On the afternoon of February 14, Bkav's virus surveillance system issued a warning about a targeted attack campaign by foreign hackers against public servers in Viet Nam. Notably, the hackers in this campaign attack only servers, unlike previous ransomware, which usually targeted workstations.
The addresses from which the attacks are launched are in Russia, Europe and America. The hackers have attacked many agencies and organizations in Viet Nam, broken into their servers and then encrypted all data on them. There are no accurate statistics yet, but according to Bkav's estimate, by the end of the afternoon of February 14 the number of victims may have reached hundreds of agencies and organizations.
The hackers scan for servers of agencies and organizations in Viet Nam that run the Windows operating system, then crack the passwords of these servers in a brute-force attack. If successful, they log in remotely via the remote desktop service and install ransomware on the victim's device.
The encrypted data includes text files, document files, database files, executable files, etc. Victims who want to retrieve their data must pay a ransom to the hackers. Unlike usual ransomware, the hackers do not disclose the amount victims have to pay, but require victims to contact them via email for specific discussion and agreement. According to Bkav's records, the hackers leave a different contact email on each server whose data has been encrypted.
Bkav has now added the W32.WeakPass ransomware sample to all versions of Bkav antivirus software, including the free version; administrators can download Bkav to scan and check their servers. However, to thoroughly prevent this type of attack, Bkav recommends that administrators immediately review all servers under their management, especially public servers on the Internet, set strong passwords for the servers, and turn off the remote desktop service on servers where it is not really necessary. If remote desktop is still needed, access must be limited by configuring remote access for fixed, known IPs only.
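As an aid to the server review recommended above, the following added example (not Bkav's code) flags remote desktop logons that follow a burst of failed logons from the same address, which is the trace the brute-force-then-login method described here would leave in the Windows Security log. The CSV column layout, the sample events, and the threshold and window values are assumptions; event IDs 4625/4624 and logon types 3 and 10 are the standard Windows values.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: Security-log logon events exported to CSV (assumed column layout).
# 4625 = failed logon, 4624 = successful logon. Logon type 10 = RemoteInteractive (RDP);
# type 3 = network logon, which is how failed RDP attempts appear when NLA is enabled.
SAMPLE_CSV = """\
time,event_id,logon_type,source_ip,account
2024-01-01T09:00:00,4625,3,203.0.113.50,Administrator
2024-01-01T09:00:20,4625,3,203.0.113.50,Administrator
2024-01-01T09:00:40,4625,3,203.0.113.50,admin
2024-01-01T09:01:00,4625,3,203.0.113.50,Administrator
2024-01-01T09:01:20,4625,3,203.0.113.50,Administrator
2024-01-01T09:01:40,4625,3,203.0.113.50,Administrator
2024-01-01T09:02:10,4624,10,203.0.113.50,Administrator
2024-01-01T09:30:00,4625,3,198.51.100.7,svc_backup
2024-01-01T09:30:30,4624,10,198.51.100.7,svc_backup
2024-01-01T10:00:00,4625,3,192.0.2.9,Administrator
2024-01-01T10:00:05,4625,3,192.0.2.9,Administrator
2024-01-01T10:00:10,4625,3,192.0.2.9,Administrator
2024-01-01T10:00:15,4625,3,192.0.2.9,Administrator
2024-01-01T10:00:20,4625,3,192.0.2.9,Administrator
"""

def find_bruteforce_logons(csv_text, threshold=5, window=timedelta(minutes=10)):
    """Return (source_ip, account, time) for each RDP logon preceded by at least
    `threshold` failed logons from the same address within `window`."""
    failures = defaultdict(list)   # source_ip -> times of failed logons
    hits = []
    rows = sorted(csv.DictReader(io.StringIO(csv_text)), key=lambda r: r["time"])
    for row in rows:
        when = datetime.fromisoformat(row["time"])
        ip = row["source_ip"]
        if row["event_id"] == "4625" and row["logon_type"] in ("3", "10"):
            failures[ip].append(when)
        elif row["event_id"] == "4624" and row["logon_type"] == "10":
            recent = [t for t in failures[ip] if when - t <= window]
            if len(recent) >= threshold:
                hits.append((ip, row["account"], row["time"]))
    return hits

if __name__ == "__main__":
    for ip, account, when in find_bruteforce_logons(SAMPLE_CSV):
        print(f"possible brute-forced RDP logon: {account} from {ip} at {when}")
```

A flagged logon is a reason to treat the server as possibly compromised and to check it; an address with many failures and no success (192.0.2.9 in the sample) is not flagged, but still shows the server is reachable by scanners.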