
TeamViewer Connected to Ransomware Outbreak?

Beginning on March 9th, reports appeared on the Bleeping Computer forum of a modified version of the EDA2 ransomware that was encrypting files and appending the “.surprise” extension to them. When people started looking into the malware, it became apparent that every victim was using TeamViewer, the remote control, online meeting, web conferencing, and file sharing tool. Once the TeamViewer traffic logs were inspected, it was clear that someone had remotely loaded the malware onto the computers, after which it spread behind the scenes.

One of the more interesting aspects of this attack is its new approach of a negotiated ransom. As in most ransomware attacks, the victim’s files are encrypted and held hostage until an amount of money is paid in Bitcoin to unlock them. With the Surprise ransomware, however, the amount to be paid is negotiated individually and depends on how important the files are and how many systems are infected.

Though people were quick to blame TeamViewer for the ransomware infection, that seems unlikely: TeamViewer uses end-to-end encryption to thwart man-in-the-middle attacks, and the latency between connection attempts increases exponentially to stop brute-force attacks (it can take 17 hours to make 24 attempts). The most likely scenario is user laziness.

It’s plausible that all the hackers did was try the login credentials from an account they had already compromised elsewhere against TeamViewer to see whether a TeamViewer account used the same credentials. In other words, they simply found someone who used the same username and password for TeamViewer as for an account the hackers already controlled. Pretty simple, really. Once inside, they were able to install the ransomware on all the devices associated with that account.

The best advice for preventing this kind of attack is to use not only strong but also different passwords for all of your accounts. If you do use TeamViewer, make sure you’re logging in with its two-factor authentication. That said, you should be using two-factor authentication for any site where you access sensitive or personal information, such as email, healthcare, and banking. You can also download the free Ransomware Protection Checklist, sign up to receive it by mail, or schedule a free 10-minute Ransomware Safety Review.