[Important Security Warning] New Fileless Ransomware “SOREBRECT” Attack Warning

According to threat intelligence, the SOREBRECT ransomware is now threatening systems worldwide. It obtains account credentials through a brute-force attack against RDP, then injects code into svchost.exe, a legitimate Windows process. Once the code injection is complete, SOREBRECT deletes its own source files to avoid detection. It encrypts local files using Microsoft’s Sysinternals PsExec tool, and can encrypt files on remote Windows machines by scanning for open shares. This self-deleting, fileless behaviour leaves little on disk for defenders to find, which is what makes SOREBRECT a high security risk.

As this ransomware affects both individuals and organizations, the Alibaba Cloud security team suggests that system administrators and security engineers take the following precautions:

1. Do not expose port 3389 (RDP) to the Internet. If you need to use RDP to administer remote machines, we recommend you set up a VPN and access RDP services through the VPN tunnel. You can also administer machines directly through the Alibaba Cloud ECS console’s “Connect” function.

2. Use strong Windows account passwords, and turn on audit logging so you can track who logs in and when.

3. Disable folder sharing, or apply stricter access controls to shares: public shares that do not require a login are most at risk.

4. Apply patches regularly.

5. Back up all important files and documents regularly, and keep the backups on external storage that is not permanently connected to the computer. The ECS “Snapshot” feature can be used for this.

6. Install anti-virus software, and avoid clicking on unfamiliar links.

7. Use Alibaba Cloud Anti-DDoS Pro and Server Guard to detect and defend servers automatically.
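As an added example (not part of this advisory, nor Alibaba Cloud tooling), the following Python script shows the kind of check that the audit logs from precaution 2 make possible: it correlates a burst of failed RDP logons from one source with a later successful RDP logon from the same source, then checks whether PsExec's service was installed on the host afterwards, matching the intrusion chain described above. The event IDs (4625, 4624, 7045) and logon type 10 are real Windows values; the sample records, their field names and the thresholds are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs) in the fields Windows exposes:
# Security 4625 = failed logon, 4624 = successful logon (logon type 10 is
# RemoteInteractive, i.e. RDP); System 7045 = service installed.
SAMPLE_EVENTS = [
    {"time": f"2017-06-15T02:00:{s:02d}", "id": 4625, "src": "203.0.113.7",
     "user": "Administrator"} for s in range(0, 60, 10)   # 6 failures in 50 s
] + [
    {"time": "2017-06-15T02:03:00", "id": 4625, "src": "198.51.100.9", "user": "jsmith"},
    {"time": "2017-06-15T02:05:00", "id": 4624, "src": "192.0.2.20", "user": "jsmith", "logon_type": 10},
    {"time": "2017-06-15T02:06:00", "id": 4624, "src": "203.0.113.7",
     "user": "Administrator", "logon_type": 10},          # guessed password worked
    {"time": "2017-06-15T02:09:30", "id": 7045, "service": "PSEXESVC"},  # PsExec service
]

FAILURE_THRESHOLD = 5          # this many 4625 events from one source ...
WINDOW = timedelta(minutes=5)  # ... inside this sliding window

def _parse(events):
    # Convert ISO timestamps to datetime and sort chronologically.
    return sorted((dict(e, time=datetime.fromisoformat(e["time"])) for e in events),
                  key=lambda e: e["time"])

def find_bruteforce_sources(events, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """Sources whose failed-logon count reaches the threshold inside any window."""
    failures = defaultdict(list)
    for e in _parse(events):
        if e["id"] == 4625:
            failures[e["src"]].append(e["time"])
    flagged = set()
    for src, times in failures.items():   # times are already in order
        if any(times[i + threshold - 1] - times[i] <= window
               for i in range(len(times) - threshold + 1)):
            flagged.add(src)
    return flagged

def find_intrusions(events):
    """Brute-force source -> later RDP success from it -> PsExec service installed after."""
    parsed = _parse(events)
    sources = find_bruteforce_sources(events)
    findings = []
    for e in parsed:
        if e["id"] == 4624 and e.get("logon_type") == 10 and e["src"] in sources:
            psexec = any(x["id"] == 7045 and x.get("service", "").upper() == "PSEXESVC"
                         and x["time"] > e["time"] for x in parsed)
            findings.append({"src": e["src"], "user": e["user"],
                             "rdp_login": e["time"].isoformat(), "psexec_after_login": psexec})
    return findings
```

On the sample data the ordinary logon from 192.0.2.20 is not reported, while the logon from 203.0.113.7 is flagged with PsExec activity following it.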

If you have any questions, please feel free to contact us via ticket.

Alibaba Cloud Security Team