Crysis (detected by Trend Micro as RANSOM_CRYSIS.A), a ransomware family first detected in February 2016, has been spotted targeting businesses in Australia in New Zealand through remote desktop protocol (RDP) brute force attacks.
Crysis has been reported in early June in 2016 to have set its sights into carving a market share left by TeslaCrypt when the latter’s developers decided to shut down their operations, and rivaling Locky’s prevalence in the ransomware threat landscape. Crysis is mainly distributed through spam emails, either with Trojanised attachments with double file extensions (as a way to disguise the malware as a non-executable) or links to compromised websites, and online locations that distribute spurious installers for legitimate programs and applications. Although not immediately seen when it was first discovered, we also observed that it used brute-forced RDPs as one of its infection vectors.
We were able to monitor Crysis in cyber-attacks involving brute-forced RDP credentials and the ransomware executed via a redirected drive from the source computer. Redirections in remote access tools implemented in Windows enable users to conveniently access, process, and utilise files from local drives as well as resources such as printers, Clipboard, and supported plug and play and multimedia devices. Crysis’ ongoing activity against Australian and New Zealand businesses was initially detected in early August 2016.
For ransomware operators running a hit-and-run business model to profit from victims as quickly as possible, exploiting RDP—especially those utilised by businesses—can be lucrative. This is particularly true for Crysis, given its ability to scan and encrypt files on removable drives and network shares. For instance, a more adept malefactor can employ various privilege escalation techniques to ultimately gain administrator access to the system and exacerbate the damage by perusing through servers and encrypting more data.
Mitigating the Risks
Cleanup from Crysis has been noted to be tricky. In its attacks on Australian and New Zealand businesses, we saw this ransomware injecting Trojans to redirected and/or connected devices such as printers and routers. This part of Crysis’ infection chain allows the attackers to regain access to and reinfect the system, even after the malware has been removed from the affected computer. This further illustrates why paying the ransom is not recommended, even if it seems expedient.
Administrators managing remote desktops are recommended to close RDP access if possible, or otherwise change the RDP port to a non-standard port. Updating and strengthening RDP credentials as well as implementing two-factor authentication, account lockout policies and user permission/restriction rules can make them more resistant to brute force attacks. Ensuring that connected devices are securely wiped during cleanups can mitigate the risks of further damage, while utilising encryption channels can help foil attackers from snooping on remote connections. Keeping the RDP client and server software up-to-date can also prevent potential vulnerabilities in RDPs from being exploited.
JuiceIT 2017 – Beyond the Hype!
Trend Micro will be attending JuiceIT and we look forward to meeting you at the event!