Brazilian cybercriminals are using the original version of the XPan ransomware, targeting small to medium-sized business based in Brazil with the malware.
XPan works by penetrating poorly protected remote desktop protocol (RDP) connections. Hackers use those connections to manually install the ransomware and encrypt files, according to a report by Kaspersky Lab’s Global Research and Analysis Team.
“XPan is a very targeted attack against servers with RDP connections exposed to the internet. The bad guys do a brute force attack, enter, and run the ransomware manually in most cases,” said Fabio Assolini, a Kaspersky Lab researcher.
After infection, Assolini said, attackers can erase any evidence on infected computers, including the installer of the malware.
The XPan variant dates back to October 2016 when it was discovered. Since then, Kaspersky Lab researchers say there have been several incarnations of XPan, such as XPan hakunamatata and 7zipper. “This sample is what could be considered as the ‘father’ of other XPan ransomware variants,” researchers said.
The file encryption algorithm is identical to the original XPan variant, researchers said. “Every bit of executable code remains the same, which is quite surprising, because since that time there were several newer versions of this malware with an updated encryption algorithm,” wrote authors of the report.
Kaspersky Lab said it has successfully reverse engineered a sample of the malware and can help XPan victims decrypt locked files. The security firm said it has already helped approximately 50 companies impacted by the ransomware. But, it believes the actual infection numbers are greater when factoring in companies working with other security firms and businesses that dealt with the matter privately.
“Brazilian cybercriminals are focusing their efforts in creating new and local ransomware families, attacking small companies and unprotected users. We believe this is the next step in the ransomware fight: going from global scale attacks to a more localized scenario,” according to the Global Research and Analysis Team.
Kaspersky Lab said XPan is indicative of future ransomware attacks where cybercriminals “will create new families from scratch, in their own language, and resort to ransomware-as-a-service as a way to monetize their attacks.” Researchers point to HiddenTear as an example of ransomware that also focuses on regional attacks.
With these most recent XPan infections, researchers said, extensions for encrypted files are “.one.” Victims are asked to pay 0.3 bitcoin (or $380).
“The file encryption algorithm also remains the same. For each target file the malware generates a new unique 255-byte random string S (which contains the substring “NMoreira”), turns it into a 256-bit key using the API CryptDeriveKey, and proceeds to encrypt the file contain using AES-256 in CBC mode with zero IV,” wrote Kaspersky Lab researchers.
One of the only differences between the XPan variant used in the Brazilian campaign and more recent versions is the configuration block that includes instructions on what file extensions to target, the actual ransom note, commands to execute before encryption and the public RSA key used by the attackers, according to researchers.