
NamPoHyu Ransomware

Posted: April 17, 2019

The NamPoHyu Ransomware is an update of the MegaLocker Ransomware that searches for servers with weak login credentials and encrypts their files remotely. Victims should ignore the instructions in the ransom note it drops, since there is a reasonable chance that their files can be recovered for free. Rigorous password hygiene is the first line of defense against this campaign; anti-malware products can protect your PC against other intrusion methods and should identify and remove the NamPoHyu Ransomware if it changes its strategy.

MegaLocker Ransomware Re-Brands Itself

Although it's unclear what prompted the update, the MegaLocker Ransomware campaign that extorts money from website owners is changing its name, along with some of its ransoming infrastructure and preferred targets. The new version, the NamPoHyu Ransomware, is making a point of targeting Samba servers, Samba being the open-source implementation of the SMB file-sharing protocol that runs on Linux and other Unix-like systems. The attacks appear opportunistic: malware experts are connecting them to brute-forcing attempts that are only viable against victims without secure passwords.

The NamPoHyu Ransomware runs its brute-forcing routine against seemingly random targets from that pool until it 'guesses' a valid set of login credentials. It then uses that access to encrypt the server's contents remotely with AES, one of the algorithms most favored by file-locking Trojans. As a finale, it drops a text file with its Bitcoin ransom demands, which ask a relatively affordable price from individuals and a much higher one from businesses. Another minor change is the addition of a link to a TOR site that publishes the threat actor's e-mail address, again for reasons that malware experts can speculate about but can't verify.
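The two events that matter to a defender are the burst of failed SMB logins and the successful login that follows it, because the second one is the moment remote encryption can begin. The detector below is an added example, not code from the original article: it counts failures per source address in a sliding window over Samba's per-attempt JSON authentication records (written when smb.conf sets `log level = auth_audit:3` on Samba 4.7 or later) and raises a higher-severity alert when a source that was guessing then authenticates. The sample log lines are constructed for this example and only modelled on that format; the field names (`remoteAddress`, `clientAccount`, `status`) are an assumption to verify against your own server's log before relying on them.

```python
"""Spot SMB password guessing, and a guess that succeeded, in a Samba auth log.

Added example, not code from the original article. Samba 4.7+ can write one
JSON record per authentication attempt when smb.conf sets
`log level = auth_audit:3`; the records used here are CONSTRUCTED for this
example and only modelled on that format, so the field names are an assumption
to verify against a real server's log before relying on them.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # how long a failure counts toward a burst
THRESHOLD = 5                    # failures from one source IP inside WINDOW


def make_event(ts, ip, account, status, port=51234):
    """Build one constructed auth_audit-style log line (not a real Samba record)."""
    rec = {"timestamp": ts, "type": "Authentication",
           "Authentication": {"version": {"major": 1, "minor": 0}, "status": status,
                              "localAddress": "ipv4:10.0.0.5:445",
                              "remoteAddress": f"ipv4:{ip}:{port}",
                              "serviceDescription": "SMB2", "clientDomain": "WORKGROUP",
                              "clientAccount": account, "passwordType": "NTLMv2"}}
    return "  JSON Authentication: " + json.dumps(rec)


def parse_auth_event(line):
    """Return the Authentication record (with a parsed 'ts') or None for other lines."""
    start = line.find("{")
    if start < 0:
        return None
    try:
        rec = json.loads(line[start:])
    except ValueError:
        return None
    auth = rec.get("Authentication")
    if rec.get("type") != "Authentication" or not isinstance(auth, dict):
        return None
    auth = dict(auth)
    auth["ts"] = datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
    return auth


def remote_ip(addr):
    """'ipv4:203.0.113.7:51234' -> '203.0.113.7' (also 'ipv6:2001:db8::1:51234')."""
    parts = addr.split(":")
    return ":".join(parts[1:-1])


def detect_bruteforce(lines, threshold=THRESHOLD, window=WINDOW):
    """Return alerts: 'high' when an IP reaches `threshold` failures inside `window`,
    'critical' when such an IP then authenticates successfully (a guessed password,
    which is the moment NamPoHyu-style remote encryption can begin)."""
    recent = defaultdict(deque)   # ip -> deque of (ts, account) failures inside window
    reported = set()              # ips already reported for the current burst
    alerts = []
    for line in lines:
        ev = parse_auth_event(line)
        if ev is None:
            continue
        ip = remote_ip(ev["remoteAddress"])
        q = recent[ip]
        while q and ev["ts"] - q[0][0] > window:   # drop failures that aged out
            q.popleft()
        if ev["status"] == "NT_STATUS_OK":
            if len(q) >= threshold:
                alerts.append({"severity": "critical", "ip": ip, "account": ev["clientAccount"],
                               "reason": f"successful login after {len(q)} failures in window"})
            q.clear()                 # a success ends the burst either way
            reported.discard(ip)
            continue
        q.append((ev["ts"], ev["clientAccount"]))
        if len(q) >= threshold and ip not in reported:
            reported.add(ip)
            accounts = {a for _, a in q}
            alerts.append({"severity": "high", "ip": ip, "account": None,
                           "reason": f"{len(q)} failures in {int(window.total_seconds())}s "
                                     f"against {len(accounts)} account(s)"})
    return alerts


# Constructed sample: one benign user with a typo, one guessing host that succeeds.
T = "2019-04-17T10:00:{:02d}.000000+0000"
SAMPLE_LOG = [
    "[2019/04/17 10:00:00.000000,  3] ../auth/auth_log.c: not a JSON record",  # skipped
    make_event(T.format(0), "203.0.113.7", "admin", "NT_STATUS_WRONG_PASSWORD"),
    make_event(T.format(2), "192.0.2.10", "alice", "NT_STATUS_WRONG_PASSWORD"),
    make_event(T.format(5), "203.0.113.7", "root", "NT_STATUS_NO_SUCH_USER"),
    make_event(T.format(10), "203.0.113.7", "samba", "NT_STATUS_NO_SUCH_USER"),
    make_event(T.format(15), "203.0.113.7", "backup", "NT_STATUS_WRONG_PASSWORD"),
    make_event(T.format(18), "192.0.2.10", "alice", "NT_STATUS_OK"),
    make_event(T.format(20), "203.0.113.7", "admin", "NT_STATUS_WRONG_PASSWORD"),
    make_event(T.format(25), "203.0.113.7", "admin", "NT_STATUS_WRONG_PASSWORD"),
    make_event(T.format(30), "203.0.113.7", "admin", "NT_STATUS_OK"),
]

if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_LOG):
        print(a["severity"].upper(), a["ip"], a["account"] or "-", a["reason"])
```

Run against the sample, it reports one 'high' alert for 203.0.113.7 when the fifth failure lands (four distinct accounts tried) and one 'critical' alert when the same address logs in as `admin`; the single typo from 192.0.2.10 stays below the threshold. A slow guesser spacing attempts further apart than the window is deliberately not caught by this rule, which is why the threshold and window should be tuned to your own log, and why a lockout policy on the server is the complementary control.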

This new version of the MegaLocker Ransomware has no substantial upgrades to how it encrypts data and blocks files. Unlike with most file-locker Trojans, it's possible that a free decryption service will help victims with data recovery. Victims should be prepared to provide samples, such as the ransom note and encrypted files, to interested cyber-security researchers to support that research.

Stopping the NamPoHyu Ransomware from Scoring a 'Mega' Ransom

Site administrators should use secure passwords that a threat actor's brute-force tools can't break in practice, which means avoiding default, short or low-complexity credentials. Disabling remote-access features that aren't needed, such as RDP (Remote Desktop Protocol), closing ports that don't need to stay open (for a Samba server, SMB on TCP 445 and NetBIOS on 139 should never face the Internet), and requiring a VPN for remote access will all lower the risk to any server. While eliminating every infection vector isn't possible, the NamPoHyu Ransomware targets convenient, unprotected servers, and its attacks should be easily preventable.
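The following smb.conf fragments are an added illustration, not configuration from the original article or from the Samba project's documentation: the first shows the kind of exposed, guest-tolerant share that a credential-guessing campaign preys on, the second the same share restricted to one network interface and address range, with anonymous access refused, SMB1 disabled, encryption required and per-attempt authentication logging switched on. The interface name, address range, share path and group name are assumptions for the example.

```ini
; --- WEAK: what an opportunistic SMB brute-forcer hopes to find ---
[global]
   workgroup = WORKGROUP
   server min protocol = NT1          ; SMB1 still accepted
   map to guest = Bad User            ; a failed login is silently mapped to guest
   log level = 0                      ; failed logins never reach the log

[backup]
   path = /srv/backup                 ; assumed path
   guest ok = yes                     ; no credentials needed at all
   writable = yes

; --- HARDENED: same share, reachable only from the LAN, credentials required ---
[global]
   workgroup = WORKGROUP
   server min protocol = SMB3
   smb encrypt = required
   map to guest = Never
   restrict anonymous = 2
   ; bind to the loopback and internal interface only (eth1 is assumed)
   interfaces = lo eth1
   bind interfaces only = yes
   hosts allow = 127.0.0.1 10.0.0.0/255.255.255.0
   hosts deny = ALL
   ; one JSON record per authentication attempt, which a detector can count
   log level = 1 auth_audit:3

[backup]
   path = /srv/backup
   guest ok = no
   valid users = @backupops           ; assumed group
   read only = yes                    ; a guessed account cannot overwrite what it can only read
```

Check the result with `testparm -s`, which prints the effective configuration and flags unknown parameters. `read only = yes` only protects shares that nobody needs to write to; for the rest, the control against guessing is a lockout policy, which on a standalone server using the tdbsam backend can be set with `pdbedit -P "bad lockout attempt" -C 5`, and strong passwords for every account listed in `valid users`.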

Even though public decryption may be achievable, victims shouldn't gamble on that possibility. Most file-locking Trojans include additional measures that defeat convenient retrieval of files, such as removing locally-saved backups. Save your backups onto other, secure devices that the server's own credentials can't reach (a backup on the same share is encrypted along with everything else), and have anti-malware tools available for removing the NamPoHyu Ransomware in case a variant uses different exploits.

The NamPoHyu Ransomware only hurts those who are already hurting themselves by not taking proper care of their servers. Like the MegaLocker Ransomware before it, its attacks are mostly a problem for administrators who are unknowingly inviting them inside.
