Russian anti-virus company Doctor Web has issued a warning about an active ransomware campaign carried out through brute-force attacks over RDP against target machines.
Once connected to the victim’s PC, the cyber-criminals deploy a variant of the ArchiveLock Trojan, which uses the popular archiver WinRAR to encrypt all files located on the system.
“Trojan.ArchiveLock.20 creates a list of files to be encrypted, empties the Recycle Bin, and deletes all backups stored on the computer. The Trojan uses the console version of WinRAR to place files on the compiled list into password-protected, self-extracting archives and employs a special utility to delete original files, after which they simply can’t be restored,” researchers at Dr. Web explain in an article.
“A significant number of systems have now been compromised by the Trojan in Spain and France: over the past 48 hours, Doctor Web’s technical support has gotten dozens of requests from people whose files have been encrypted by Trojan.ArchiveLock.20, and such requests are still being received,” they added.