Security firm Kaspersky Lab have revealed that cyber attackers based in Brazil have recently increased their tactics and have adopted a new ransomware to use against internet users as their new means of attack.
Some security researchers from the security firm which is based in Moscow, Russia analyzed a new variant of the Brazilian made malware named Xpan Trojan. The malware is Bing used by the TeamXrat hacking group. The group is also known by its other alias, CorporacaoXRat, and they are known to be targeting the local companies and hospitals in Brazil. The ransomware has the signature, xratteamLucked, and it is appended to the encrypted files.
The Xpan ransomware is not the first to come out of Brazil, with other copycats such as the TorLocker and the HiddenTear being seen in the country also. The threat of the ransomware is developed by the organized gang that has been making some targeted attacks through the Remote Desktop Protocol, so as to infect the systems, the security researchers noted. The Xpan is unlike the other malware which were used by the TeamXRat group in that it does not use the persistence which will be switched from the Tiny Encryption Algorithm to the AES-256.
The researchers said they had managed to identify about two versions of the Trojan solely based on the extensions and their different encryption techniques. The first version is known to use the ___xratteamLucked (3 _ symbols) and is able to generate a single 255 symbol password for all the files it gets. The second one makes use of the ____xratteamLucked (4_ symbols), extension and then generates a new 255 symbol password for each single file.
Before the encryption process, the ransomware will try to stop the popular databases and then delete itself after the completion of the process. After the device is infected, the Trojan then modifies the registry and when the victim then clicks on the file with the extension, the ransom note is then displayed using the msg.exe utility.
The Xpan attacks are also being performed manually by the RDP brute force methods and then installing the ransomware on the devices. When they gain access to a server, the attackers will then disable the antivirus installed on the device and starts to install the malware.
Kaspersky noted that Brazil was seen as the country where the most compromised servers were being offered in a recent study. Fortunately, Kaspersky managed to break the malware encryption for Xpan and therefore there is free file decryption available. The researchers have already managed to help one hospital in Brazil which had been attacked. The researchers also said that they expected more attacks to come from the same threat actor.