A Show of (Brute) Force: Crysis Ransomware Found Targeting Australian and New Zealand Businesses

By | September 30, 2016

Crysis (detected as RANSOM_CRYSIS.A), a ransomware family first detected in February this year, has been spotted targeting businesses in Australia and New Zealand through remote desktop protocol (RDP) brute force attacks.
In early June this year, Crysis was reported to have set its sights on the market share left behind when TeslaCrypt’s developers shut down their operations, and on rivaling Locky’s prevalence in the ransomware threat landscape. Crysis is mainly distributed through spam emails, either with Trojanized attachments bearing double file extensions (to disguise the malware as a non-executable) or with links to compromised websites, and through online locations that distribute spurious installers for legitimate programs and applications. Although this was not immediately apparent when it was first discovered, we also observed that Crysis uses brute-forced RDP connections as one of its infection vectors.
We were able to monitor Crysis in attacks in which RDP credentials were brute-forced and the ransomware was then executed through a drive redirected from the attacker’s source computer. Drive redirection in the remote access tools built into Windows lets users conveniently access, process, and use files on local drives, as well as resources such as printers, the Clipboard, and supported plug-and-play and multimedia devices. Crysis’ ongoing activity against Australian and New Zealand businesses was initially detected in early August this year.
Figure 1. A sample infection flow of Crysis via an RDP brute force attack
RDP, which is built into Windows operating systems, provides an interface that allows end users to connect to another computer over a network connection. RDP has traditionally been abused to exfiltrate data as part of a targeted attack, to steal information that can be sold on online underground marketplaces, and to integrate the hijacked system into a network of bots used to launch further malicious attacks.
For ransomware operators running a hit-and-run business model to profit from victims as quickly as possible, exploiting RDP—especially RDP services used by businesses—can be lucrative. This is particularly true for Crysis, given its ability to scan and encrypt files on removable drives and network shares. A more adept malefactor, for instance, can employ various privilege escalation techniques to ultimately gain administrator access to the system and exacerbate the damage by moving through servers and encrypting more data.
Figure 2. One of Crysis’ ransom notes; this ransomware variant can encrypt 185 file types through a combination of RSA and AES encryption algorithms, delete back-ups via vssadmin, and add registry entries to enable automatic execution at every startup.
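The caption above names two host-side behaviors of Crysis that are visible in endpoint telemetry: deleting shadow copies with vssadmin and adding registry entries for automatic execution at startup. The following detection script is an added example and is not code from the article or from Trend Micro. It runs over a handful of constructed Sysmon-style events (process creation and registry value set) and flags both behaviors; the event field names follow Sysmon's conventions, but the host names, paths, and registry value names are invented for the example.

```python
import re

# Sysmon-style events, constructed for this example (not taken from the article).
# Event ID 1 = process creation, Event ID 13 = registry value set.
SAMPLE_EVENTS = [
    {"host": "ws-01", "event_id": 1, "image": r"C:\Windows\System32\vssadmin.exe",
     "command_line": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws-01", "event_id": 13,
     "target_object": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\update",
     "details": r"C:\Users\jsmith\AppData\Roaming\update.exe"},
    {"host": "ws-02", "event_id": 1, "image": r"C:\Windows\System32\vssadmin.exe",
     "command_line": "vssadmin.exe list shadows"},
    {"host": "ws-02", "event_id": 13,
     "target_object": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "details": r"C:\Program Files\Vendor\agent.exe"},
    {"host": "ws-02", "event_id": 1, "image": r"C:\Windows\System32\notepad.exe",
     "command_line": "notepad.exe notes.txt"},
]

# vssadmin invoked with both "delete" and "shadows" on its command line.
VSSADMIN_DELETE = re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.IGNORECASE)
# Autostart locations: the per-machine or per-user Run / RunOnce keys.
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# Directories a non-admin user can write to; an autostart entry pointing here is suspicious.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.IGNORECASE)


def classify_event(event):
    """Return (finding, evidence) for a suspicious event, or None for a benign one."""
    if event["event_id"] == 1 and VSSADMIN_DELETE.search(event.get("command_line", "")):
        return "shadow-copy-deletion", event["command_line"]
    if event["event_id"] == 13 and RUN_KEY.search(event.get("target_object", "")):
        # Run-key persistence is common for legitimate software too, so the
        # payload location decides the severity rather than the key itself.
        severity = "high" if USER_WRITABLE.search(event.get("details", "")) else "low"
        return f"run-key-persistence-{severity}", f'{event["target_object"]} -> {event["details"]}'
    return None


def scan(events):
    """Return [(host, finding, evidence), ...] for every suspicious event, in log order."""
    findings = []
    for event in events:
        hit = classify_event(event)
        if hit is not None:
            findings.append((event["host"], hit[0], hit[1]))
    return findings


if __name__ == "__main__":
    for host, finding, evidence in scan(SAMPLE_EVENTS):
        print(f"{host}: {finding}: {evidence}")
```

Run as written, the script reports the shadow-copy deletion and the high-severity Run entry on ws-01 and only a low-severity Run entry on ws-02; "vssadmin list shadows" is not flagged, because the rule requires the delete verb. In a real deployment the same two rules map directly onto SIEM queries over Sysmon event IDs 1 and 13.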
Ransomware and RDP attacks already share a history, one mostly involving businesses. In late October 2015, the operators behind the LowLevel04 ransomware (detected by Trend Micro as Ransom_LEVELO.A) were found brute-forcing RDP credentials and then manually downloading and installing the malware. LowLevel04 can scan for mapped network and removable drives and encrypt the files stored on them. It can also delete the computer’s event logs to hinder forensics on the infected machine.
LeChiffre (Ransom_LECTOOL.A), which made headlines in late January this year after hitting three banks and a pharmaceutical company, can encrypt local and networked files offline by generating the encryption keys locally. It also left a backdoor on the infected machine by replacing the process that invokes Sticky Keys (i.e., pressing the SHIFT key five times) with a malicious Command Prompt that gave the attackers access to the affected computer via its command-line interface.
In May, a variant of the Bucbi ransomware (Ransom_BUCBI.A) reportedly used an RDP brute force utility to breach internet-facing RDP servers. It drops a malicious executable that runs an encryption routine against all the network resources it can identify. Variants of Apocalypse (Ransom_APOCALYPSE.A), DMA Locker (Ransom_MADLOCKER.B), and Smrss32 (Ransom_CRYPTOWIPE.A) were also noted to have been installed manually via remote desktop.
Figure 3. Trend Micro™ Deep Security™ has configurable intrusion prevention rules that can detect and thwart suspicious RDP connection requests associated with possible brute force attacks.
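The brute force pattern the caption refers to can also be caught from the Windows Security log on the target itself. The script below is an added example, not code from the article or from any Trend Micro product: it applies a sliding-window count of failed RDP logons (event 4625, logon type 10) per source address and then raises a higher-severity alert if a flagged source later logs on successfully (event 4624), which is the moment in the infection flow of Figure 1 at which the attacker can push the ransomware over a redirected drive. The log records, account names, and IP addresses are constructed; the addresses come from documentation ranges.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def build_sample_events():
    """Constructed Windows Security log records (not from the article).

    Event 4625 is a failed logon and 4624 a successful one; logon type 10 is
    RemoteInteractive, i.e. RDP. 198.51.100.0/24 and 192.0.2.0/24 are documentation
    ranges used here as placeholders.
    """
    events = []
    t0 = datetime(2016, 8, 2, 3, 12, 0)
    # 30 failed RDP logons from one source in one minute, cycling through common names
    for i in range(30):
        events.append({"time": t0 + timedelta(seconds=2 * i), "event_id": 4625,
                       "logon_type": 10, "account": ["administrator", "admin", "backup"][i % 3],
                       "src_ip": "198.51.100.23"})
    # ... followed by a successful RDP logon from the same source
    events.append({"time": t0 + timedelta(seconds=70), "event_id": 4624, "logon_type": 10,
                   "account": "administrator", "src_ip": "198.51.100.23"})
    # A legitimate user mistypes a password once, then logs on
    t1 = datetime(2016, 8, 2, 9, 0, 0)
    events.append({"time": t1, "event_id": 4625, "logon_type": 10,
                   "account": "jsmith", "src_ip": "192.0.2.10"})
    events.append({"time": t1 + timedelta(seconds=20), "event_id": 4624, "logon_type": 10,
                   "account": "jsmith", "src_ip": "192.0.2.10"})
    return events


def detect_rdp_bruteforce(events, threshold=10, window=timedelta(minutes=5)):
    """Return alerts as (src_ip, kind, detail) tuples.

    kind is "brute-force" once a source accumulates `threshold` failed RDP logons
    within `window`, and "success-after-brute-force" when such a source later logs
    on successfully.
    """
    failures = defaultdict(deque)   # src_ip -> timestamps of recent failures
    accounts = defaultdict(set)     # src_ip -> account names tried
    flagged = set()
    alerts = []
    for e in sorted(events, key=lambda ev: ev["time"]):
        if e["logon_type"] != 10:
            continue                 # only RDP logons are of interest here
        ip, ts = e["src_ip"], e["time"]
        if e["event_id"] == 4625:
            q = failures[ip]
            q.append(ts)
            accounts[ip].add(e["account"])
            while ts - q[0] > window:    # drop failures that fell out of the window
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append((ip, "brute-force",
                               f"{len(q)} failed RDP logons against {len(accounts[ip])} "
                               f"accounts within {window}"))
        elif e["event_id"] == 4624 and ip in flagged:
            alerts.append((ip, "success-after-brute-force",
                           f"RDP logon as {e['account']} after {len(failures[ip])} recent failures"))
    return alerts


if __name__ == "__main__":
    for ip, kind, detail in detect_rdp_bruteforce(build_sample_events()):
        print(f"{ip}\t{kind}\t{detail}")
```

On the sample data the source 198.51.100.23 trips the threshold on its tenth failure and is reported again when it finally logs on as administrator, while the single typo from 192.0.2.10 produces nothing. The threshold and window are tunable; the success-after-failures rule is the one worth paging on, since it marks the point where an attacker actually has an interactive session.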
Mitigating the Risks
Cleanup after Crysis has proven tricky. In its attacks on Australian and New Zealand businesses, we saw this ransomware injecting Trojans into redirected and/or connected devices such as printers and routers. This part of Crysis’ infection chain allows the attackers to regain access and re-infect the system, even after the malware has been removed from the affected computer. This further illustrates why paying the ransom is not recommended, even if it seems expedient.
Administrators managing remote desktops are advised to close RDP access where possible, or otherwise to move RDP to a non-standard port. Updating and strengthening RDP credentials, together with two-factor authentication, account lockout policies, and user permission/restriction rules, makes RDP more resistant to brute force attacks. Ensuring that connected devices are securely wiped during cleanup mitigates the risk of further damage, while using encrypted channels helps keep attackers from snooping on remote connections. Keeping the RDP client and server software up to date also prevents potential vulnerabilities in RDP from being exploited.
Regularly backing up data—at least three backups, in two different media formats, with one copy stored off-site—is also an effective way to mitigate the effects of a ransomware attack.
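Of the mitigations listed above, the account lockout policy is the one whose effect on a brute force campaign is easiest to quantify. The simulation below is an added example and not part of the article; it models the three settings of a Windows lockout policy (threshold, counter reset period, lockout duration; the field names are descriptive, not the exact Group Policy labels) and counts how many wrong guesses actually reach the password check in one hour under a constructed workload of one guess per second, and also under a deliberately slow attacker who spaces guesses beyond the reset period.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class LockoutPolicy:
    """The three settings behind a Windows account lockout policy
    (descriptive names, not the exact Group Policy labels)."""
    threshold: int        # failed attempts before lockout; 0 means lockout is disabled
    reset_after_s: int    # seconds of quiet after which the failure counter resets
    duration_s: int       # seconds the account stays locked


def guesses_evaluated(policy: LockoutPolicy, attempt_times):
    """Simulate wrong-password attempts at the given times (seconds) and return how
    many are actually checked against the password, i.e. not rejected outright
    because the account was locked. Every attempt is assumed to be a wrong guess."""
    evaluated = 0
    bad_count = 0
    last_bad: Optional[int] = None
    locked_until: Optional[int] = None
    for t in attempt_times:
        if locked_until is not None:
            if t < locked_until:
                continue                  # locked: rejected without a password check
            locked_until = None           # lockout expired, counter starts fresh
            bad_count = 0
        if last_bad is not None and t - last_bad >= policy.reset_after_s:
            bad_count = 0                 # quiet period elapsed, counter resets
        evaluated += 1
        bad_count += 1
        last_bad = t
        if policy.threshold and bad_count >= policy.threshold:
            locked_until = t + policy.duration_s
            bad_count = 0
    return evaluated


def compare_one_hour():
    """Guesses that reach the password check in one hour under three scenarios.
    The workloads are constructed for the example: one guess per second, or one
    guess every 16 minutes for the slow attacker."""
    fast = range(0, 3600)                 # one wrong guess per second for an hour
    slow = range(0, 3600, 960)            # one guess every 16 minutes
    no_lockout = LockoutPolicy(threshold=0, reset_after_s=0, duration_s=0)
    typical = LockoutPolicy(threshold=5, reset_after_s=900, duration_s=900)
    return {
        "no_lockout": guesses_evaluated(no_lockout, fast),
        "five_in_15min": guesses_evaluated(typical, fast),
        "slow_attacker_every_16min": guesses_evaluated(typical, slow),
    }


if __name__ == "__main__":
    for scenario, count in compare_one_hour().items():
        print(f"{scenario}: {count} guesses evaluated in one hour")
```

With a 5-attempt threshold and 15-minute reset and lockout periods, the fast attacker gets 20 guesses checked per hour instead of 3,600, which is why the policy belongs on the list. The slow scenario shows the limit of the control: an attacker who waits longer than the reset period never trips it, so lockout complements strong credentials and two-factor authentication rather than replacing them. It also cuts the other way: anyone who can reach the logon prompt can lock a legitimate account on purpose, so pair the policy with monitoring of lockout events.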
Figure 4. Trend Micro™ Worry-Free Business Security™, which can detect and prevent intrusion to the network or system, has a Vulnerability Protection module that blocks attacks which leverage system and software vulnerabilities.

Trend Micro Ransomware Solutions
For small and medium-sized businesses and enterprises whose networked devices are targeted by ransomware such as Crysis, business continuity, finances, and company reputation are at stake. With cybercriminals intensifying their efforts to hold critical data hostage, a proactive, multilayered approach to security is important, spanning the gateway, endpoints, networks, and servers.


Email and Gateway Protection
Trend Micro Cloud App Security, Trend Micro™ Deep Discovery™ Email Inspector and InterScan™ Web Security address ransomware in common delivery methods such as email and web.
Spear phishing protection
Malware Sandbox
IP/Web Reputation
Document exploit detection

Endpoint Protection
Trend Micro Smart Protection Suites detect and stop suspicious behavior and exploits associated with ransomware at the endpoint level.
Ransomware Behavior Monitoring
Application Control
Vulnerability Shielding
Web Security

Network Protection
Trend Micro Deep Discovery Inspector detects malicious traffic, communications, and other activities associated with attempts to inject ransomware into the network.
Network Traffic Scanning
Malware Sandbox
Lateral Movement Prevention

Server Protection
Trend Micro Deep Security™ detects and stops suspicious network activity and shields servers and applications from exploits.
Webserver Protection
Vulnerability Shielding
Lateral Movement Prevention


Protection for Small-Medium Businesses
Trend Micro Worry-Free™ Business Security Advanced offers cloud-based email gateway security through Hosted Email Security that can detect and block ransomware.
Ransomware behavior monitoring
IP/Web Reputation

Protection for Home Users
Trend Micro Security 10 provides robust protection against ransomware by blocking malicious websites, emails, and files associated with this threat.
IP/Web Reputation
Ransomware Protection
Additional analysis by Michael Villanueva, Mick McCluney, and Joel Hartley
Post from: Trendlabs Security Intelligence Blog – by Trend Micro


