Guest Blog | A Show of (Brute) Force: Crysis Ransomware Found Targeting Australian and New Zealand Businesses – Trend Micro

Crysis (detected by Trend Micro as RANSOM_CRYSIS.A), a ransomware family first detected in February 2016, has been spotted targeting businesses in Australia in New Zealand through remote desktop protocol (RDP) brute force attacks.

Crysis has been reported in early June in 2016 to have set its sights into carving a market share left by TeslaCrypt when the latter’s developers decided to shut down their operations, and rivaling Locky’s prevalence in the ransomware threat landscape. Crysis is mainly distributed through spam emails, either with Trojanised attachments with double file extensions (as a way to disguise the malware as a non-executable) or links to compromised websites, and online locations that distribute spurious installers for legitimate programs and applications. Although not immediately seen when it was first discovered, we also observed that it used brute-forced RDPs as one of its infection vectors.

We were able to monitor Crysis in cyber-attacks involving brute-forced RDP credentials and the ransomware executed via a redirected drive from the source computer. Redirections in remote access tools implemented in Windows enable users to conveniently access, process, and utilise files from local drives as well as resources such as printers, Clipboard, and supported plug and play and multimedia devices. Crysis’ ongoing activity against Australian and New Zealand businesses was initially detected in early August 2016.

For ransomware operators running a hit-and-run business model to profit from victims as quickly as possible, exploiting RDP—especially those utilised by businesses—can be lucrative. This is particularly true for Crysis, given its ability to scan and encrypt files on removable drives and network shares. For instance, a more adept malefactor can employ various privilege escalation techniques to ultimately gain administrator access to the system and exacerbate the damage by perusing through servers and encrypting more data.

Mitigating the Risks

Cleanup from Crysis has been noted to be tricky. In its attacks on Australian and New Zealand businesses, we saw this ransomware injecting Trojans to redirected and/or connected devices such as printers and routers. This part of Crysis’ infection chain allows the attackers to regain access to and reinfect the system, even after the malware has been removed from the affected computer. This further illustrates why paying the ransom is not recommended, even if it seems expedient.

Administrators managing remote desktops are recommended to close RDP access if possible, or otherwise change the RDP port to a non-standard port. Updating and strengthening RDP credentials as well as implementing two-factor authentication, account lockout policies and user permission/restriction rules can make them more resistant to brute force attacks. Ensuring that connected devices are securely wiped during cleanups can mitigate the risks of further damage, while utilising encryption channels can help foil attackers from snooping on remote connections. Keeping the RDP client and server software up-to-date can also prevent potential vulnerabilities in RDPs from being exploited.


JuiceIT 2017 – Beyond the Hype!

Trend Micro will be attending JuiceIT and we look forward to meeting you at the event!


Tags: Ransomware, JuiceIT 2017


Subscribe to our blog


Networking for K-12 Education
Taking the Work out of the School Network

While there’s no consensus on who coined the phrase ‘truth is stranger than fiction’, you’d be hard pressed to find…

Improve Security with Microsoft 365 and Surface
Improve Security with Microsoft 365 and Surface

Security is a rising cost for most organisations. And it’s not a welcome one, with 81% of IT Managers currently…

Networking 2020. What now? What next?

It seems like only yesterday that I was working with customers to help craft their ‘Networking 2020 strategy’. As we…

5 Steps to Implement DevSecOps

The 1980s gave us many good things, such as U2, Metallica and Bon Jovi (questionable). But from a security…

VMware and Carbon Black: An Advance for Cloud Endpoint Protection

Initially, analysts were surprised when VMware completed its $2.1 billion cash purchase of Carbon Black in August…

7 Minutes of Security | Splunk for IT Ops

In our first episode of 7 Minutes of Security, our host and National Practice Manager – Security, Richard Dornhart…

A new era of security risks in education
A new era of security risks in education

For educators, ensuring the safety and wellbeing of students has always been a critical priority – one that’s been seriously…

Splunk ITSI eBook
Predict and Prevent with Splunk ITSI: 6 Customer Stories

Too many alerts, too little time In Asia Pacific 69%1 of companies receive more than 5,000 threats a day –…