HC7 gotya

HC7 Gotya Ransomware

Another Ransomware, another day, another danger in the cyber space! To bring the discussion into perspective-

  • A company is hit with ransomware every 40 seconds.
  • 6 in 10 malware payloads were ransomware in Q1 2017.
  • There were 4.3x more ransomware in Q1 2017 than in Q1 2016.
  • 71% companies targeted by ransomware attacks have been infected.
  • Two thirds of ransomware infections in Q1 2017 were delivered via RDP.
  • The average ransomware demand has risen to $1077.
  • Global ransomware damages are predicted to exceed $5 billion in 2017.

Another variant is now making rounds, Hc7 Gotya Ransomware is spreading via remote desktop services using PsExec. Originally released as Hc6, the decryption key was made available soon after this variant began hitting the computers. Since then the attackers have upgraded the ransomware to Hc7 which is much hard to get around with.

What is it?

Hc7 is an upgraded version of Hc6 ransomware. It infiltrates the system like various other malicious codes. It infiltrates itself silently in the targeted system without user’s knowledge. The only way to decrypt the files is the decryption key sent to the Hc7 Gotya command and control server. All the encrypted files are coded with ‘.GOTYA’ extension.

Modus Operandi

Right now, the attackers are hacking into the exposed remote desktop services. They are using a classic spam method with infected word doc. Once the attackers get in, they use PsExec.exe to install the ransomware into the PC and the network. As the malicious code is executed, the files get encrypted with ‘.GOTYA’ extension and a recovery note is created.

The ransom note contains a Bitcoin address and demand $700 per machine or $5,000 for all the machine in BTC.

The ransomware note goes like this-

How to protect yourself from Hc7 Ransomware attack-

The attackers are targeting remote servers; hence it is safe to assume that if the servers are behind a firewall and cannot be connected unless the user is connected via a secure VPN. Best practices should always be followed like not leaving remote desktop connected to the server etc.

Logix Infosecurity keeps the clients safe by installing layers of security where they are required. Our experts and state-of-the-art technology keeps the threat away so that the clients can focus on their business.

Leave a Reply

Your email address will not be published. Required fields are marked *