
NamPoHyu encrypter provides remote encryption of Samba servers

By Roman Sologub

A new encrypter family called NamPoHyu Virus or MegaLocker Virus attacks its victims somewhat differently from other encrypters. Instead of running the encrypter on the victim's computer, the attackers run it on their own systems and let it encrypt Samba servers that are reachable over the Internet.

Traditional encrypters are usually delivered to victims' computers via phishing emails, removable storage devices and the like. In this case, the encrypter searches for reachable Samba servers, brute-forces their passwords and then encrypts their files remotely over the SMB connection, so nothing malicious ever has to run on the victim's own hosts.

Samba is an open-source implementation of the Server Message Block (SMB) network protocol, used to provide services such as file and print sharing. It runs on most Unix and Unix-like operating systems and lets those systems serve Windows clients.

BleepingComputer researchers report, based on data from the Shodan search engine, that around 500,000 Samba servers are currently publicly accessible and unprotected.


Accessible Samba servers worldwide

In Ukraine, ISSP researchers found 739 accessible Samba servers. The organizations with the largest number of exposed servers include Ukrtelecom, Triolan, Kyivstar, Uarnet and NTUU "KPI".


Search data of accessible Samba servers in Ukraine

During encryption, the extension .NamPoHyu is appended to the name of each encrypted file, and a ransom note named !DECRYPT_INSTRUCTION.TXT is created.


Encrypted files

Ransom demand file
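Those two indicators are enough to check a share from the server side. The following script is an added example, not code from the original post or from ISSP: it walks the export directory of a Samba share and reports encrypted files, ransom notes and the directories they touch. The share layout it builds is constructed sample data, and the file names under it are hypothetical.

```python
"""Scan the export path of a Samba share for NamPoHyu indicators."""
import os
import tempfile
from pathlib import Path

RANSOM_NOTE = "!DECRYPT_INSTRUCTION.TXT"  # ransom note name reported for this family
ENCRYPTED_EXT = ".NamPoHyu"                # extension appended to encrypted files


def scan_share(root):
    """Walk `root` and return sorted lists of encrypted files, ransom notes and
    the affected directories (paths relative to `root`), so the blast radius
    can be sized before the share is taken offline."""
    root = Path(root)
    encrypted, notes, dirs = [], [], set()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            rel = (Path(dirpath) / name).relative_to(root)
            # Compare case-insensitively: SMB clients may create names in any case.
            if name.upper() == RANSOM_NOTE.upper():
                notes.append(rel.as_posix())
                dirs.add(rel.parent.as_posix())
            elif name.lower().endswith(ENCRYPTED_EXT.lower()):
                encrypted.append(rel.as_posix())
                dirs.add(rel.parent.as_posix())
    return {"encrypted": sorted(encrypted), "notes": sorted(notes),
            "dirs": sorted(dirs)}


def build_sample_share():
    """Create a constructed sample share in a temporary directory (hypothetical
    file names, not real victim data) and return its path."""
    tmp = tempfile.mkdtemp(prefix="samba-share-")
    layout = {
        "finance/report.xlsx.NamPoHyu": b"encrypted",
        "finance/!DECRYPT_INSTRUCTION.TXT": b"ransom note",
        "finance/todo.txt": b"untouched",
        "hr/contract.docx.NamPoHyu": b"encrypted",
        "hr/!DECRYPT_INSTRUCTION.TXT": b"ransom note",
        "public/readme.txt": b"untouched",
    }
    for rel, data in layout.items():
        target = Path(tmp) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return tmp


if __name__ == "__main__":
    hits = scan_share(build_sample_share())
    for key in ("encrypted", "notes", "dirs"):
        print(f"{key}: {hits[key]}")
```

Run it against the real export path (the `path =` of each share in smb.conf) rather than through a mounted SMB client, so the scan does not depend on the same credentials the attacker brute-forced; a non-empty result is the cue to stop smbd before restoring from backup.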

Recommendations

To protect against this type of encrypter, follow these recommendations:

- make backup copies of your systems, and keep them off the file shares themselves (a backup that sits on a reachable share is encrypted together with everything else);

- close all unused ports on your systems;

- do not expose remote-access services (SMB/Samba file shares, remote desktop) directly to the Internet; make them reachable only through a VPN;

- update all potentially vulnerable applications;

- continuously monitor your network for abnormal activity;

- use software for behavioural threat detection and application whitelisting.
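For a Samba server these recommendations come down to a handful of smb.conf settings. The following added example, not ISSP's code, audits an smb.conf for the settings that let an Internet-facing Samba server be found, brute-forced and written to, and puts a weak configuration next to a hardened one. Both configuration texts are constructed for the example, and the paths, interface names, address ranges and group names in them are hypothetical.

```python
"""Audit an smb.conf for settings that expose a Samba server to remote encryption."""
import configparser

TRUE_WORDS = {"yes", "true", "1"}
SMB1_DIALECTS = {"", "CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1"}


def as_bool(value, default):
    """Samba booleans: yes/true/1 vs no/false/0; `default` when unset."""
    return default if value is None else value.strip().lower() in TRUE_WORDS


def share_is_writable(sec):
    # "writable"/"writeable" are synonyms for the inverse of "read only" (default yes).
    if "read only" in sec:
        return not as_bool(sec.get("read only"), True)
    for key in ("writable", "writeable"):
        if key in sec:
            return as_bool(sec.get(key), False)
    return False


def audit_smb_conf(text):
    """Return a list of (section, parameter, problem) tuples; empty means clean."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   empty_lines_in_values=False,
                                   inline_comment_prefixes=("#", ";"))
    cp.read_string(text)
    g = cp["global"] if cp.has_section("global") else {}
    findings = []
    map_to_guest = g.get("map to guest", "Never").strip().lower()
    if map_to_guest != "never":  # failed logins fall back to guest instead of failing
        findings.append(("global", "map to guest",
                         f"'{map_to_guest}' turns failed logins into guest sessions"))
    if "hosts allow" not in g and not as_bool(g.get("bind interfaces only"), False):
        findings.append(("global", "hosts allow",
                         "no host or interface restriction: port 445 answers any network that reaches it"))
    if g.get("server min protocol", "").strip().upper() in SMB1_DIALECTS:
        findings.append(("global", "server min protocol",
                         "SMB1 not disabled (unset, or set below SMB2; Samba before 4.11 defaults to NT1)"))
    global_guest = as_bool(g.get("guest ok", g.get("public")), False)
    for name in cp.sections():
        if name == "global":
            continue
        sec = cp[name]
        guest = next((as_bool(sec.get(k), False) for k in ("guest ok", "public") if k in sec),
                     global_guest)
        if guest and share_is_writable(sec):
            findings.append((name, "guest ok", "anonymous write access: all a remote encrypter needs"))
        elif guest:
            findings.append((name, "guest ok", "anonymous read access exposes the share contents"))
    return findings


# Constructed weak configuration: guest fallback, no host restriction, SMB1 allowed,
# and an anonymous writable share.
WEAK_CONF = """\
[global]
   security = user
   map to guest = Bad User
[public]
   path = /srv/samba/public
   guest ok = yes
   read only = no
[finance]
   path = /srv/samba/finance
   valid users = @finance
   writable = yes
"""

# Constructed hardened configuration: no guest fallback, SMB2 or newer only, bound to
# the internal interface, allow-listed networks, and every share behind a user list.
HARDENED_CONF = """\
[global]
   security = user
   map to guest = Never
   server min protocol = SMB2
   interfaces = lo eth1
   bind interfaces only = yes
   hosts allow = 10.0.0.0/8 127.0.0.1
   hosts deny = ALL
   guest ok = no
[public]
   path = /srv/samba/public
   valid users = @staff
   read only = yes
[finance]
   path = /srv/samba/finance
   valid users = @finance
   read only = no
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_smb_conf(conf) or "no findings")
```

The audit reads the file through Python's configparser, which is close enough to smb.conf's ini syntax for these parameters; for authoritative parsing run `testparm -s` and feed its output in. The hardening still does not stop password guessing against the accounts that remain valid; for the tdbsam backend pair it with lockout policies, e.g. `pdbedit -P "bad lockout attempt" -C 5` and `pdbedit -P "lockout duration" -C 30`, and with strong passwords for every `valid users` entry.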

Copyright © 2020 ISSP. All rights reserved.