NamPoHyu Virus' Ransomware Targets Remote Samba Servers (Apr 16, 2019)
A new ransomware family, “NamPoHyu Virus” or “MegaLocker Virus,” has been observed infecting users via vulnerable Samba servers. The ransomware searches for accessible servers and attempts to brute-force their passwords. If the brute-force attempt succeeds, it remotely encrypts the files on the server and displays a ransom note. Users are instructed to email a provided address for payment instructions; the demanded ransom is $250 USD in Bitcoin for individual users or $1000 USD in Bitcoin for companies.
Recommendation: It is crucial that your company ensure that servers are always running the most current software version. Your company should have policies in place regarding the proper configurations needed for your servers in order to conduct your business needs safely. Any device that connects to the internet must be treated as a security liability, and default usernames and passwords must be disabled. Additionally, always practice Defence-in-Depth (do not rely on single security mechanisms; security measures should be layered, redundant, and fail-safe). In the case of a ransomware infection, the affected systems should be wiped and reformatted; do not pay the ransom, as it does not guarantee receiving your files back. Other machines on the same network should be scanned for other potential infections. Furthermore, a business continuity plan should be in place in the case of a ransomware infection.
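The infection chain described above starts with a password brute-force against an exposed Samba server, which is visible in the server's own authentication logs well before any file is encrypted. The following detection script is an added example, not code from the original article or from the ransomware author; it parses a constructed, simplified approximation of Samba's auth_audit text output (the real format varies by Samba version, so the regular expression is an assumption you would adapt to your logs), counts failed SMB logons per source address in a sliding time window, and flags sources that exceed a threshold, noting whether a successful logon followed the failures, which is the pattern a successful brute-force leaves behind.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real captured data). The line layout is a
# simplified approximation of Samba's auth_audit text messages; adjust LINE_RE
# to the exact output of the Samba version you run. Addresses are from the
# RFC 5737 documentation ranges.
SAMPLE_LOG = r"""
2019-04-16T10:00:01 Auth: user [WORKGROUP]\[admin] status [NT_STATUS_WRONG_PASSWORD] remote host [ipv4:203.0.113.7:51234]
2019-04-16T10:00:02 Auth: user [WORKGROUP]\[admin] status [NT_STATUS_WRONG_PASSWORD] remote host [ipv4:203.0.113.7:51235]
2019-04-16T10:00:02 Auth: user [WORKGROUP]\[backup] status [NT_STATUS_NO_SUCH_USER] remote host [ipv4:203.0.113.7:51236]
2019-04-16T10:00:03 Auth: user [WORKGROUP]\[admin] status [NT_STATUS_WRONG_PASSWORD] remote host [ipv4:203.0.113.7:51237]
2019-04-16T10:00:04 Auth: user [WORKGROUP]\[admin] status [NT_STATUS_WRONG_PASSWORD] remote host [ipv4:203.0.113.7:51238]
2019-04-16T10:00:05 Auth: user [WORKGROUP]\[admin] status [NT_STATUS_WRONG_PASSWORD] remote host [ipv4:203.0.113.7:51239]
2019-04-16T10:00:06 Auth: user [WORKGROUP]\[admin] status [NT_STATUS_OK] remote host [ipv4:203.0.113.7:51240]
2019-04-16T10:01:00 Auth: user [WORKGROUP]\[alice] status [NT_STATUS_WRONG_PASSWORD] remote host [ipv4:192.0.2.10:40001]
2019-04-16T10:01:05 Auth: user [WORKGROUP]\[alice] status [NT_STATUS_OK] remote host [ipv4:192.0.2.10:40002]
2019-04-16T11:30:00 Auth: user [WORKGROUP]\[bob] status [NT_STATUS_WRONG_PASSWORD] remote host [ipv4:198.51.100.4:40100]
"""

# Assumed line format (see comment above): timestamp, domain\user, NT status, source IP:port.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) Auth: user \[(?P<domain>[^\]]*)\]\\\[(?P<user>[^\]]*)\] "
    r"status \[(?P<status>[A-Z_]+)\] remote host \[ipv4:(?P<ip>[0-9.]+):\d+\]$"
)


def parse_events(text):
    """Turn log text into a list of auth events; unrecognised lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # a production parser would count and report these
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"),
            "user": m["user"],
            "ok": m["status"] == "NT_STATUS_OK",
            "ip": m["ip"],
        })
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: summary} for every source with >= threshold failed logons
    inside any sliding window, recording whether a success followed them."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    targeted = defaultdict(set)   # ip -> account names the source has tried
    alerts = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        ip = ev["ip"]
        if ev["ok"]:
            # A success from an address already flagged is the strongest signal:
            # the guessing most likely worked and the share may now be encrypted.
            if ip in alerts:
                alerts[ip]["success_after_failures"] = True
            continue
        targeted[ip].add(ev["user"])
        q = recent[ip]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            alert = alerts.setdefault(
                ip, {"failures": 0, "success_after_failures": False, "users": set()})
            alert["failures"] = max(alert["failures"], len(q))
            alert["users"] = set(targeted[ip])
    return alerts


def run(text=SAMPLE_LOG):
    return detect_bruteforce(parse_events(text))


if __name__ == "__main__":
    for ip, a in run().items():
        print(f"{ip}: {a['failures']} failed logons in window, accounts tried "
              f"{sorted(a['users'])}, success after failures: {a['success_after_failures']}")
```

On the constructed sample the only flagged source is 203.0.113.7, with six failures across two account names followed by a successful logon; the single mistyped passwords from the other two addresses stay below the threshold. Tune `threshold` and `window` to your environment, and treat a flagged address that then authenticates successfully as an incident to triage immediately rather than a noisy alert.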
Indicators of Compromise (IOCs) associated with this story are available to ThreatStream users to identify potential malicious activity.