The Doppelpaymer ransomware that circulated among companies this month was not spread through the BlueKeep vulnerability. Microsoft has debunked those rumors in a blog post. The company says the ransomware reached companies in other ways.

Microsoft writes this in guidance for customers affected by Doppelpaymer. The ransomware struck early this month at a number of companies, notably the Mexican oil company Pemex. Doppelpaymer has been around since mid-June this year and mainly targets companies. Its distributors demand high ransoms, often of millions of euros. Dozens of companies have already been affected. In addition to Pemex, a Spanish ICT company was also hit.

The latter infection in particular led to rumors among security researchers that the ransomware was spread through the BlueKeep vulnerability, a flaw in the Remote Desktop Protocol in Windows. A patch for BlueKeep has been available for months, but thousands of companies worldwide have still not applied it. Many agencies and companies fear that the vulnerability could cause 'a new WannaCry'.

That destructive ransomware caused a great deal of damage in 2017 and was spread through a similar vulnerability. Earlier this month, Microsoft again urged companies to apply the patch. So far, BlueKeep has not been actively exploited by serious criminal groups, although it has been used to install cryptominers.

BlueKeep is a remote code execution bug in Remote Desktop Services on Windows 7, Windows Server 2008 and Windows Server 2008 R2. The vulnerability closely resembles the bug exploited by major ransomware attacks such as WannaCry. There is therefore great fear that BlueKeep could again cause major damage to companies. This is not the first time Microsoft has warned about BlueKeep.

Earlier rumors claimed that the Doppelpaymer ransomware was distributed via Microsoft Teams and abused BlueKeep. According to Microsoft, that is not true. The company says the attackers used stolen domain administrator passwords, which allowed them to penetrate the networks and move laterally through them.

Furthermore, @headleaks has written a complete tutorial on how hackers exploit the BlueKeep vulnerability.

DoppelPaymer Ransomware is a file-locking trojan that blocks access to your files and leaves extortion notices directing you to the attackers' payment site. Although it is highly similar to the BitPaymer Ransomware, it uses a separate form of encryption and requires a different decryptor to recover any files. Let your anti-malware products remove DoppelPaymer Ransomware as soon as they detect it, and keep secure backups for undoing the effects of its attacks.

Microsoft lists the following measures consumers can take to block ransomware attacks and avoid data loss:

  • Keep your Windows Operating System and antivirus up-to-date.
  • Upgrade to Windows 10.
  • Regularly back up your files to an external hard drive.
  • Enable File History or system protection. On Windows 10 or Windows 8.1 devices, File History must be enabled and a drive set up for it.
  • Use OneDrive for Consumer or for Business.
  • Beware of phishing emails, spam, and clicking malicious attachments.
  • Use Microsoft Edge to get SmartScreen protection. It prevents you from browsing sites known to host exploits and protects you against socially engineered attacks such as phishing and malware downloads.
  • Disable the loading of macros in your Office programs.
  • Disable your Remote Desktop feature whenever possible.
  • Use two-factor authentication.
  • Use a safe and password-protected internet connection.
  • Avoid browsing web sites that are known for being malware breeding grounds (illegal download sites, porn sites, etc.).

Source: Customer Guidance for the Dopplepaymer Ransomware

While Microsoft recommends disabling Remote Desktop Services where possible, in many enterprise environments it is required. If so, administrators should ensure that Remote Desktop servers are not reachable from the Internet, as exposed servers are subjected to brute-force attacks aimed at gaining access to the network behind them. Instead, they should be accessible only after a client has logged into the corporate VPN.
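As an added illustration (not code from the article or from Microsoft's guidance), the following Python script flags the patterns this paragraph warns about in constructed Windows Security logon records: Remote Desktop logons arriving from outside RFC 1918 address ranges, repeated failed RDP logons from one source, and a successful RDP logon from a source that had just failed. The simplified record format, field names, threshold and sample addresses are assumptions made for the example.

```python
from collections import defaultdict
import ipaddress

# Constructed sample records in a simplified form of Windows Security events:
# EventID 4625 = failed logon, 4624 = successful logon, LogonType 10 = RDP.
# 203.0.113.7 is a documentation (TEST-NET-3) address standing in for an
# external source; 10.0.0.x are internal clients.
SAMPLE_EVENTS = [
    {"ts": 1, "id": 4625, "type": 10, "user": "CORP\\admin", "src": "203.0.113.7"},
    {"ts": 2, "id": 4625, "type": 10, "user": "CORP\\admin", "src": "203.0.113.7"},
    {"ts": 3, "id": 4625, "type": 10, "user": "CORP\\admin", "src": "203.0.113.7"},
    {"ts": 4, "id": 4625, "type": 10, "user": "CORP\\admin", "src": "203.0.113.7"},
    {"ts": 5, "id": 4625, "type": 10, "user": "CORP\\admin", "src": "203.0.113.7"},
    {"ts": 6, "id": 4624, "type": 10, "user": "CORP\\admin", "src": "203.0.113.7"},
    {"ts": 7, "id": 4624, "type": 10, "user": "CORP\\jsmith", "src": "10.0.0.15"},
    {"ts": 8, "id": 4625, "type": 3, "user": "CORP\\svc", "src": "10.0.0.20"},
    {"ts": 9, "id": 4625, "type": 10, "user": "CORP\\jsmith", "src": "10.0.0.15"},
]

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(src):
    """True if the source address lies in an RFC 1918 private range."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in RFC1918)


def detect_rdp_abuse(events, fail_threshold=5):
    """Return (kind, source, user) alerts for three RDP patterns:
    rdp_from_internet (an RDP attempt from a non-RFC1918 source, i.e. the
    server is reachable from outside), rdp_bruteforce (fail_threshold failed
    RDP logons from one source) and success_after_failures (a successful RDP
    logon from a source with prior failures: a guessed or stolen password)."""
    failures = defaultdict(int)
    flagged_external = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] != 10:  # only RemoteInteractive (RDP) logons matter here
            continue
        src, user = ev["src"], ev["user"]
        if not is_internal(src) and src not in flagged_external:
            flagged_external.add(src)
            alerts.append(("rdp_from_internet", src, user))
        if ev["id"] == 4625:
            failures[src] += 1
            if failures[src] == fail_threshold:
                alerts.append(("rdp_bruteforce", src, user))
        elif ev["id"] == 4624 and failures[src] > 0:
            alerts.append(("success_after_failures", src, user))
            failures[src] = 0  # reset so a later burst is counted afresh
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_abuse(SAMPLE_EVENTS):
        print(alert)
```

On the sample data the script reports the external source once, then the brute-force burst, then the success that followed it; the single internal failure and the non-RDP logon produce no alert.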