Reyptson ransomware is a new threat that has been discovered in the past few days. The new ransomware variant is currently being used in attacks in Spain, with detected activity rising considerably in the days since its discovery.
There is no free decryptor for Reyptson ransomware at this stage. The ransomware variant encrypts a wide range of file types, including MS Office files and images using AES-128 encryption. Encrypted files will have the file extension .Reyptson appended to the file.
Infection will require files to be recovered from backups or the ransom demand must be paid if no backup exists and victims do not want permanent file loss. Users are told they must pay a ransom of €200 to unlock the encryption, although the payment will increase to €500 after 72 hours.
New cryptoransomware variants are being released on an almost daily basis with the majority spread via spam email. What makes this variant unique is its ability to spread itself following infection. Reyptson is capable of conducting its own email campaigns and spreading itself to a victim’s contacts.
The spam email campaigns are conducted via the Thunderbird email client. Reyptson ransomware searches for contacts and creates new spam email messages and sends them to all contacts using the victim’s credentials.
The emails claim to be invoices and include a link for the recipient to download the invoice. Clicking the link will download a compressed .rar file which contains an executable file that appears to be a PDF file. If that executable file is opened; the user will be infected with the ransomware and the process will repeat. According to an analysis by MalwareHunterTeam, the emails have the subject line Folcan S.L. Facturación.
Recently, global ransomware campaigns have been conducted using exploits stolen from the NSA. Those exploits take advantage of vulnerabilities in software that have not been addressed. Even though patches have been released to correct those vulnerabilities, many companies have yet to update their operating systems. A free scanner called Eternal Blues has been developed that has revealed more than 50,000 computers around the world are still vulnerable and have not been patched.
Patching promptly has always been important, but now even more so. Delaying the updating of software can see organizations infected and the damage can be considerable. In the case of NotPetya, computers are rendered useless and even payment of a ransom cannot undo the damage.
However, spam email remains the most common vector for spreading ransomware. Preventing Reyptson ransomware attacks and other cryptoransomware variants requires an advanced spam filter. A spam filter such as SpamTitan can block these messages and prevent them from being delivered to end users. If the spam emails are not delivered, they cannot be opened by end users.
Prompt patching, user awareness training, spam and web filtering can help organizations reduce the risk of attack. However, it is also essential to ensure multiple backups of data are made to ensure recovery in case of infection. Organizations should adopt the 3-2-1 approach to backups. Ensure there are three copies of data, on 2 different media with one copy stored off site.
One backup copy can be stored locally – on a removable device that is unplugged when backups are completed or are not being used. One copy should be stored in the cloud and one on a backup drive/tape that is stored in a secure location off site that can be used in the event of a disaster.