Guest Blog | A Show of (Brute) Force: Crysis Ransomware Found Targeting Australian and New Zealand Businesses – Trend Micro

Crysis (detected by Trend Micro as RANSOM_CRYSIS.A), a ransomware family first detected in February 2016, has been spotted targeting businesses in Australia in New Zealand through remote desktop protocol (RDP) brute force attacks.

Crysis has been reported in early June in 2016 to have set its sights into carving a market share left by TeslaCrypt when the latter’s developers decided to shut down their operations, and rivaling Locky’s prevalence in the ransomware threat landscape. Crysis is mainly distributed through spam emails, either with Trojanised attachments with double file extensions (as a way to disguise the malware as a non-executable) or links to compromised websites, and online locations that distribute spurious installers for legitimate programs and applications. Although not immediately seen when it was first discovered, we also observed that it used brute-forced RDPs as one of its infection vectors.

We were able to monitor Crysis in cyber-attacks involving brute-forced RDP credentials and the ransomware executed via a redirected drive from the source computer. Redirections in remote access tools implemented in Windows enable users to conveniently access, process, and utilise files from local drives as well as resources such as printers, Clipboard, and supported plug and play and multimedia devices. Crysis’ ongoing activity against Australian and New Zealand businesses was initially detected in early August 2016.

For ransomware operators running a hit-and-run business model to profit from victims as quickly as possible, exploiting RDP—especially those utilised by businesses—can be lucrative. This is particularly true for Crysis, given its ability to scan and encrypt files on removable drives and network shares. For instance, a more adept malefactor can employ various privilege escalation techniques to ultimately gain administrator access to the system and exacerbate the damage by perusing through servers and encrypting more data.

Mitigating the Risks

Cleanup from Crysis has been noted to be tricky. In its attacks on Australian and New Zealand businesses, we saw this ransomware injecting Trojans to redirected and/or connected devices such as printers and routers. This part of Crysis’ infection chain allows the attackers to regain access to and reinfect the system, even after the malware has been removed from the affected computer. This further illustrates why paying the ransom is not recommended, even if it seems expedient.

Administrators managing remote desktops are recommended to close RDP access if possible, or otherwise change the RDP port to a non-standard port. Updating and strengthening RDP credentials as well as implementing two-factor authentication, account lockout policies and user permission/restriction rules can make them more resistant to brute force attacks. Ensuring that connected devices are securely wiped during cleanups can mitigate the risks of further damage, while utilising encryption channels can help foil attackers from snooping on remote connections. Keeping the RDP client and server software up-to-date can also prevent potential vulnerabilities in RDPs from being exploited.


JuiceIT 2017 – Beyond the Hype!

Trend Micro will be attending JuiceIT and we look forward to meeting you at the event!


Tags: JuiceIT 2017, Ransomware



Information protection in an age of information theft

Managing and safeguarding data across various apps, clouds, and endpoints is an uphill battle. It’s led to organisations relying on…

Customer Story: Knight Frank

Cloud Transition an Azure Success Story for Knight Frank Download Customer Story Contact a Specialist Objective…

3CX Desktop App Critical Vulnerability Alert

The Australian Cyber Security Centre has issued a warning about a new supply chain attack that has targeted a…

Managed Services eBook
Your guide to Data#3 Managed Services

Digital disruption is causing significant changes in the workplace, leading to higher expectations for access, security, and support regardless of…

JuiceIT Guest Blog | How XDR can help when time is of the essence

The only thing worse than cyber threats is an inability to detect those threats in time. Organisations need the…

JuiceIT Guest Blog | Veeam Platform: Reliable and Fast Recovery from Ransomware in a Hybrid World.

Ransomware attacks have become a growing concern for organisations of all sizes in Australia and New Zealand, resulting in significant…

Customer Story: Pernod Ricard Winemakers

Azure Migration gives Pernod Ricard Greater Flexibility and Improved Performance Download Customer Story Contact a Specialist…

Why would you deploy SASE?
If Secure Access Software Edge (SASE) with Cisco Meraki is the destination, what does the journey to get there look like?

Firstly, let’s set the scene. The term SASE was first mentioned by Gartner Analysts in July 2019 and Gartner continues…