After analyzing the infected systems of the company that suffered damage from the recent Lockis ransomware infection, the ASEC analysis team discovered that the attacker executed the ransomware after RDP accessing the infected systems with local Administrator accounts.
An investigation of local Administrator information of the infected systems showed that their passwords have not been changed for 1-2 years and that they were all set with the same password.
Furthermore, upon decrypting the NTLM Hash, the team discovered that the password of the Administrator account was `1qazxcv in plain text.
This password string meets the standards for complexity as it includes alphabetical characters, numbers, and special characters. However, as this is a frequently-used password pattern, it can be classified as an unsafe password as it is easy to guess.
Although the company was running Microsoft ActiveDirectory, local Administrator accounts were enabled in all infected systems, allowing the attacker to RDP access via the local Administrator accounts.
Unfortunately, as this company immediately formatted and reused the system without storing the breached system, the team could not figure out the extent of damage, the breach path of the attacker, how the local Administrator account was obtained, etc. However, judging from the situation and the traces of the breach, it appears that the attacker obtained the local Administrator account after succeeding to hack the internal system, then scan for systems that are available for RDP access via the local Administrator account using the Network Scanner tool and ran the ransomware after RDP access.
Past analysis experiences of various breach cases show that many other companies also set the same, unchanged password for internally-operated servers or IT devices distributed to the employees for convenient management. To reduce such damages, it is necessary to set different passwords for admin accounts for each device and change them regularly. It is also important to constantly monitor the admin account verification history for any suspicious access via monitoring.
Conclusion
- For the safety, it is advised to disable local Administrator accounts.
- Passwords for the admin accounts of each system should be different.
- The maximum use period for passwords should be set to three months or below, and complexity of the passwords must be enhanced.
- Verification history of accounts with admin privilege must be frequently monitored.
- Disk and memory of the breached systems should be stored separately or imaged before formatting.
[File Detection]
- Trojan/Win32.FileCoder
- HackTool/Win.ProcHack
- HackTool/Win.NetScan
- HackTool/Win.Disabler
- Trojan/BAT.Delete
[Relevant IOC Info]
- 58c8c8c3038a5fbca2202248a1101da0
- 48755f2d10f7ff1050fbd081f630aaa3
- 230c143d283842061b14967d4df972d0
- 0a50081a6cd37aea0945c91de91c5d97
- 116e1e7a0c8d3ff9175b87927d188835
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.
Categories:Malware Information
[…] Cases of attacks using RDP are commonly found in APT attacks in particular. In the ASEC blog post “Case of Ransomware Infection in a Company Using Local Administrator Accounts Set with Same Password,” the team covered a case where the attacker obtained the credentials of the local administrator of the target system before connecting to it using RDP and installing the Lockis ransomware.[1] […]