time a Brazilian group has tried its hand at ransomware. Security companies have previously detected TorLocker and numerous families built on the Hidden Tear open-source ransomware starter kit.
At present the Brazilian malware market is mostly known for boleto spam and a flourishing banking-Trojan scene. Brazil is also the country with the most hacked RDP servers, and in June Kaspersky uncovered xDedic, a marketplace for buying and selling access to compromised servers.