Guest Blog | A Show of (Brute) Force: Crysis Ransomware Found Targeting Australian and New Zealand Businesses – Trend Micro

Crysis (detected by Trend Micro as RANSOM_CRYSIS.A), a ransomware family first detected in February 2016, has been spotted targeting businesses in Australia and New Zealand through remote desktop protocol (RDP) brute force attacks.

In early June 2016, Crysis was reported to have set its sights on the market share left behind by TeslaCrypt when the latter’s developers shut down their operations, and to be rivalling Locky’s prevalence in the ransomware threat landscape. Crysis is mainly distributed through spam emails, either carrying Trojanised attachments with double file extensions (to disguise the malware as a non-executable file) or containing links to compromised websites, and through online locations that distribute spurious installers for legitimate programs and applications. Although it was not apparent when the family was first discovered, we have since observed brute-forced RDP being used as one of its infection vectors.

We were able to monitor Crysis in cyber-attacks in which RDP credentials were brute-forced and the ransomware was then executed via a drive redirected from the attacker’s source computer. Redirections in the remote access tools built into Windows let users conveniently access, process, and utilise files on local drives, as well as resources such as printers, the Clipboard, and supported plug-and-play and multimedia devices. Crysis’ ongoing activity against Australian and New Zealand businesses was initially detected in early August 2016.
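The brute-force stage described above leaves a characteristic trail in the Windows Security log: a burst of failed logons (event ID 4625) with logon type 10 (RemoteInteractive, i.e. RDP) from one source address, often followed by a successful logon (4624) from the same address once a password is guessed. The following PowerShell is an added example written for this article, not code from Trend Micro or from the original post; it runs the detection over a constructed set of event records so it can be tried offline. The threshold, window and addresses are assumptions.

```powershell
# Added example (not from the Trend Micro post): flag RDP brute-force patterns
# from Windows Security events. Event IDs 4625 (failed logon) and 4624 (logon
# succeeded) are standard; LogonType 10 = RemoteInteractive (RDP).
# The records below are constructed sample data; on a real host replace them
# with projected Get-WinEvent output (see the usage note).

function Find-RdpBruteForce {
    param(
        [Parameter(Mandatory)] [object[]] $Events,  # objects with TimeCreated, Id, LogonType, IpAddress, TargetUserName
        [int] $Threshold = 10,                       # failures per source before alerting (assumed policy)
        [int] $WindowMinutes = 5                     # sliding window length (assumed)
    )
    $results = @()
    $rdp = $Events | Where-Object { $_.LogonType -eq 10 } | Sort-Object TimeCreated
    foreach ($group in ($rdp | Group-Object IpAddress)) {
        $ip        = $group.Name
        $failures  = @($group.Group | Where-Object { $_.Id -eq 4625 })
        $successes = @($group.Group | Where-Object { $_.Id -eq 4624 })
        # Sliding window: for each failure, count the failures within WindowMinutes after it
        for ($i = 0; $i -lt $failures.Count; $i++) {
            $start    = $failures[$i].TimeCreated
            $inWindow = @($failures | Where-Object {
                $_.TimeCreated -ge $start -and $_.TimeCreated -le $start.AddMinutes($WindowMinutes) })
            if ($inWindow.Count -ge $Threshold) {
                $users = ($inWindow.TargetUserName | Sort-Object -Unique) -join ','
                # A success from the same source after the burst means a credential was guessed
                $breach = $successes |
                    Where-Object { $_.TimeCreated -gt $inWindow[-1].TimeCreated } |
                    Select-Object -First 1
                $results += [pscustomobject]@{
                    SourceIp     = $ip
                    Failures     = $inWindow.Count
                    FirstSeen    = $start
                    LastSeen     = $inWindow[-1].TimeCreated
                    UsersTried   = $users
                    SuccessAfter = if ($breach) { $breach.TargetUserName } else { $null }
                }
                break   # one alert per source address is enough
            }
        }
    }
    return $results
}

# Constructed sample: 12 failures against admin-style accounts from 203.0.113.7
# within 3 minutes, then a successful logon as 'backup' from the same address.
$base   = Get-Date '2016-08-01 02:00:00'
$sample = @()
0..11 | ForEach-Object {
    $sample += [pscustomobject]@{
        TimeCreated = $base.AddSeconds(15 * $_); Id = 4625; LogonType = 10
        IpAddress = '203.0.113.7'; TargetUserName = @('administrator','admin','backup')[$_ % 3]
    }
}
$sample += [pscustomobject]@{ TimeCreated = $base.AddMinutes(4); Id = 4624; LogonType = 10
                              IpAddress = '203.0.113.7'; TargetUserName = 'backup' }
# A legitimate user from the office network: one typo, then a success (must not alert)
$sample += [pscustomobject]@{ TimeCreated = $base.AddMinutes(1); Id = 4625; LogonType = 10
                              IpAddress = '192.0.2.40'; TargetUserName = 'jsmith' }
$sample += [pscustomobject]@{ TimeCreated = $base.AddMinutes(2); Id = 4624; LogonType = 10
                              IpAddress = '192.0.2.40'; TargetUserName = 'jsmith' }

Find-RdpBruteForce -Events $sample | Format-Table -AutoSize
```

On a real host, build `$Events` from `Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625 }` and project each event's `TimeCreated`, `Id`, and the `TargetUserName`, `LogonType` and `IpAddress` fields of its `EventData` (for example by reading `[xml]$_.ToXml()`) into objects with the property names the function expects. The single failed attempt from `192.0.2.40` shows why a per-source threshold matters: ordinary mistyped passwords should not raise the alert, while the `SuccessAfter` column is the row to act on first, since it indicates the brute force worked.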

For ransomware operators running a hit-and-run business model to profit from victims as quickly as possible, exploiting RDP—especially those utilised by businesses—can be lucrative. This is particularly true for Crysis, given its ability to scan and encrypt files on removable drives and network shares. For instance, a more adept malefactor can employ various privilege escalation techniques to ultimately gain administrator access to the system and exacerbate the damage by perusing through servers and encrypting more data.

Mitigating the Risks

Cleanup from Crysis has been noted to be tricky. In its attacks on Australian and New Zealand businesses, we saw this ransomware injecting Trojans into redirected and/or connected devices such as printers and routers. This part of Crysis’ infection chain allows the attackers to regain access to and reinfect the system, even after the malware has been removed from the affected computer. This further illustrates why paying the ransom is not recommended, even if it seems expedient.

Administrators managing remote desktops are advised to close RDP access if possible, or otherwise to move RDP to a non-standard port. Updating and strengthening RDP credentials, and implementing two-factor authentication, account lockout policies and user permission/restriction rules, can make RDP more resistant to brute force attacks. Ensuring that connected devices are securely wiped during cleanups can mitigate the risk of further damage, while using encrypted channels can help stop attackers from snooping on remote connections. Keeping RDP client and server software up to date can also prevent potential vulnerabilities in RDP from being exploited.
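Most of the recommendations above can be applied on a Windows host from an elevated PowerShell session. The script below is an added example written for this article, not code from Trend Micro or from the original post; the registry values and cmdlets it uses are standard Windows ones, while the port number, lockout thresholds and management subnet are assumptions to adjust to local policy. It also turns off the drive redirection that carried the ransomware in the attacks described earlier, which the post's text implies but does not spell out as a step.

```powershell
# Added example (not from the Trend Micro post): apply the RDP hardening
# recommended above on a single Windows host. Run elevated, from a console
# session or a second admin channel: the listener restarts at the end.
# Port, lockout values and allowed subnet below are assumptions.

$RdpKey            = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$RdpTcp            = "$RdpKey\WinStations\RDP-Tcp"
$AllowedMgmtSubnet = '192.0.2.0/24'   # assumption: only the admin network may reach RDP
$NewPort           = 33890            # assumption: non-standard listening port

# 1. Where RDP is not needed at all, disable it (the post's first recommendation).
function Disable-Rdp {
    Set-ItemProperty -Path $RdpKey -Name fDenyTSConnections -Value 1 -Type DWord
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
}

# 2. Otherwise: move the port, require Network Level Authentication so a client
#    must authenticate before a session is created, raise session encryption,
#    and only admit the management subnet. The firewall rule is created before
#    the listener is restarted so the host is never unreachable on both ports.
function Set-RdpHardening {
    Set-ItemProperty -Path $RdpTcp -Name PortNumber         -Value $NewPort -Type DWord
    Set-ItemProperty -Path $RdpTcp -Name UserAuthentication -Value 1        -Type DWord   # NLA on
    Set-ItemProperty -Path $RdpTcp -Name MinEncryptionLevel -Value 3        -Type DWord   # 3 = High
    New-NetFirewallRule -DisplayName "RDP (hardened, TCP $NewPort)" -Direction Inbound `
        -Protocol TCP -LocalPort $NewPort -RemoteAddress $AllowedMgmtSubnet `
        -Action Allow -Profile Domain, Private
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'   # built-in 3389 allow rules
    Restart-Service TermService -Force                        # listener picks up the new port
}

# 3. Account lockout: guessing stops after a few failures. This sets the local
#    policy; in a domain set the equivalent via Group Policy instead.
function Set-LockoutPolicy {
    net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30
}

# 4. Crysis was launched from a drive redirected into the session; disabling
#    client drive mapping server-side removes that path (policy value fDisableCdm).
function Disable-DriveRedirection {
    $pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    New-Item -Path $pol -Force | Out-Null
    Set-ItemProperty -Path $pol -Name fDisableCdm -Value 1 -Type DWord
}

Set-RdpHardening
Set-LockoutPolicy
Disable-DriveRedirection
```

Two of the post's recommendations are not covered by host settings alone: two-factor authentication needs an RD Gateway or a third-party authentication provider in front of the listener, and patching is a matter of keeping Windows Update (or the organisation's patch tooling) current on both the servers and the client machines. Changing the port only reduces noise from opportunistic scanners; the firewall scoping, NLA and lockout policy are what actually blunt a brute force attempt.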

————————————————–

JuiceIT 2017 – Beyond the Hype!

Trend Micro will be attending JuiceIT and we look forward to meeting you at the event!


Tags: JuiceIT 2017, Ransomware
