NamPoHyu aka MegaLocker Virus Ransomware Found Remotely Encrypting Samba Servers
A ransomware family was recently spotted targeting vulnerable Samba servers: NamPoHyu Virus aka MegaLocker Virus. NamPoHyu Virus is unlike typical ransomware families that are delivered locally and launched as executables. Instead, it searches for publicly accessible Samba servers, brute-forces them, and runs the ransomware locally to encrypt the exposed servers.
[READ: What You Need to Know About the LockerGoga Ransomware]
Samba is an open-source implementation of the Server Message Block (SMB) networking protocol used for providing services such as file and print sharing. It is run on most systems with Unix and Unix-like operating systems, and enables these systems to communicate with Windows-based clients.
Given how Samba provides interoperability between different platforms, NamPoHyu Virus’ adverse impact could be pervasive. According to a report by BleepingComputer, search results in Shodan, a search engine for internet-connected devices, show that there are over 500,000 unauthenticated and publicly accessible Samba servers.
[READ: Examining Ryuk Ransomware Through the Lens of Managed Detection and Response]
The NamPoHyu Virus ransomware is said to have first emerged in March as MegaLocker Virus, encrypting victims’ network-attached storage (NAS) devices. Files encrypted by the MegaLocker Virus would be appended with the .crypted extension. The ransom note would demand a payment of US$250 from users, and ask them to send their private or personal photos as proof that they are not a business. Affected companies, meanwhile, would be coerced to pay US$800.
By early April, it was reported that MegaLocker Virus had changed its name to NamPoHyu Virus. From then on, it has appended the .NamPoHyu extension to encrypted files. NamPoHyu Virus now demands US$1,000 from affected companies, while the ransom for personal users remains at US$250. Victims are given a grace period of 10 days to pay. NamPoHyu Virus now also has a Tor payment website.
[READ: Ransomware Attack Hinders Michigan County Operations]
Threats targeting Samba aren’t new. In July 2017, Trend Micro researchers uncovered Linux malware that exploited the notorious SambaCry vulnerability (CVE-2017-7494), which was also used to deliver cryptocurrency-mining malware. The SambaCry-exploiting threat targeted and hijacked NAS devices. Despite being a relatively old flaw, SambaCry continued to be a persistent security risk, particularly to internet-of-things (IoT) and connected devices.
[READ: Erebus Linux Ransomware: Impact to Servers and Countermeasures]
Ransomware may be plateauing, but its destructive impact poses significant risks to users and businesses. In June 2017, for instance, a South Korean company incurred losses of at least US$1 million when more than a hundred of its Linux servers were affected by the Erebus ransomware. There’s also the server-targeting Samsam ransomware, which has been a perennial threat especially to the healthcare, education, and transportation industries.
All it could take is a single vulnerable or exposed gateway, network, endpoint, or server for ransomware to affect many systems and devices. Users and organizations should thus proactively practice security hygiene, which includes:
- Regular backups of data
- Updated programs, applications, and operating systems (or use of virtual patching for legacy systems)
- Caution against unsolicited emails
- Restriction or secure use of system administration tools
- Defense in depth, or security at each layer of a system or server, such as sandboxing, behavior monitoring, application control, and firewall
Trend Micro Ransomware Solutions
Enterprises can benefit from a multilayered approach to best mitigate the risks brought by ransomware such as NamPoHyu Virus aka MegaLocker Virus. At the endpoint level, Trend Micro Smart Protection Suites deliver several capabilities like high-fidelity machine learning, behavior monitoring and application control, and vulnerability shielding that minimize the impact of this threat. Trend Micro Deep Discovery Inspector detects and blocks ransomware on networks, while Trend Micro™ Deep Security™ stops ransomware from reaching enterprise servers — whether physical, virtual, or in the cloud. Trend Micro™ Deep Security™, Vulnerability Protection, and TippingPoint provide virtual patching that protects endpoints from threats that exploit unpatched vulnerabilities to deliver ransomware.
Email and web gateway solutions such as Trend Micro™ Deep Discovery™ Email Inspector and InterScan™ Web Security prevent ransomware from ever reaching end users. Trend Micro’s Cloud App Security (CAS) can help enhance the security of Office 365 apps and other cloud services by using cutting-edge sandbox malware analysis for ransomware and other advanced threats.
These solutions are powered by Trend Micro XGen™ security, which provides a cross-generational blend of threat defense techniques against a full range of threats for data centers, cloud environments, networks, and endpoints. Smart, optimized, and connected, XGen™ powers Trend Micro’s suite of security solutions: Hybrid Cloud Security, User Protection, and Network Defense.
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.
- Ransomware Spotlight: TargetCompany
- Email Threat Landscape Report: Cybercriminal Tactics, Techniques That Organizations Need to Know
- Preventing an Imminent Ransomware Attack With Early Detection and Investigation
- Inside the Halls of a Cybercrime Business
- Securing Cloud-Native Environments with Zero Trust: Real-World Attack Cases