NamPoHyu Virus ransomware targets Samba servers in a unique way

Researchers have spotted a new family of ransomware dubbed NamPoHyu virus or MegaLocker virus targeting remote Samba servers.

Ransomware infections are typically installed on the computer that will be encrypted by other malware, by malicious email attachments, or by attackers who have hacked a computer or network.

This new variant instead searches for accessible Samba servers, brute forces their passwords, and then remotely encrypts their files and creates ransom notes, an April 16 Bleeping Computer blog post said.

According to Shodan, there are nearly 500,000 accessible Samba servers for threat actors to infect.

The ransomware has been active since March 2019. It was first called MegaLocker virus and changed its name to NamPoHyu in April; while the ransom note file stayed the same, it was updated to include a link to a Tor payment site.

The malware's ransom note instructs victims to email the attacker a photo of themselves at a birthday, holiday, hobby or other personal event to prove they are a private individual, in which case they would pay a ransom of $250, while companies had to pay $1,000.

Researchers may have found a method to decrypt the ransomware although no information has been made publicly available as of yet.
