From helpnetsecurity.com
Threat actors are brute-forcing their way into enterprise endpoints running server-side remote access applications and attempting to spread the GandCrab ransomware onto other enterprise computers, SecurityScorecard researchers are warning.
Their weapon of choice is Phorpiex/Trik, a bot with worm capabilities that allows it to spread to other systems by copying itself to USBs and other removable drives.
The campaign
This rather unsophisticated piece of malware scans the internet for Remote Desktop Protocol (RDP) and Virtual Network Computing (VNC) servers and tries to gain access to these devices by running through a list of widely used usernames and passwords (“password”, “test”, “testing”, “server”, “admin”, “123123”, “123456”, and similar).
The malware randomly generates a target’s IP address and tries to connect to it through port 5900. If it succeeds, it inserts the ransomware and leaves the user with locked files and a ransom request.
Read more here