LockCrypt is a new server-focused ransomware with similarities to the Satan ransomware-as-a-service. It reportedly gains entry by brute-forcing Remote Desktop Protocol (RDP) credentials and has been used against smaller businesses.
The operators infect machines by hand rather than through an automated dropper: they brute-force RDP logons on exposed servers, and once they have an interactive session they terminate all non-core processes before deploying LockCrypt, both to maximise damage and so that files held open by running applications can be encrypted. Encrypted files are given the .lock extension, and backups and volume shadow copies are deleted to hinder recovery. Because a human is at the keyboard, anything reachable from the compromised account (mapped drives, backup shares, other hosts with the same credentials) should be treated as at risk.
Windows and Linux Servers
If RDP is not needed, disable it on the host and block inbound TCP and UDP port 3389 at your internet-facing firewall; a service that is not listening cannot be brute-forced.
To protect against RDP brute-force attacks where RDP is required:
- Grant RDP logon rights only to named users who need them (review the Remote Desktop Users group and the "Allow log on through Remote Desktop Services" right regularly).
- Require strong, unique passwords for those users and enforce an account lockout policy so that repeated failed logons are throttled rather than allowed to run indefinitely.
- Protect RDP connections with multifactor authentication.
- For additional security, do not expose RDP directly to the internet: require users to connect over a VPN first, so the service is reachable only from internal or VPN addresses.
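The following PowerShell script is an added example written for this page; it is not part of the original advisory and not code from the LockCrypt operators or any vendor. It audits the RDP exposure of a single Windows server against the points above (is RDP enabled, is Network Level Authentication required, who can log on via RDP, which host-firewall rules admit port 3389 and from where, what the lockout policy is) and, with the `-Harden` switch, applies the host-side fixes. The `-Harden` and `-RdpNotNeeded` switches, the `$AllowedRdpSources` VPN subnet of `10.8.0.0/24` and the lockout numbers are assumptions chosen for illustration; replace them with your own values. Multifactor authentication and the perimeter firewall rule must be configured on those systems themselves and are outside what this script can do.

```powershell
<#
  Added example: audit and optionally harden RDP exposure on one Windows host.
  Run in an elevated PowerShell (5.1 or later) session.
  Assumptions (hypothetical, adjust for your environment):
    - $AllowedRdpSources is the VPN / management subnet allowed to reach RDP.
    - The lockout threshold/duration/window values are illustrative only.
  Switches:
    -Harden        apply changes instead of only reporting.
    -RdpNotNeeded  treat RDP as unused: disable it and block TCP/UDP 3389.
#>
param(
    [switch]$Harden,
    [switch]$RdpNotNeeded,
    [string[]]$AllowedRdpSources = @('10.8.0.0/24')   # assumed VPN subnet
)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = "$tsKey\WinStations\RDP-Tcp"

# 1. Is RDP enabled?  fDenyTSConnections = 1 means incoming connections are refused.
$rdpDisabled = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections -eq 1
Write-Host ("RDP enabled on host  : {0}" -f (-not $rdpDisabled))

# 2. Is Network Level Authentication required?  With NLA the client must
#    authenticate (CredSSP) before a session is created, so a guesser never
#    gets an interactive logon screen to hammer.
$nla = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication).UserAuthentication -eq 1
Write-Host ("NLA required         : {0}" -f $nla)

# 3. Who may log on via RDP?  Review this: only named admins who need it.
$rdpUsers = Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue
Write-Host ("Remote Desktop Users : {0}" -f (($rdpUsers | ForEach-Object Name) -join ', '))

# 4. Host firewall: which enabled inbound rules admit port 3389, and from where?
$rdpRules = Get-NetFirewallRule -Direction Inbound -Enabled True -ErrorAction SilentlyContinue |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '3389' }
foreach ($r in $rdpRules) {
    $remote = (($r | Get-NetFirewallAddressFilter).RemoteAddress) -join ','
    Write-Host ("Inbound 3389 rule    : {0} (remote: {1}, action: {2})" -f $r.DisplayName, $remote, $r.Action)
}

# 5. Lockout policy: this is what actually throttles a password-guessing loop.
net accounts | Select-String 'Lockout' | ForEach-Object { Write-Host $_.Line }

if (-not $Harden) {
    Write-Host "`nAudit only. Re-run with -Harden to apply changes."
    return
}

if ($RdpNotNeeded) {
    # RDP unused: turn it off and drop 3389 at the host firewall too.  The
    # perimeter firewall rule must still be added on the perimeter device.
    Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue
    New-NetFirewallRule -DisplayName 'Block inbound RDP (TCP 3389)' -Direction Inbound `
        -Protocol TCP -LocalPort 3389 -Action Block | Out-Null
    New-NetFirewallRule -DisplayName 'Block inbound RDP (UDP 3389)' -Direction Inbound `
        -Protocol UDP -LocalPort 3389 -Action Block | Out-Null
    Write-Host "RDP disabled and inbound 3389 blocked on the host firewall."
    return
}

# RDP needed: require NLA, restrict the built-in 'Remote Desktop' rules to the
# VPN subnet so the listener is unreachable from the internet, and make
# repeated failures lock the account (values are illustrative).
Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1
Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -RemoteAddress $AllowedRdpSources
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30 | Out-Null
Write-Host ("NLA enforced; RDP reachable only from {0}; lockout policy set." -f ($AllowedRdpSources -join ', '))
```

Run it once without switches to see the current state, then with `-Harden` (or `-Harden -RdpNotNeeded` for a server that should not offer RDP at all). Restricting the firewall rule to a VPN subnet is a host-level complement to, not a substitute for, blocking 3389 at the internet edge: if the perimeter still forwards the port, a misconfigured host rule is the only thing standing between the attacker and the logon prompt.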