A ransomware variant that first appeared two months ago is making a name for itself with constant updates, improved functionality, and an inability to concoct a proper encryption algorithm that Emsisoft’s Fabian Wosar can’t break.
Called Apocalypse, the ransomware stands apart from similar tools because it uses a manual distribution method, relying on its authors brute-forcing unsecured RDP servers and installing Apocalypse by hand.
Fox-IT experts warned at the start of May about RDP brute-force attacks specifically aimed at installing ransomware. Apocalypse appeared for the first time about a week after that report came out.
Before Apocalypse, malware analysts had also discovered new versions of an older ransomware family that was likewise using RDP brute-force attacks to spread to corporate networks.
Both Apocalypse and ApocalypseVM were cracked
As for Apocalypse, the ransomware uses a simplistic XOR-based encryption algorithm, which is why Emsisoft’s Fabian Wosar managed to crack it at the start of the month and then offered a free decrypter that can unlock files without paying the ransom.
Apocalypse’s authors counteracted by updating their code and obfuscating it with VMProtect, an application for protecting software against reverse engineering and code cracking.
Wosar didn’t let up, and he released a decrypter for this version as well, which was named ApocalypseVM.
Emsisoft manages to annoy a second ransomware coder
A week after that, the Apocalypse ransomware authors released a new version, and this one contained some “kind” words for Emsisoft researchers.
This is not the first time that Emsisoft and Fabian Wosar have gotten on the nerves of ransomware coders; the same thing happened when he created a decrypter for the Radamant ransomware this winter.
At the time of writing, the latest version of the Emsisoft decrypter will allow infected users to recover their files for free.
“Due to the nature of the attack, protection software is rather ineffective. If the attacker manages to get access to the system via remote control, they can simply disable any protection software installed or add the malware to the protection software’s exclusion list,” Emsisoft explains. “It therefore is imperative to prevent the attacker from gaining access to the system to begin with.”
For this, it is recommended that sysadmins use strong passwords for their RDP connections, or better yet, just disable the protocol if not needed.
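Because the intrusion starts with password guessing against RDP, the practical check for a sysadmin is whether anyone is hammering the service. The following is an added example, not code from the article or from Emsisoft: it scans a constructed, simplified rendering of Windows Security events (4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive/RDP) and flags source addresses that rack up repeated RDP failures in a short window, noting whether a successful logon followed. The line format, addresses and user names are all made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real events): one burst of RDP password
# guessing from 203.0.113.7 that ends in a successful logon, plus noise.
SAMPLE_LOG = """\
2016-06-10T01:00:01 4625 LogonType=10 TargetUser=Administrator SourceIP=203.0.113.7
2016-06-10T01:00:02 4625 LogonType=10 TargetUser=admin SourceIP=203.0.113.7
2016-06-10T01:00:03 4625 LogonType=10 TargetUser=backup SourceIP=203.0.113.7
2016-06-10T01:00:04 4625 LogonType=10 TargetUser=Administrator SourceIP=203.0.113.7
2016-06-10T01:00:05 4625 LogonType=10 TargetUser=sysadmin SourceIP=203.0.113.7
2016-06-10T01:00:09 4624 LogonType=10 TargetUser=backup SourceIP=203.0.113.7
2016-06-10T01:30:00 4625 LogonType=10 TargetUser=jsmith SourceIP=198.51.100.4
2016-06-10T09:00:00 4625 LogonType=2 TargetUser=jsmith SourceIP=-
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>\d{4}) LogonType=(?P<ltype>\d+) "
                     r"TargetUser=(?P<user>\S+) SourceIP=(?P<ip>\S+)$")

def parse(log_text):
    """Yield one dict per well-formed line of the simplified log format."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield {"ts": datetime.fromisoformat(m["ts"]), "event": m["event"],
                   "ltype": int(m["ltype"]), "user": m["user"], "ip": m["ip"]}

def detect_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: {"failures": n, "users": [...], "success_after": bool}} for
    every source IP with >= threshold failed RDP logons inside `window`."""
    events = sorted(parse(log_text), key=lambda e: e["ts"])
    failures = defaultdict(list)   # ip -> [(timestamp, user)] of failed RDP logons
    alerts = {}
    for e in events:
        if e["ltype"] != 10:
            continue               # only RemoteInteractive (RDP) logons are of interest
        if e["event"] == "4625":
            failures[e["ip"]].append((e["ts"], e["user"]))
            recent = [u for ts, u in failures[e["ip"]] if e["ts"] - ts <= window]
            if len(recent) >= threshold and e["ip"] not in alerts:
                alerts[e["ip"]] = {"failures": len(recent),
                                   "users": sorted(set(recent)),
                                   "success_after": False}
        elif e["event"] == "4624" and e["ip"] in alerts:
            alerts[e["ip"]]["success_after"] = True   # guessing paid off: treat as an intrusion
    return alerts

if __name__ == "__main__":
    for ip, info in detect_rdp_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```

A hit with `success_after` set is the scenario the article describes: at that point the attacker has an interactive session and endpoint protection can no longer be relied on.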
“I have a new friend now! 😀 Sad though that they butchered the name again,” Fabian Wosar (@fwosar) wrote on Twitter.