New ransomware delivered via Windows Remote Desktop Services

A new type of ransomware – dubbed LowLevel04 – is hitting users in Greece and Bulgaria. It is apparently delivered on the affected computers manually by the attackers, via Windows’ built-in Remote Desktop Services (RDS) or Terminal Services.

RDP provides users a way to connect to another computer over a network connection. Terminal Services provides remote access to a Windows desktop through “thin client” software, allowing the client computer to serve as a terminal emulator.

As far as some of the victims and researcher Nathan Scott can tell, the attackers are brute-forcing user account passwords on computers running Remote Desktop Services and/or Terminal Services.

“Many of the victims have also reported that the machines affected were servers, which makes sense as this type of attack would cause major disruption for a company,” Bleeping Computer’s Lawrence Abrams noted.

“From the reports we have received and by analyzing some samples, it appears that once the attacker gains access to a target computer, they download and install a package that generates the encryption keys, encrypts the data files, and then uploads various files back up to the hacker’s temp folder via the terminal services client drive mapping \\tsclient\c\temp\.”

It seems that most AV solutions are currently unable to prevent this infection.

The ransomware searches for files with a variety of extensions (.zip, .jpg, .mp3, .docx, .exe, and many, many more), encrypts them with a RSA-2048 key, adds the oorr. prefix to each encrypted file, and puts a ransom note into each folder where the encrypted files are.

In the ransom note, contained in a text file named help recover files.txt, the attackers explain to the victims their predicament, and ask them to pay 4 Bitcoin (around $1,000) in order to get their files decrypted (click on the screenshot to enlarge it):

The attackers can be contacted via two email addresses ( and and offer the victims free decryption of a single file in order to prove they have the needed decryption key.

The malware attempts to stymie malware researchers by hiding itself and deleting Application, Security, and System event logs.

For those who have been affected and they don’t want to pay the ransom, there is a possibility that at least some of the files can be recovered.

“In the incomplete sample we had, the ransomware did not delete Shadow Volume Copies or securely delete the original files,” Abrams noted. “This means that you may be able to use a file recovery tool to recover your files or a program like Shadow Explorer to restore your files from the Shadow Volume Copies.”

Here are instructions on how to do the latter.

Don't miss