
‘NamPoHyu Virus’ ransomware targets vulnerable Samba servers

A new ransomware called ‘NamPoHyu Virus’ is targeting vulnerable Samba servers.

The ransomware is launched directly against Samba servers after their passwords have been brute-forced, which is unusual: ransomware normally runs as an executable on the victim’s computer.

Formerly called MegaLocker Virus, it encrypts the files remotely and then leaves a ransom note.

Shodan, the search engine, has found some 500,000 accessible Samba servers across the globe. This indicates that this ransomware infection can be massive if the attackers gain access to these vulnerable Samba servers.

The ransomware was first identified in March 2019 after users complained that their NAS storage devices were suddenly encrypted by new ransomware called MegaLocker virus.

Once encryption is complete, the encrypted files carry the .crypted extension and a ransom note named !DECRYPT_INSTRUCTION.TXT is left behind.
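The two file-system indicators above can be swept for on a share's local path. The following is an added example, not code from the article or from Bleeping Computer; the function names, the case-insensitive matching and the use of the oldest modification time as a rough marker for when encryption began are assumptions.

```python
import os
import sys
import tempfile
from collections import defaultdict

NOTE_NAME = "!DECRYPT_INSTRUCTION.TXT"   # ransom note name given in the article
ENCRYPTED_EXT = ".crypted"               # extension given in the article

def sweep_share(root):
    """Walk a share's local path and return {directory: summary} for every
    directory that holds a ransom note or .crypted files."""
    hits = defaultdict(lambda: {"note": False, "crypted": 0, "first_mtime": None})
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        for name in files:
            # Case-insensitive comparison is an assumption (shares are often
            # case-insensitive); the article gives only the exact names.
            is_note = name.upper() == NOTE_NAME
            is_crypted = name.lower().endswith(ENCRYPTED_EXT)
            if not (is_note or is_crypted):
                continue
            entry = hits[dirpath]
            entry["note"] = entry["note"] or is_note
            entry["crypted"] += is_crypted
            try:
                mtime = os.lstat(os.path.join(dirpath, name)).st_mtime
            except OSError:
                continue  # vanished or unreadable; it is still counted above
            # Oldest mtime among the hits: a heuristic for when the
            # encryption of this directory started.
            if entry["first_mtime"] is None or mtime < entry["first_mtime"]:
                entry["first_mtime"] = mtime
    return dict(hits)

def make_constructed_share(root):
    """Build a small constructed sample tree (not real victim data)."""
    for rel in ("docs/report.odt.crypted", "docs/" + NOTE_NAME,
                "photos/a.jpg.crypted", "photos/b.jpg", "clean/readme.txt"):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")

if __name__ == "__main__":
    if len(sys.argv) > 1:
        root = sys.argv[1]            # path of the share to inspect
    else:
        root = tempfile.mkdtemp()     # no argument: run on the sample tree
        make_constructed_share(root)
    for directory, info in sorted(sweep_share(root).items()):
        print(directory, info)
```

A directory that reports .crypted files but no note, or a note but no .crypted files, is still worth a manual look, since encryption may have been interrupted partway.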

The ransom note contains instructions to contact alexshkipper@mail[.]ru. The note asks the prospective victim to send a photo from a birthday, holiday, hobby or some other personal event. The ransom is $250 if the victim is a single user and $1000 for companies.

According to Bleeping Computer, it has gone by its current name, 'NamPoHyu Virus', since April 2019.