A ransomware family was recently spotted targeting vulnerable Samba servers: NamPoHyu Virus, also known as MegaLocker Virus. NamPoHyu Virus is unlike typical ransomware families, which are delivered to the victim's machine and launched there as executables. Instead, it searches for publicly accessible Samba servers, brute-forces them, and runs the ransomware on the attacker's side, encrypting the files on the exposed servers over the network.
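The exposure the article describes (Samba shares reachable without credentials from anywhere) is visible in smb.conf before any attacker finds it. The following is an added example, not from the article or from any Samba tool: a small checker that parses an smb.conf and flags the settings that make a server unauthenticated or internet-facing. The parameter names (`map to guest`, `guest ok`/`public`, `hosts allow`, `bind interfaces only`, `server min protocol`, `read only`/`writable`) are real Samba options; the two sample configurations are constructed, and the function names are this example's own.

```python
"""Audit an smb.conf for settings that expose a Samba server to unauthenticated
or network-wide access.  Added example; the sample configs below are constructed."""

import re

YES = {"yes", "true", "1"}
SMB1_DIALECTS = {"NT1", "CORE", "COREPLUS", "LANMAN1", "LANMAN2"}


def parse_smb_conf(text):
    """Minimal smb.conf parser -> {section: {param: value}}.
    Parameter names are case-insensitive and internal whitespace is not
    significant in smb.conf, so they are normalised to lower case, single spaces."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # full-line comments only
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def share_is_writable(share):
    """'read only' wins over the 'writable'/'writeable' synonyms; default is read-only."""
    if "read only" in share:
        return share["read only"].lower() not in YES
    for key in ("writable", "writeable"):
        if key in share:
            return share[key].lower() in YES
    return False


def audit_smb_conf(text):
    """Return a list of (section, parameter, finding) tuples; empty means no exposure found."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    findings = []

    # 'map to guest = Bad User' turns every failed login into a guest session,
    # so a wrong password still grants whatever guests may access.
    if glob.get("map to guest", "never").lower() != "never":
        findings.append(("global", "map to guest", "failed logins are mapped to guest access"))
    if "hosts allow" not in glob:
        findings.append(("global", "hosts allow", "no source-address restriction on clients"))
    if glob.get("bind interfaces only", "no").lower() not in YES:
        findings.append(("global", "bind interfaces only", "smbd listens on every interface"))
    # Samba releases before 4.11 defaulted to NT1 (SMB1); pin the minimum dialect explicitly.
    min_proto = glob.get("server min protocol", "").upper()
    if not min_proto or min_proto in SMB1_DIALECTS:
        findings.append(("global", "server min protocol", "SMB1 dialects accepted or not pinned"))

    for name, share in conf.items():
        if name == "global":
            continue
        guest = share.get("guest ok", share.get("public", glob.get("guest ok", "no")))
        if guest.lower() in YES:
            msg = "share accessible without credentials"
            if share_is_writable(share):
                msg += ", and writable (ransomware can encrypt it in place)"
            findings.append((name, "guest ok", msg))
    return findings


# Constructed sample: a typical exposed NAS-style configuration.
EXPOSED_CONF = """
[global]
   workgroup = WORKGROUP
   map to guest = Bad User
   server min protocol = NT1

[nas]
   path = /srv/nas
   guest ok = yes
   read only = no
"""

# Constructed sample: the same share restricted to a LAN and to named users.
HARDENED_CONF = """
[global]
   workgroup = WORKGROUP
   map to guest = Never
   hosts allow = 192.168.1.0/24 127.0.0.1
   hosts deny = ALL
   interfaces = 192.168.1.10/24 lo
   bind interfaces only = yes
   server min protocol = SMB2_02

[nas]
   path = /srv/nas
   guest ok = no
   valid users = @nasusers
   read only = no
"""

if __name__ == "__main__":
    for section, param, finding in audit_smb_conf(EXPOSED_CONF):
        print(f"[{section}] {param}: {finding}")
    print("hardened config findings:", audit_smb_conf(HARDENED_CONF))
```

Running the block against the exposed sample yields five findings, including the guest-writable `[nas]` share; the hardened sample yields none. `hosts allow` and `bind interfaces only` are the two settings that keep a share off the public internet regardless of credential strength, which is the precondition NamPoHyu relies on.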
Samba is an open-source implementation of the Server Message Block (SMB) networking protocol used for providing services such as file and print sharing. It is run on most systems with Unix and Unix-like operating systems, and enables these systems to communicate with Windows-based clients.
Given how Samba provides interoperability between different platforms, NamPoHyu Virus’ adverse impact could be pervasive. According to a report by BleepingComputer, search results in Shodan, a search engine for internet-connected devices, show that there are over 500,000 unauthenticated and publicly accessible Samba servers.
The NamPoHyu Virus ransomware is said to have first emerged in March as MegaLocker Virus, encrypting victims’ network-attached storage (NAS) devices. Files encrypted by the MegaLocker Virus would be appended with the .crypted extension. The ransom note would demand a payment of US$250 from users, and ask them to send their private or personal photos as proof that they are not a business. Affected companies, meanwhile, would be coerced to pay US$800.
By early April, it was reported that MegaLocker Virus had changed its name to NamPoHyu Virus. From then on, it has appended the .NamPoHyu extension to encrypted files. NamPoHyu Virus now demands US$1,000 from affected companies, while the ransom for personal users remains at US$250. Victims are given a grace period of 10 days to pay. NamPoHyu Virus now also has a Tor payment website.
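Both names the article gives the family leave a fixed fingerprint on the share: every encrypted file is renamed with `.crypted` (MegaLocker) or `.NamPoHyu` appended. On a Samba server this shows up as a burst of `rename` operations from one client, which the `vfs_full_audit` module can log. The following is an added example, not from the article: it parses audit lines in the module's default `user|client-ip|operation|result|args...` layout (an assumption about how the server is configured; the log lines themselves are constructed) and raises an alert for any session that appends the same suffix to many files in a short window. It goes beyond the two extensions in the article by also catching an unknown suffix applied in bulk, while treating the known ones as an alert on first sight.

```python
"""Detect mass-rename bursts (files gaining the same new suffix) in Samba
full_audit log lines.  Added example; the sample log below is constructed."""

import re
from collections import defaultdict
from datetime import datetime, timedelta

# Extensions named in the article: MegaLocker (.crypted) and NamPoHyu (.NamPoHyu).
KNOWN_EXTENSIONS = {".crypted", ".nampohyu"}

# Assumed syslog layout: "<Mon DD HH:MM:SS> <host> smbd_audit: user|ip|op|result|arg|arg..."
LINE_RE = re.compile(r"^(\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+\S+\s+smbd_audit:\s+(.+)$")


def parse_audit_line(line):
    """Return a dict for a well-formed audit line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = m.group(2).split("|")
    if len(fields) < 4:
        return None
    user, ip, op, result = fields[:4]
    return {"ts": datetime.strptime(m.group(1), "%b %d %H:%M:%S"),
            "user": user, "ip": ip, "op": op, "result": result, "args": fields[4:]}


def appended_extension(old, new):
    """Suffix added to `old` to produce `new` (lower-cased), or None if `new`
    is not simply `old` with something appended."""
    if new.startswith(old) and len(new) > len(old):
        return new[len(old):].lower()
    return None


def detect_mass_rename(lines, window=timedelta(minutes=5), threshold=5):
    """Alert on (user, ip) sessions that append one suffix to >= `threshold`
    files within `window`, or append a known ransomware suffix to any file."""
    events = defaultdict(list)                     # (user, ip, suffix) -> [timestamps]
    for line in lines:
        rec = parse_audit_line(line)
        if not rec or rec["op"] != "rename" or rec["result"] != "ok" or len(rec["args"]) < 2:
            continue
        suffix = appended_extension(rec["args"][0], rec["args"][1])
        if suffix:
            events[(rec["user"], rec["ip"], suffix)].append(rec["ts"])

    alerts = []
    for (user, ip, suffix), stamps in events.items():
        stamps.sort()
        best = start = 0                             # densest sliding window
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        known = suffix in KNOWN_EXTENSIONS
        if best >= threshold or known:
            alerts.append({"user": user, "ip": ip, "extension": suffix,
                           "renames_in_window": best, "known_family": known})
    return alerts


# Constructed sample: one guest session renaming photos in bulk, one ordinary user
# making two backup copies, and an unrelated open that should be ignored.
SAMPLE_LOG = [
    "Apr 15 10:02:11 nas smbd_audit: nobody|203.0.113.5|rename|ok|photos/IMG_001.jpg|photos/IMG_001.jpg.NamPoHyu",
    "Apr 15 10:02:11 nas smbd_audit: nobody|203.0.113.5|rename|ok|photos/IMG_002.jpg|photos/IMG_002.jpg.NamPoHyu",
    "Apr 15 10:02:12 nas smbd_audit: nobody|203.0.113.5|rename|ok|photos/IMG_003.jpg|photos/IMG_003.jpg.NamPoHyu",
    "Apr 15 10:02:12 nas smbd_audit: alice|192.168.1.20|open|ok|docs/report.docx",
    "Apr 15 10:02:13 nas smbd_audit: nobody|203.0.113.5|rename|ok|photos/IMG_004.jpg|photos/IMG_004.jpg.NamPoHyu",
    "Apr 15 10:02:14 nas smbd_audit: alice|192.168.1.20|rename|ok|docs/report.docx|docs/report.docx.bak",
    "Apr 15 10:02:15 nas smbd_audit: nobody|203.0.113.5|rename|ok|photos/IMG_005.jpg|photos/IMG_005.jpg.NamPoHyu",
    "Apr 15 10:02:16 nas smbd_audit: alice|192.168.1.20|rename|ok|docs/notes.txt|docs/notes.txt.bak",
    "Apr 15 10:02:17 nas smbd_audit: nobody|203.0.113.5|rename|ok|photos/IMG_006.jpg|photos/IMG_006.jpg.NamPoHyu",
]

if __name__ == "__main__":
    for alert in detect_mass_rename(SAMPLE_LOG):
        print(alert)
```

The known-extension rule gives an immediate signal for the families the article names; the sliding-window count is what catches a renamed variant, since the extension changed once already (from `.crypted` to `.NamPoHyu`) and can change again. Rename logging has to be enabled on the server for this to have anything to read, and the alert is a cue to cut the session and restore from backup, not a substitute for keeping the share off the internet in the first place.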
Threats targeting Samba aren’t new. In July 2017, Trend Micro researchers uncovered Linux malware that exploited the notorious SambaCry vulnerability (CVE-2017-7494), which was also used to deliver cryptocurrency-mining malware. The SambaCry-exploiting threat targeted and hijacked NAS devices. Despite being a relatively old flaw, SambaCry continued to be a persistent security risk, particularly to internet-of-things (IoT) and connected devices.
Ransomware may be plateauing, but its destructive impact poses significant risks to users and businesses. In June 2017, for instance, a South Korean company incurred losses of at least US$1 million when more than a hundred of its Linux servers were affected by the Erebus ransomware. There’s also the server-targeting Samsam ransomware, which has been a perennial threat especially to the healthcare, education, and transportation industries.
These solutions are powered by Trend Micro XGen™ security, which provides a cross-generational blend of threat defense techniques against a full range of threats for data centers, cloud environments, networks, and endpoints. Smart, optimized, and connected, XGen™ powers Trend Micro’s suite of security solutions: Hybrid Cloud Security, User Protection, and Network Defense.