New Accdfisa Ransomware Targets Windows Servers

[ritchie58]

Emsisoft experts have tracked a group of hackers that have been launching targeted attacks on Windows servers running publicly accessible Remote Desktop and Terminal Services. If the attack is successful, the ransomware ACCDFISA is installed and moves important files into encrypted RAR archives. Access to such encrypted files is only possible after paying ransom. There is nothing anti-virus or anti-malware software can do: Windows servers that can be accessed via RDP from the Internet are currently the No. 1 target of some criminals. If the server relies on weak or no password policies at all, it is easy to crack commonly used user names via dictionary-based brute-force attacks and thus gain access to the system. The hackers can then easily disable any active security software.

 

Afterwards, they install the malware ACCDFISA that consists of three malicious parts. The most dangerous of them: a crypto malware component, installed as a service. It deletes backups and "hijacks" important data by locking it into encrypted RAR archives. The only way to regain access to your data is by prompt payment of the ransom. Small companies, in particular, are the victims of this trick due to their low IT security level and end up paying the ransom to get their data back.

 

 

Important tips for Windows server administrators

• It is vitaly important to use only secure, highly complex password for all user accounts.
• Apply all available updates. Microsoft published an important patch for Remote Desktop service in mid-March.

For a detailed analysis of all ACCDFISA types discovered so far please see:

 

Emsisoft Blog: The ACCDFISA malware family