October is known as the Cyber Security Awareness Month. It is an annual campaign that tries to make everyone more conscious about the importance of cyber security in the online landscape.

Almost every day we read and find out about a new type of malware threatening our online security. Cyber criminals are getting more skilled and try advanced techniques to get access to users’ valuable data. It’s no surprise that 2017 is mostly shaped by a record number of ransomware attacks.

Unlike other forms of cyber attacks, ransomware remains one the most profitable malware attack for cybercriminals. A new report called “The Ransomware Economy”, mentioned that, from 2016 to 2017, “there has been a 2,502% increase in the sale of ransomware on the dark web.” Most likely, ransomware attacks will continue to grow and maintain their status as a serious global threat.

Our team has recently seen in the wild how online criminals try alternative ways to spread ransomware and compromise high-value targets. The bad guys now target admin passwords through brute force attacks and dictionary attacks.

What’s new in this type of angle attack is that online criminals hack into unprotected remote desktop protocols and manually execute the ransomware. Moreover, the main purpose is to use different pieces of software and remain unnoticed.

Brute-force attacks (also known as brute force cracking) are trial and error methods used by online criminals to guess users’ personal information such as passwords or PINs. Basically, they try every possible passwords or combinations of letters and numbers until they figure out the correct one.

Dictionary attacks refer to the techniques used to breach an authentication mechanism by systematically using each word in a dictionary (no matter the language) as a password or trying to determine the decryption key of an encrypted document or message.   

The differences between these two types of attacks

Both attacks are based on guessing, and not looking for a particular flaw or bypass. It can happen to be either an offline attack or an online attack.

In terms of differences, a brute force attack means cyber criminals are trying the complete keyspace on the algorithm, while a dictionary attack means that attackers try only passwords/keys from a dictionary (which does not contain the complete keyspace).

By using both methods, they increase their chances of success and shorten the time to compromise.

How the infection process occurs

We have seen a few situations in which users’ servers got infected with a new type of ransomware, called Payday. The attack unfolded as follows:

1. An administrator account password (usually it’s the local administrator) is cracked via brute-force. Here’s how it happens.

It’s a matter of a few minutes (approximately 8-9 minutes) until the script ran about one attempt per second to connect via Remote Desktop Protocol  (RDP) on the local admin on the server. This resulted in getting loads of audit failures cascading in the Event Viewer -> Security.

You can use this tool to evaluate the strength of your passwords as well, just like we did for the initial password.

Given how fast the attacker managed to crack the password, the natural conclusion is that it was either a very weak password – no special signs, no figures or a word written in a special way. Using full words made the password vulnerable to a dictionary attack, which led to its compromise.

Once again, we have to emphasize the importance of setting strong passwords and manage them securely, to avoid becoming an easy target for cyber criminals. We recommend reading our easy-to-use password security guide and learn why passwords are still important for your online security.

2. As soon as the password was cracked, the attacker simply downloaded an infected archive in the downloads account of the admin account. This type of malware used is called Payday and belongs to the BTCWare ransomware family.

The infected file created a few entries in the registry which would auto-execute each time the PC was rebooted. So, we think that the attacker just needed to restart the PC or to shut it down in order to trigger the encryption process.

Here’s how the created registry entries are displayed:

payday displayed

What we know about the Payday BTCware Ransomware Variant

This ransomware variant is targeting victims by trying to encrypt the files on the server. It adds the [email]-id-id.payday file extension after their original one. The .payday variant uses a new key generation to encrypt files, and cannot be decrypted.

The Payday infection drops ransom notes named payday.hta and !! RETURN FILES !!.txt. The contact email addresses look like these: & See below an example of a ransom note for this type of ransomware:

An example of a ransom note for brute-force attacksSource:

The malicious files spreading this ransomware variant on servers, may be distributed in different forms such as email attachments and malicious links in spam email messages.

Here’s an example of an email containing a malicious file attached:

Source: Sensors TechForum

Why manual malware delivery still works

The core issue with this infection method is directly tied to the lack of adequate password security. Both organizations and end users continue to set weak passwords for their accounts and often reuse them. This makes them vulnerable and easy to be cracked by cybercriminals.

The recent example of the Australian Defence Force shows how a simple password fail gave attackers access to sensitive information. An Australian defense contractor managed to enter the company’s network and steal 30 GB of secret military information for a simple reason: default passwords were used. The Australian military was using default passwords on its internet-facing services.

The investigation found that “the admin password, to enter the company’s web portal, was ‘admin’ and the guest password was ‘guest”.

How to protect your system against Payday ransomware and manual ransomware infections

The best way to keep your valuable data safe from ransomware and survive in the malware economy is to think and act proactively.

Business wise, ransomware attacks can have negative effects and generate business disruption. This is why, preventing and avoiding infection spread should be a top priority for every business interested in securing their sensitive information.

To minimize both the risk and the impact of online threats, we recommend businesses to use this useful ransomware prevention guide:

  1. Use a multi-layered proactive security system that will keep up to date all the business endpoints and monitor your daily online activity;
  2. Always backup all your data and use external sources such as a hard drive or in the cloud (Google Drive, Dropbox, etc.) to store it. Our guide will show you how to do it;
  3. Use and apply security awareness programs within your business to avoid clicking on unknown links and email attachments that could redirect to malicious websites;
  4. Don’t use public Wi-Fi connections unless you have a virtual private network or using encryption software;
  5. Apply a patch management system and make sure the exploited third party software such as Java, Flash, and Adobe are fully patched;
  6. Another important security tip is to keep separate users and passwords for the admin’s laptop and the servers;
  7. Running an antivirus program on your server is a security-savvy decision, as well as on your endpoints. Read this short checklist of security measures that will help you protect your business network, including servers and endpoints;
  8. Given the rise of new types of malware and (such as Payday ransomware), we remind you that security is not just about using a solution or another, it’s also about improving your online habits and being proactive.
  9. Being proactive about the EU GDPR can help any organization save a lot of time and money. Starting with May 2018, the new EU General Data Protection Regulation (GDPR) comes into effects, and there will be significant changes in the way data is collected and managed in an organization. This is why, every company needs to be prepared and meet the requirements for GDPR compliance.
  10. It is also important for organizations to start training employees in matters of cyber security, because it can prove to be one of the best investments for a company. Here are a list of free educational resources to use such as the Cyber Security for Beginners course, The Daily Security Tip or even the Heimdal Security blog, which offer useful information to help them better understand the security landscape.

How to prevent and block brute force attacks

Brute-force attacks take advantage of weak passwords system and cybercriminals easily gain unauthorized access to an organization’s network and systems.

Businesses need to use a number of techniques and security measures to provide a strong defense against such attacks, so we recommend following this protection guide:

  1. Always remember to enforce password security best practices in your organization for maximum protection;
  2. Use two-factor authentication system to add more security and include a better protection against brute-force attacks;
  3. Another security measure is to simply block multiple failed login attempts coming from the same IP address or the same account. To do that, we recommend you combine the account lockout threshold policy with the account lockout duration. One will determine the number of failed sign-in attempts that will cause a user account to be locked, and the other will establish “the number of minutes that a locked-out account remains locked out before automatically becoming unlocked”.
  4. Keep separate users and passwords for the admin’s laptop and the servers, and configure an alert system to warn you when an outsider is trying to access your system;
  5. Try free online solutions like IPBan or EvlWatcher for keeping the Remote Desktop Protocol (RDP) secure on your Windows servers and blocking RDP attacks.
  6. Use free tools like CAPTCHA or reCAPTCHA to prevent automated submissions of the login page;
  7. Set unique login URLs , so unauthorized users can’t access the site from the same URL;
  8. Running an antivirus program on your server is a security-savvy decision, as well as on your endpoints. Read this short checklist of security measures that will help you protect your business network, including servers and endpoints;
  9. Restrict the access to your employees to only that data to which they need and use, and also limit the authority to install software programs and encourage them to report back to you when they notice/receive suspicious emails from untrusted sources.
  10. Change your default RDP (Remote Desktop Protocol) port. This is a very easy procedure that will save you a lot of trouble in the future. Windows uses the default RDP port 3389. If you have this port open to the Internet, you are VERY vulnerable to port scanning, which a multitude of hacking tools can do. Once they determine that your default RDP port is open, attackers WILL run scripts to brute force their way in. The solution here is to change your default RDP port to something unused and not common knowledge. If you’re new at this, you can use this full guide provided by Microsoft to get it done.

What do you think of this new ransomware variant spreading and infecting endpoints? Have you encountered a scenario like this one?

How to Secure a Business Network, Servers and Endpoints

15+ Experts Explain Why Software Patching is Key for Your Online Security


Due to the widespread nature of this campaign, it does not appear to be targeting specific victims or industries.

I am exclusively Apple iMac and iDevices. Months ago when I signed up to receive your email I asked about your security programs for use with Mac equipment. Unfortunately, Heimdal Security didn’t publish any MAC compatible Security programs. However, I was
told that the Mac compatible programs were being developed & almost ready. Are the MAC compatible programs ready for distribution yet? Please respond with
some updated info about Mac compatible programs.

Hi Richard! Thank you for your message. It’s on our roadmap to provide security programs for Apple products, and we’re working on it to be launched as soon as possible. We’ll make sure you are the first to know about this when it will come out. Thank you for your patience and understanding!

Hans-Werner Seehafer on October 17, 2017 at 3:47 pm

Ich sehe nur ein Problem Ihre Warnungen werden leider nicht von jeden verstanden nicht jeder kann Englisch deshalb sollten die Sicherheitswarnungen in der jeweiligen installierten Sprache erscheinen damit schließen Sie dann schon mal eine Riesenlücke weil die Leute dann wissen und entsprechend handeln können.

Leave a Reply

Your email address will not be published. Required fields are marked *