More bad news for the business community: Aspiring cybercriminals who lack technical expertise can now configure ransomware campaigns—and ultimately launch ransomware attacks—from an easy-to-use interface.The tool is known as WYSIWYE (“What You See Is What You Encrypt”). So far, it’s helped coordinate ransomware attacks in Germany, Belgium, Sweden, and Spain. Most of those campaigns have demanded a minimum of €500 (approximately $534) in ransom from each user successfully infected.
The best way for consumers and businesses to defend against ransomware-spreading tools like WYSIWYE is to focus on ransomware prevention—and be sure to back up your data just in case all else fails.
Ransomware spreads via brute force
WYSIWYE is different from other types of ransomware because it doesn’t spread to users via malicious links or email attachments. Instead, its operators establish a foothold on a computer via an RDP brute forcing attack.
RDP is short for Remote Desktop Protocol. It’s a tool developed by Microsoft that allows administrators and users to access servers and other machines remotely. Organizations with a geographically dispersed workforce often set up RDP servers. This allows each user to sign into a machine with an RDP client and access Windows as if they were using the computer locally.
Attackers don’t usually select specific targets for RDP brute forcing, according to IT security firm Kaspersky Lab. Instead, they scan the open web for RDP servers. When they find one, they make upwards of more than 100,000 sign-on attempts to access the connected computer. All they need is a tool that can fabricate likely password combinations that blend numbers and common dictionary terms. This works because many users fail to choose sophisticated passwords or use sophisticated measures like two-factor authentication. Of course, all these guesses take time, which is why many individuals wait to launch their brute force attacks until after normal working hours.
Once they successfully brute-force the RDP credentials, attackers get to work by deploying their malware of choice. In this case, bad actors load up WYSIWYE, which allows them to set the parameters of a ransomware infection all the way down to the contact email that’s displayed on the ransom note.
Spanish security firm Panda Security explains more in a blog post:
“With this customized attack, it’s possible to hand-pick the network computers whose information the attacker would like to encrypt, choose files, self-delete upon completing the encryption, enter stealth mode, etc.”
The attackers then sit back and wait for the ransom payments to roll in.
Not the first Ransomware-as-a-Service (RaaS)
WYSIWYE is a form of Ransomware-as-a-Service (RaaS), software designed to make it easy to launch ransomware campaigns. RaaS packages, which are sold from one cybercriminal to another, allow criminals with low levels of technical expertise to reap the benefits of computer crime. Concurrently, ransomware authors use RaaS plans to monetize their creations and raise the profiles of their software. It’s a highly lucrative and increasingly competitive field, which might explain why the players sometimes don’t get along.
To defend against WYSIWYE, organizations should protect their RDP servers with additional security measures such as 2FA and create a password that doesn’t contain easily guessable dictionary words. Doing so will help block brute-force attacks. Businesses should also prepare for a ransomware infection by backing up their business-critical data and testing their backups on a regular basis.
For more news and information on the battle against ransomware, visit the FightRansomware.com homepage today.