Light Dark
April 23, 2019 By David Bisson 2 min read

Security researchers discovered that a new DLL CryptoMix ransomware variant is reportedly using Windows Remote Desktop Services (RDS) to install itself on unsuspecting users’ machines.

Bleeping Computer first learned about the ransomware when someone revealed in its forums that they had suffered an infection. The user went on to note how those responsible for the attack had exploited their machine’s publicly exposed RDS to infiltrate their computer and install the DLL CryptoMix variant. As part of this infection chain, the attackers also apparently enabled the computer’s default admin account and changed its password.

The sample analyzed by Bleeping Computer modified each file it encrypted by appending the .DLL extension to its file name. It then saved a ransom note to the compromised machine informing the victim to send their infection ID number to multiple email addresses, such as dllteam@protonmail[dot]com, dllpc@mail[dot]com and others. The attackers promised in their note that they would send over payment instructions immediately upon hearing from the victim at all of these email addresses.

The Changing Face of CryptoMix

At the beginning of the year, Coveware observed a similar CryptoMix attack that claimed all ransom payments would go to a fictitious children’s charity. And in March, Bleeping Computer spotted a variant using .CLOP or .CIOP extensions as it apparently shifted its focus to target entire networks instead of individual computers.

This attack also comes amid the growing costs associated with a ransomware attack. In April, Coveware observed that the average payment associated with ransomware in Q1 2019 had risen to $12,762 — an 89 percent increase from Q4 2018’s average of $6,733.

How to Defend Against DLL CryptoMix

Security professionals can help defend their organizations against a DLL CryptoMix infection by implementing a robust data backup strategy and vetting backup policies, including regular testing to make sure the organization can obtain viable backups. Security teams should also use an endpoint management solution to ensure all endpoints’ software is up to date and to acquire greater visibility into the production environment.

 |  |  |  |  |  |  | 
David Bisson
Contributing Editor

More from

November 4, 2024

Cyberattack on American Water: A warning to critical infrastructure

3 min read - American Water, the largest publicly traded United States water and wastewater utility, recently experienced a cybersecurity incident that forced the company to disconnect key systems, including its customer billing platform. As the company’s investigation continues, there are growing concerns about the vulnerabilities that persist in the water sector, which has increasingly become a target for cyberattacks. The breach is a stark reminder of the critical infrastructure risks that have long plagued the industry. While the water utility has confirmed that…

November 1, 2024

What’s behind unchecked CVE proliferation, and what to do about it

4 min read - The volume of Common Vulnerabilities and Exposures (CVEs) has reached staggering levels, placing immense pressure on organizations' cyber defenses. According to SecurityScorecard, there were 29,000 vulnerabilities recorded in 2023, and by mid-2024, nearly 27,500 had already been identified.Meanwhile, Coalition's 2024 Cyber Threat Index forecasts that the total number of CVEs for 2024 will hit 34,888—a 25% increase compared to the previous year. This upward trend presents a significant challenge for organizations trying to manage vulnerabilities and mitigate potential exploits.What’s behind…

October 31, 2024

Quishing: A growing threat hiding in plain sight

4 min read - Our mobile devices go everywhere we go, and we can use them for almost anything. For businesses, the accessibility of mobile devices has also made it easier to create more interactive ways to introduce new products and services while improving user experiences across different industries. Quick-response (QR) codes are a good example of this in action and help mobile devices quickly navigate to web pages or install new software by simply scanning an image.However, legitimate organizations aren’t the only ones…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature