The TeamXRat Hacking Group Targets Hospitals and Organizations in Its Own Country
Brazilians are no strangers to cybercrime. In fact, researchers from Kaspersky reckon that Brazilian hackers have been responsible for quite a few malware strains. Until not that long ago, they were especially good at producing banking Trojans. In recent months, however, threat actors around the globe have been replacing banking Trojans with ransomware because of the lower overhead, the instant monetization, and the relative anonymity of Bitcoin payments. Not surprisingly, the Brazilians are trying to keep up with the trend.
Kaspersky was alerted by a Brazilian hospital to a new strain of ransomware produced by the TeamXRat (a/k/a CorporacaoXRat) hacking group. Dubbed Xpan, the ransomware is specifically aimed at Brazilian hospitals and other relatively large organizations, where the value of the data held on the machines (patient records, etc.) increases the chance that the victim pays.
When activated, Xpan scans the system and encrypts almost all of the files. It then creates a registry entry that displays the ransom note every time a user tries to open an encrypted file. Victims are urged to contact the hackers via email. Not surprisingly, the communication is in Portuguese, and the threat actors try to convince infected users that the purpose of the attack is to encourage the hacked institution to improve the security of its systems, which is a blatant lie. The hackers are after the money, not the greater good of Brazilian hospitals and their patients.
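A quick triage check for the registry trick described above, added here as an example and not taken from Kaspersky's report. It assumes the note is wired in through a file-type association under HKEY_CLASSES_ROOT (the extension key's default value names a ProgID, and that ProgID's shell\open\command launches the program that shows the note); the article does not spell out the exact key. The .reg export below is constructed, and the ProgID name, binary name and path in it are invented. The script walks every extension association in such an export and reports handlers whose executable lives outside the usual trusted directories.

```python
import re

# Constructed .reg-style export for illustration only. The .txt handler is a
# normal association; the second pair of keys shows the assumed ransomware
# pattern with an invented ProgID ("xratteamLucked_file") and binary path.
SAMPLE_REG = r"""
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.txt]
@="txtfile"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="%SystemRoot%\\system32\\NOTEPAD.EXE %1"

[HKEY_CLASSES_ROOT\.___xratteamLucked]
@="xratteamLucked_file"

[HKEY_CLASSES_ROOT\xratteamLucked_file\shell\open\command]
@="\"C:\\Users\\Public\\xpan.exe\" \"%1\""
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
DEFAULT_RE = re.compile(r'^@="(.*)"$')


def parse_reg_defaults(reg_text):
    """Map each key (lower-cased) in a .reg export to its unescaped default
    value, and remember the key's original spelling for reporting."""
    defaults, names = {}, {}
    key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            key = m.group(1).lower()
            names[key] = m.group(1)
            continue
        m = DEFAULT_RE.match(line)
        if m and key is not None:
            # .reg files escape backslashes and double quotes with a backslash
            defaults[key] = re.sub(r"\\(.)", r"\1", m.group(1))
    return defaults, names


def executable_of(command):
    """Return the program path from a shell open command string."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split()[0]


def suspicious_open_handlers(reg_text, trusted_prefixes=("c:\\windows\\", "c:\\program files")):
    """List extension associations whose open handler is outside trusted dirs.
    %SystemRoot% is assumed to expand to C:\\Windows."""
    defaults, names = parse_reg_defaults(reg_text)
    findings = []
    for key, progid in defaults.items():
        if not key.startswith("hkey_classes_root\\."):
            continue                                   # not an extension key
        ext = names[key].split("\\", 1)[1]
        cmd = defaults.get(f"hkey_classes_root\\{progid.lower()}\\shell\\open\\command")
        if cmd is None:
            continue                                   # no open verb registered
        exe = executable_of(cmd).lower().replace("%systemroot%", "c:\\windows")
        if not exe.startswith(trusted_prefixes):
            findings.append({"extension": ext, "progid": progid, "command": cmd})
    return findings


if __name__ == "__main__":
    for f in suspicious_open_handlers(SAMPLE_REG):
        print(f"{f['extension']} -> {f['progid']}: {f['command']}")
```

On a live machine the same logic can be run over `reg export HKCR` output; anything that points at a user-writable directory such as a profile or Public folder deserves a look, whatever the extension.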
That said, Brazilian enterprises reading this might want to consider a few actions to secure their systems. Xpan's infection vector doesn't involve malicious email attachments or drive-by downloads. Instead, the attackers brute-force their way into the network over the Remote Desktop Protocol (RDP) and install the malware manually.
Because so many people use easy-to-guess passwords, this intrusion method is becoming more and more popular. Strong, unique login credentials are perhaps the most basic security precaution, but against this particular attack they are extremely effective, as are not exposing RDP directly to the internet and locking accounts after repeated failed logons. Even if the infection has already happened, affected institutions shouldn't rush to pay the ransom.
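Brute-forcing RDP is noisy, and the noise lands in the Windows Security log: every failed logon is event 4625, every successful one 4624, and logon type 10 marks a remote interactive (RDP) session. The following detector is an added example, not part of the original article or of Kaspersky's research. It reads a constructed, simplified one-event-per-line export (not the real EVTX format), counts failed RDP logons per source address inside a sliding window, and records whether the same address then logged on successfully, which is the moment the attacker is in and about to install the malware by hand.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, one event per line. 4625 = failed logon, 4624 = logon
# succeeded, LogonType 10 = RemoteInteractive (RDP). Addresses are from the
# documentation ranges; account names are invented.
SAMPLE_LOG = """\
2016-09-20T02:14:05 EventID=4625 LogonType=10 TargetUserName=administrador SourceIp=203.0.113.45
2016-09-20T02:14:06 EventID=4625 LogonType=10 TargetUserName=administrador SourceIp=203.0.113.45
2016-09-20T02:14:07 EventID=4625 LogonType=10 TargetUserName=admin SourceIp=203.0.113.45
2016-09-20T02:14:08 EventID=4625 LogonType=10 TargetUserName=admin SourceIp=203.0.113.45
2016-09-20T02:14:09 EventID=4625 LogonType=10 TargetUserName=administrador SourceIp=203.0.113.45
2016-09-20T02:14:10 EventID=4625 LogonType=10 TargetUserName=administrador SourceIp=203.0.113.45
2016-09-20T02:14:20 EventID=4624 LogonType=10 TargetUserName=administrador SourceIp=203.0.113.45
2016-09-20T03:00:00 EventID=4625 LogonType=10 TargetUserName=joao SourceIp=198.51.100.7
2016-09-20T03:05:30 EventID=4625 LogonType=10 TargetUserName=joao SourceIp=198.51.100.7
2016-09-20T08:30:00 EventID=4625 LogonType=2 TargetUserName=maria SourceIp=-
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<ltype>\d+) "
    r"TargetUserName=(?P<user>\S+) SourceIp=(?P<ip>\S+)$"
)


def parse_events(log_text):
    """Parse the simplified export into dicts, oldest first; skip malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append({
                "ts": datetime.fromisoformat(m["ts"]),
                "eid": int(m["eid"]),
                "ltype": int(m["ltype"]),
                "user": m["user"],
                "ip": m["ip"],
            })
    return sorted(events, key=lambda e: e["ts"])


def detect_rdp_bruteforce(log_text, threshold=5, window_minutes=5):
    """Flag source IPs with at least `threshold` failed RDP logons inside a
    sliding window of `window_minutes`. For a flagged IP, also record the
    first successful RDP logon that follows the failures."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(list)   # ip -> failure timestamps still inside the window
    total = defaultdict(int)     # ip -> every RDP failure seen
    users = defaultdict(set)     # ip -> account names tried
    alerts = {}
    for ev in parse_events(log_text):
        if ev["ltype"] != 10 or ev["ip"] == "-":
            continue             # console, network or service logon: not RDP
        ip = ev["ip"]
        if ev["eid"] == 4625:
            total[ip] += 1
            users[ip].add(ev["user"])
            cutoff = ev["ts"] - window
            recent[ip] = [t for t in recent[ip] if t >= cutoff] + [ev["ts"]]
            if len(recent[ip]) >= threshold:
                a = alerts.setdefault(ip, {"failures": 0, "users": set(),
                                           "success_after_failures": None})
                a["failures"] = total[ip]
                a["users"] = set(users[ip])
        elif ev["eid"] == 4624 and ip in alerts and \
                alerts[ip]["success_after_failures"] is None:
            alerts[ip]["success_after_failures"] = (ev["user"], ev["ts"])
    return alerts


if __name__ == "__main__":
    for ip, a in detect_rdp_bruteforce(SAMPLE_LOG).items():
        print(ip, a["failures"], "failures against", sorted(a["users"]),
              "then success:", a["success_after_failures"])
```

The threshold and window are the knobs to tune: a slow attacker spacing attempts minutes apart slips under a five-minute window, which is why the second address in the sample is only caught when the window is widened. A success following a burst of failures from one address should page someone, not just log a line.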
Earlier versions of TeamXRat's ransomware were based on Xorist. They used the fairly simple Tiny Encryption Algorithm (TEA), and security experts cracked them easily. In its more recent incarnations, Xpan uses AES-256 instead. A stronger cipher on its own doesn't make the files unrecoverable, though; what matters is how the keys are generated and handled.
There are two versions: the first appends the ".___xratteamLucked" (three underscores) extension to the encrypted files, and the second uses ".____xratteamLucked" (four underscores). The two versions work in slightly different ways, but Kaspersky's experts say that both can be cracked. Instead of paying the ransom, victims should first seek help from the experts and look for ways of retrieving their files for free.