Researchers have uncovered a new ransomware family that is exploiting poor security credentials in remote desktop services and encrypting files.
Encryption keys used by the new ransomware family cannot be decrypted since they use new key generation, claims security researcher.
‘A new variant of what appears to be BTCWare ransomware is currently targeting victims and appending the .[email]-id-id.payday extension to encrypted files.
‘This family of ransomware targets its victims by hacking into poorly protected remote desktop services and manually installing the ransomware,’ said Bleeping Computer.
The site claims that the developer behind the new ransomware family is posting on its forums. The developer, named ‘payday_lock’, is asking affected users to make payments in BitCoins to get their files decrypted.
‘All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail Checkzip@india.com,’ the developer wrote.
‘You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files.
‘Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam,’ he warned.
The developer is also offering affected users ways to purchase Bitcoins online and has warned them not to try decrypting their files using third party software as the same may cause permanent data loss.
According to security researcher Michael Gillespie, files decrypted by the BTCWare ransomware cannot be decrypted as they use new key generation. These keys establish secure shell sessions between remote computers over insecure networks and generate keys using one of three different digital signature algorithms.
Fraser Kyne, EMEA CTO at Bromium, believes that lack of security hygiene in ‘next-gen’ technologies is the root cause of such potent ransomware attacks. Trying to detect ransomware after an infection has already taken place is a futile exercise, he says.
‘The inherent failing in security today is that ‘detect to protect’ is fundamentally flawed. Detecting ransomware once it has already hit the endpoint is pointless, the damage is done.
‘This is why businesses need to focus on protection – let the ransomware come through, but isolate and contain it in a virtual environment, so that the hacker has nowhere to go and no data to exfiltrate. Only by accepting ransomware as a part of life, and limiting the damage and profits that can made by it, will we start to see any turning of the tide,’ he adds.