LockCrypt Ransomware Spreading Via RDP Brute-Force Attacks

LockCrypt is a new server-focused ransomware with similarities to the Satan ransomware-as-a-service. It reportedly infects targets via a Remote Desktop Protocol (RDP) brute-force attack and has targeted smaller businesses.

The creators of the malware are manually infecting devices using an RDP brute-force attack performed on compromised servers. Once they have access to a system they terminate all non-core processes before deploying LockCrypt to ensure maximum damage. Files are encrypted with .lock extension, with backups and shadow volumes deleted to prevent easy recovery.

Affected Platforms

Windows and Linux Servers


If RDP is not used, then ensure port 3389 is blocked by your internet firewall.

To protect against RDP attacks:

  • Ensure only authorised users are granted RDP permissions.
  • Authorised users have a strong password.
  • RDP connections are protected with multifactor authentication.
  • For additional security only allow RDP to run through VPN connections.


Duncan Newell

Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: