CommonRansom Ransomware Demands RDP Access to Decrypt Files (Oct 30, 2018)
A researcher named Michael Gillespie has identified a new ransomware dubbed "CommonRansomware" that stands out from other malware with similar functionalities in that it makes an unusual request of the victim to decrypt their files. To note, the initial infection vector for CommonRansomware has not yet been reported at the time of this writing. Once a machine has been infected, the ransom note appears that requests 0.1 bitcoins (approximately $633.42 USD). The strange factor of this malware comes with another request in which the note asks to send an email to "old@nuke[.]africa" with various forms of information including: IP address and RDP port number, username and password of administrator account, time when Bitcoin payment was made, and victim ID number.
Recommendation: Ransomware is a continually evolving threat. It is paramount to have a comprehensive and tested backup solution in place, in addition to a business continuity policy in place. In the unfortunate case a reproducible backup is not in place, make sure to check for a decryptor before considering payment; avoid payment at all costs. Ransomware should be reported to law enforcement agencies who are doing their best to track these actors and prevent ransom from being a profitable business for cyber criminals.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.