{
	"id": "411a7d77-d6a6-4dcc-8f32-c93c04dcea2d",
	"created_at": "2026-04-06T00:14:31.793821Z",
	"updated_at": "2026-04-10T03:22:13.30371Z",
	"deleted_at": null,
	"sha1_hash": "75b832ee291bf211e1b1a002e937aeed92f3ed86",
	"title": "Apocalypse: Ransomware which targets companies through insecure RDP",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 622295,
	"plain_text": "Apocalypse: Ransomware which targets companies through\r\ninsecure RDP\r\nBy Sarah\r\nPublished: 2016-06-29 · Archived: 2026-04-05 13:41:14 UTC\r\nBeyond a shadow of a doubt, 2016 has been the year of ransomware, so it comes as no surprise that new\r\nransomware families are popping up on a weekly basis. Emsisoft has been on the frontline battling ransomware for\r\nyears now, providing users with valuable tools that allow them to recover their files after ransomware attacks. As a\r\nresult, Emsisoft researchers often find themselves at the receiving end of hate from ransomware authors. Late last\r\nyear, we took a look at Radamant, whose authors included some rather unkind messages after our research team\r\nbroke their amateurish ransomware. Today, we want to take a look at Apocalypse, a new ransomware family that\r\nreared its ugly head about 2 months ago and recently started spewing insults towards our team as well.\r\nMeet Apocalypse\r\nThe Apocalypse ransomware was first seen on the 9th of May. The main attack vector is weak passwords on\r\ninsecurely configured Windows servers running the remote desktop service. This allows an attacker to brute\r\nforce their way in, after which they can interact with the system as if they were sitting in front of it. Abusing\r\nremote desktop has become increasingly common over the last few months, especially for running ransomware\r\nlike Apocalypse.\r\nThe earliest variants install themselves to %appdata%windowsupdate.exe and create a run key called windows\r\nupdate in both HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE. This variant uses the .encrypted\r\nextension. A ransom note is created for every file in the form\r\nof *filename*.How_To_Decrypt.txt. The dr.compress@us1.l.a/dr.compress@bk.ru/dr.jimbo@bk.ru/dr.decrypter@bk.ru\r\nemail addresses are used in the ransom note.\r\nOn June 9th, another version of Apocalypse was discovered. 
This variant uses a different location, run key\r\nname and email address. The ransomware installs itself to %ProgramFiles%windowsupdate.exe, and creates a run\r\nkey called windows update svc. The email address used in this variant is decryptionservice@mail.ru.\r\nOn June 22nd, the newest variant was discovered, which changed a lot more. Instead of windowsupdate, it\r\nnow uses firefox as its name. The newest version installs itself to %ProgramFiles%firefox.exe, and creates a run\r\nkey called firefox update checker. The new extension is .SecureCrypted and the new name for the ransom note is\r\n*filename*.Contact_Here_To_Recover_Your_Files.txt. The email address used is recoveryhelp@bk.ru.\r\nhttp://blog.emsisoft.com/2016/06/29/apocalypse-ransomware-which-targets-companies-through-insecure-rdp/\r\nPage 1 of 6\n\nA closer look into the latest variant\r\nTo give you a better idea of how Apocalypse operates, we want to take a closer look at one of the newest variants\r\nwith the hash AC70F2517698CA81BF161645413F168C. The ransomware first checks the default system\r\nlanguage and if it is set to Russian, Ukrainian or Belarusian then the ransomware will quit and not encrypt the\r\nsystem.\r\nThe ransomware then copies itself to %ProgramFiles%firefox.exe, if it doesn’t exist there already, and sets the\r\nhidden and system attributes. It also falsifies the timestamp of this file using the explorer.exe timestamp. Then a\r\nrun value is created, so the ransomware runs on every startup:\r\nCreation of the run values\r\nOnce installation is complete, it runs the newly created firefox.exe, which then deletes the file. The\r\nfirefox.exe file performs two different tasks at the same time: First, it periodically checks whether certain Windows\r\nprocesses are running and kills them. 
Second, it starts the encryption routine, where it gets a list of all\r\nremovable, fixed or remote network drives; the latter, however, are never encrypted due to a bug in the ransomware.\r\nThe ransomware then scans all folders and encrypts any files it finds.\r\nHowever, the malware will not attempt to encrypt any file whose name ends in one of the following text strings:\r\n.exe\r\n.dll\r\n.sys\r\n.msi\r\n.com\r\n.lnk\r\n.tmp\r\n.ini\r\n.SecureCrypted\r\n.bin\r\n.bat\r\n.dat\r\n.Contact_Here_To_Recover_Your_Files.txt\r\nFiles located in the Windows folder are skipped as well.\r\nTo encrypt a file, the ransomware first checks whether it is encrypted already by comparing the first four bytes of\r\nthe file against the magic value 0xD03C2A77. If the file is not encrypted already, it encrypts the content\r\nof the file in memory using a custom XOR based algorithm:\r\nExample of an Apocalypse encryption loop\r\nThe exact algorithm varies slightly from variant to variant. The magic value and encrypted content are then\r\nwritten to the file and .SecureCrypted is appended to the filename. Before closing it, the original file timestamps are\r\nrestored and the following ransom note is created for the file:\r\nA L L Y O U R F I L E S A R E E N C R Y P T E D\r\nAll your data – documents, photos, videos, backups – everything is encrypted.\r\nThe only way to recover your files: contact us to the next email: recoveryhelp@bk.ru\r\nAttach to e-mail:\r\n1. Text file with your IP server as Subject (To locate your encryption algoritm)\r\n2. 1-2 encrypted files (please dont send files bigger than 1 MB)\r\nWe will check the encrypted file and send to you an email with your\r\nDecrypted FILE as proof that we actually have the decrypter software.\r\nRemember:\r\n1. The FASTER you’ll CONTACT US – the FASTER you will RECOVER your files.\r\n2. 
We will ignore your e-mails without IP server number in Subject.\r\n3. If you haven’t received reply from us in 24 hours – try to contact us via public e-mail services such as\r\nYahoo or so.\r\nThe ransomware also creates a window which it displays to the user with a similar ransom note:\r\nThe screen that the ransomware displays to the user\r\nOne interesting aspect of this screen is that within the code which creates it, the ransomware author hid messages\r\nto Emsisoft:\r\nThe Apocalypse developer insults “emissoft”\r\nAs before, we see messages like this as validation of our work and consider them a backhanded compliment.\r\nHow can I decrypt my files encrypted by this ransomware?\r\nAs for many other ransomware families, Emsisoft provides a free decrypter to all Apocalypse victims that allows\r\nthem to decrypt their files for free.\r\nThe Emsisoft Apocalypse decrypter at work\r\nThe decrypter is available for download at our Emsisoft Decrypter portal here.\r\nHow can I protect myself?\r\nDue to the nature of the attack, protection software is rather ineffective. If the attacker manages to get access to the\r\nsystem via remote control, they can simply disable any protection software installed or add the malware to the\r\nprotection software’s exclusion list. It is therefore imperative to prevent the attacker from gaining access to the\r\nsystem to begin with.\r\nThe most important line of defense is a proper password policy that is enforced for all user accounts with remote\r\naccess to the system. This also applies to rarely used accounts created for testing purposes or by applications.\r\n
Even better would be to disable Remote Desktop or Terminal Services completely if they are not required, or at least to use\r\nIP address based restrictions so that these services can only be reached from trusted networks.\r\nSource: http://blog.emsisoft.com/2016/06/29/apocalypse-ransomware-which-targets-companies-through-insecure-rdp/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"http://blog.emsisoft.com/2016/06/29/apocalypse-ransomware-which-targets-companies-through-insecure-rdp/"
	],
	"report_names": [
		"apocalypse-ransomware-which-targets-companies-through-insecure-rdp"
	],
	"threat_actors": [],
	"ts_created_at": 1775434471,
	"ts_updated_at": 1775791333,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/75b832ee291bf211e1b1a002e937aeed92f3ed86.pdf",
		"text": "https://archive.orkl.eu/75b832ee291bf211e1b1a002e937aeed92f3ed86.txt",
		"img": "https://archive.orkl.eu/75b832ee291bf211e1b1a002e937aeed92f3ed86.jpg"
	}
}