DXXD Ransomware, displays legal notice and encrypts files on unmapped network shares

Share this…

The DXXD ransomware specifically targets servers and is able to encrypt files on network shares even if they haven’t been mapped.

Malware continues to evolve, the last threat in order of time that implemented a singular feature is the DXXD ransomware.  The peculiarities of this threat is that it encrypts also file on network shares, even if they are, unmapped ( a feature already implemented by the Locky ransomware) and displays a legal notice.

The DXXD ransomware appends the. dxxd extension to the encrypted files, then it leaves a ransom note onto the infected machine. The DXXD ransom note contains instructions for the victims that need to contact rep_stosd@protonmail.com or rep_stosd@tuta.io.to the encrypted files, then it leaves a ransom note onto the infected machine. The DXXD ransom note contains instructions for the victims that need to contact rep_stosd@protonmail.com or rep_stosd@tuta.io.

Another interesting feature of the malware is its ability to configure a Windows Registry setting in order to display a sort of  “legal notice” when people log into a computer. The VXers used this feature to allow a user who tries to login to the server to see the ransom note.

The DXXD ransomware changes the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption registry key and the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText to display the following note.

“When you start Windows, Windows Defender works to help protect your PC by scanning for malicious or unwanted software.”

dxxd ransomware legal-notice

It is still unclear the infection vector, Abrams speculate the threat is spread by abusing Remote Desktop Services.

“Based on information discovered, I believe that the ransomware developer is hacking into servers using Remote Desktop Services and brute forcing passwords. If you have been affected by the DXXD Ransomware, you should reset all the passwords for the affected machine.” wrote Lawrence Abrams.

According to Abrams, the author of the DXXD ransomware decided to taunt victims and experts who help victims by creating an account on BleepingComputer and claiming that a newer version of the threat it is more difficult to decrypt. The developer also claimed to have exploited a zero-day vulnerability to compromise servers and deliver the malware.

dxxd ransomware developer-no-rdp

As usual, let me discourage from paying the ransomware because there is no guarantee that you will receive back your files. Don’t forget to back up your data frequently and use anti-malware solutions. In the specific case, it could be better to disable Remote Desktop Protocol (RDP) and files running from AppData/LocalAppData folders.

Source:https://securityaffairs.co/