Malware researchers from Kaspersky have spotted the TeamXRat gang spreading a new ransomware in Brazil via RDP brute-force attacks.

Cyber criminals are using stolen or weak remote desktop credentials to access systems and deliver file-encrypting ransomware.

This is not a novelty in the criminal ecosystem, in March experts discovered a ransomware dubbed Surprise that was installed via TeamViewer and executes from memory.

In October 2015, experts at BleepingComputer blog reported a strain of ransomware dubbed LowLevel04 that was spreading via Remote Desktop and Terminal Service.

The hackers in both circumstances used stolen credentials for RDP software.

Now security researchers from the security firm Kaspersky Lab have spotted a new strain of ransomware, called Trojan-Ransom.Win32.Xpan, that was used in campaigns against hospitals and other organizations in Brazil.

According to Kaspersky, the new ransomware was developed by a gang called TeamXRat that was known for the development of remote access trojans (RATs).

The members of the TeamXRat perform brute-force attacks on the machine in order to access it via RDP and then manually install the Xpan ransomware on the hacked servers.

“Connecting remote desktop servers directly to the Internet is not recommended and brute forcing them is nothing new; but without the proper controls in place to prevent or at least detect and respond to compromised machines, brute force RDP attacks are still relevant and something that cybercriminals enjoy,” reads a blog post published by  Kaspersky. “Once the server is compromised, the attacker manually disables the Antivirus product installed on the server and proceeds with the infection itself.”

The experts also highlighted that crooks exploit MS15-067 and MS15-030 vulnerabilities in the RDP protocol. Crooks could exploit them to remotely execute code by sending a specially crafted sequence of packets to a targeted system.

According to Kaspersky, Brazil is the country with the highest number of compromised RDP servers being sold on the underground market.

This summer experts from Kaspersky revealed the existence of the xDedic marketplace that was offering everyone from entry-level cybercriminals to APT groups fast, cheap and easy access to legitimate organizational servers.

The good news is that the TeamXRat has made an error while developing the encryption functionality of ransomware that has been exploited by the experts at Kaspersky Lab to recover the encrypted files without paying the ransom.

The victims of the Xpan have to contact Kaspersky to receive instructions and assistance to recover the files.

“But the good news is that the Kaspersky Anti-Ransom team was able to break the encryption used by the Xpan Trojan. This effort made possible the decryption of files belonging to a Hospital in Brazil, which was hit by this Ransomware family.” closes Kaspersky.

“If you’re a victim of this new Ransomware family and need help to decrypt your files, please DON’T PAY the ransom. Instead, contact us via support.”

Pierluigi Paganini