DXXD Ransomware Encrypts Files on Unmapped Network Shares

A new ransomware family has emerged that targets servers and encrypts files on network shares even if they haven’t been mapped to the infected computer.

Dubbed DXXD, the new piece of ransomware appends the .dxxd extension to encrypted files, then drops a ransom note onto the infected computer. The malware does not limit itself to files on the local machine: it also targets network shares, both mapped and unmapped, a feature that was previously seen in Locky.

While the ransomware’s infection vector isn’t clear at the moment, the attackers are believed to be abusing Remote Desktop Services and are brute-forcing passwords to spread the DXXD ransomware, BleepingComputer’s Lawrence Abrams notes.

The ransom note dropped by the new threat instructs users to contact the operators via two email addresses to receive payment instructions: rep_stosd[at]protonmail.com and rep_stosd[at]tuta.io. However, as is usual with ransomware infections, users are advised not to give in and pay the ransom.

Unlike other ransomware families out there, DXXD was configured to change a Windows Registry setting to display a so-called “legal notice” to users when they log in. This way, the ransomware author ensures that any user attempting to log into an infected computer sees the ransom note.

The “legal notice” informs users that the computer they are logging into “is attacked by hackers.” It also claims that users should contact experts at said emails and various other email addresses, such as shellexec[at]protonmail.com or null_ptr[at]tutanota.de “for more informations [sic!] and recommendations.”

To display the notice, the ransomware changes the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption registry key. It also changes HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText to display the following: “When you start Windows, Windows Defender works to help protect your PC by scanning for malicious or unwanted software.”
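A detection sketch for the registry change described above, added here as an example and not taken from the original article: it scans Sysmon Event ID 13 (registry value set) records for writes to the two Winlogon legal notice values whose data is not an approved banner. The JSON export layout, the approved banner text and the sample events are constructed assumptions.

```python
import json

# Registry values the article says DXXD rewrites (under HKLM), lowercased for matching.
WINLOGON = r"hklm\software\microsoft\windows nt\currentversion\winlogon"
WATCHED = {WINLOGON + r"\legalnoticecaption", WINLOGON + r"\legalnoticetext"}

# Assumption: the organisation's approved logon banner; "" means "no banner".
APPROVED = {"", "Authorized use only"}

# Constructed sample: JSON lines shaped like exported Sysmon Event ID 13 records.
SAMPLE_LOG = r"""
{"EventID": 13, "Computer": "srv01", "Image": "C:\\Windows\\System32\\svchost.exe", "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\LegalNoticeCaption", "Details": "Authorized use only"}
{"EventID": 13, "Computer": "srv02", "Image": "C:\\Users\\svc\\AppData\\Local\\Temp\\sample.exe", "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\LegalNoticeCaption", "Details": "constructed ransom caption"}
{"EventID": 13, "Computer": "srv02", "Image": "C:\\Users\\svc\\AppData\\Local\\Temp\\sample.exe", "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\LegalNoticeText", "Details": "constructed ransom text"}
{"EventID": 13, "Computer": "srv02", "Image": "C:\\Windows\\regedit.exe", "TargetObject": "HKLM\\SOFTWARE\\Example\\Setting", "Details": "1"}
{"EventID": 1, "Computer": "srv02", "Image": "C:\\Windows\\System32\\cmd.exe"}
this line is damaged and is not JSON
"""

def find_banner_changes(log_text, approved=APPROVED):
    """Return one finding per write of non-approved data to a watched value."""
    findings = []
    for line in log_text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or damaged line: skip it, keep hunting
        if not isinstance(ev, dict) or ev.get("EventID") != 13:
            continue  # only registry value-set events matter here
        target = str(ev.get("TargetObject", ""))
        if target.lower() not in WATCHED:
            continue
        details = str(ev.get("Details", ""))
        if details in approved:
            continue  # e.g. Group Policy re-applying the sanctioned banner
        image = str(ev.get("Image", ""))
        findings.append({
            "computer": ev.get("Computer"),
            "value": target.rsplit("\\", 1)[-1],
            "image": image,
            "from_appdata": "\\appdata\\" in image.lower(),
            "details": details,
        })
    return findings

if __name__ == "__main__":
    for finding in find_banner_changes(SAMPLE_LOG):
        print(finding)
```

Because the banner is shown before logon, a hit on these values is worth alerting on even when the writing process looks legitimate.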

According to Abrams, the ransomware’s alleged author decided to taunt victims and researchers by creating an account on BleepingComputer and claiming that a newer version of the ransomware has been developed and that it is more difficult to decrypt. The developer also claimed that a new zero-day vulnerability was used to compromise servers and install the ransomware.

Researchers say that paying the ransom isn’t a solution in the event of an attack, because that doesn’t guarantee that the data will be recovered. To keep their data safe, users are advised to constantly back up their files, keep their software up to date, use a reputable anti-malware solution, avoid opening attachments or clicking on links coming from unknown sources, and disable Remote Desktop Protocol (RDP) as well as the execution of files from AppData/LocalAppData folders.

Ionut Arghire is an international correspondent for SecurityWeek.
Original author: Ionut Arghire