A Show of (Brute) Force: Crysis Ransomware Found Targeting Australian and New Zealand Businesses

September 30, 2016

Crysis (detected as RANSOM_CRYSIS.A), a ransomware family first detected in February this year, has been spotted targeting businesses in Australia and New Zealand through remote desktop protocol (RDP) brute force attacks.
Crysis was reported in early June this year to have set its sights on carving out the market share left by TeslaCrypt when the latter's developers shut down their operation, and to be rivaling Locky's prevalence in the ransomware threat landscape. Crysis is mainly distributed through spam emails, either with Trojanized attachments carrying double file extensions (to disguise the malware as a non-executable) or with links to compromised websites, and through online locations that distribute spurious installers for legitimate programs and applications. Although this was not immediately seen when it was first discovered, we have also observed it using brute-forced RDP credentials as one of its infection vectors.
We were able to monitor Crysis in attacks that began with brute-forced RDP credentials, after which the ransomware was executed from a drive redirected into the session from the attacker's source computer. Drive redirection in Windows Remote Desktop maps the client's local drives into the remote session, alongside resources such as printers, the Clipboard, and supported plug and play and multimedia devices; an attacker who can log in can therefore copy and launch a payload from their own machine without ever downloading it to the target from the internet. Crysis' ongoing activity against Australian and New Zealand businesses was initially detected in early August this year.
Figure 1. A sample infection flow of Crysis via an RDP brute force attack
RDP, which is built into Windows operating systems, provides an interface that allows end users to connect to another computer over a network connection. RDP has traditionally been abused to exfiltrate data as part of a targeted attack, to steal information that can be sold in online underground marketplaces, and to enroll the hijacked system into a botnet used to launch further attacks.
For ransomware operators running a hit-and-run business model to profit from victims as quickly as possible, exploiting RDP, especially on systems used by businesses, can be lucrative. This is particularly true for Crysis, given its ability to scan for and encrypt files on removable drives and network shares. A more adept attacker can also employ privilege escalation techniques to gain administrator access to the system and exacerbate the damage by moving through servers and encrypting more data.
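The attack chain above leaves a distinctive trace on the RDP host: a burst of failed logons from one source address, then a success from that same address. The script below is an added example written for this page (it is not Trend Micro's tooling and not part of the original post) that reads the Windows Security log, groups failed logons by source IP, flags any address that crosses a threshold inside a time window, and reports whether a successful logon followed. The threshold, window and the constructed sample events are assumptions for illustration.

```powershell
# Added example (not from the original post): flag RDP brute-force bursts in
# the Windows Security log and report whether a burst was followed by a
# success, which is the moment an attacker would log in and run a payload
# from a redirected drive.
#
# Event IDs: 4625 = failed logon, 4624 = successful logon.
# LogonType 10 = RemoteInteractive (classic RDP). With Network Level
# Authentication enabled, failed RDP attempts are usually recorded as
# LogonType 3 (Network) because CredSSP rejects them before a session
# exists, so both types are considered. Thresholds are assumptions; tune them.

$Threshold     = 10   # failures from one source IP ...
$WindowMinutes = 5    # ... within this many minutes

function Get-RdpLogonEvents {
    # Read the last 24 hours of logon events from the live Security log and
    # project the fields the detector needs out of each event's XML.
    $filter = @{ LogName = 'Security'; Id = 4624, 4625; StartTime = (Get-Date).AddHours(-24) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Id        = $_.Id
            LogonType = [int]$data['LogonType']
            User      = $data['TargetUserName']
            SourceIp  = $data['IpAddress']
        }
    }
}

function Find-RdpBruteForce {
    param([object[]]$Events, [int]$Threshold, [int]$WindowMinutes)
    # Keep only remote attempts with a usable source address; local and
    # service logons report '-' or nothing in IpAddress.
    $remote = $Events | Where-Object {
        ($_.LogonType -eq 3 -or $_.LogonType -eq 10) -and $_.SourceIp -and $_.SourceIp -ne '-'
    }
    foreach ($group in ($remote | Group-Object -Property SourceIp)) {
        $fails = @($group.Group | Where-Object { $_.Id -eq 4625 } | Sort-Object -Property Time)
        # Sliding window: report the first window from this IP that crosses the threshold.
        for ($i = 0; $i -lt $fails.Count; $i++) {
            $start    = $fails[$i].Time
            $end      = $start.AddMinutes($WindowMinutes)
            $inWindow = @($fails | Where-Object { $_.Time -ge $start -and $_.Time -lt $end })
            if ($inWindow.Count -lt $Threshold) { continue }
            # A 4624 from the same IP after the burst means a credential was guessed.
            $hit = $group.Group | Where-Object { $_.Id -eq 4624 -and $_.Time -gt $start } |
                   Sort-Object -Property Time | Select-Object -First 1
            $guessedAs = ''
            if ($hit) { $guessedAs = $hit.User }
            [pscustomobject]@{
                SourceIp    = $group.Name
                Failures    = $inWindow.Count
                UsersTried  = (@($inWindow.User) | Sort-Object -Unique) -join ','
                FirstSeen   = $start
                SucceededAs = $guessedAs
            }
            break
        }
    }
}

# Constructed sample data (not real log entries): one attacker address makes
# 12 failed attempts in three minutes and then logs in successfully, while a
# legitimate user mistypes a password once from another address.
$t0 = Get-Date '2016-08-01 02:00:00'
$sample = @()
foreach ($i in 0..11) {
    $sample += [pscustomobject]@{
        Time = $t0.AddSeconds(15 * $i); Id = 4625; LogonType = 3
        User = @('administrator', 'admin', 'backup')[$i % 3]; SourceIp = '203.0.113.45'
    }
}
$sample += [pscustomobject]@{ Time = $t0.AddMinutes(4); Id = 4624; LogonType = 10; User = 'administrator'; SourceIp = '203.0.113.45' }
$sample += [pscustomobject]@{ Time = $t0.AddMinutes(1); Id = 4625; LogonType = 10; User = 'jsmith';        SourceIp = '192.0.2.10' }

Find-RdpBruteForce -Events $sample -Threshold $Threshold -WindowMinutes $WindowMinutes | Format-List

# Against the live log on an RDP host (run elevated):
# Find-RdpBruteForce -Events (Get-RdpLogonEvents) -Threshold $Threshold -WindowMinutes $WindowMinutes
```

Two caveats for a real deployment: the Security log must actually be auditing logon events (the "Audit Logon" subcategory, success and failure), and a host that is hammered by automated scanners will fill the log quickly, so the query should be bounded to a short time range or moved to a SIEM. A burst that ends in a 4624 is the alert worth waking someone for; the password was guessed and the next event is likely to be the ransomware.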
Figure 2. One of Crysis' ransom notes; this ransomware variant can encrypt 185 file types through a combination of the RSA and AES encryption algorithms, delete Volume Shadow Copies (the local backups Windows keeps) via vssadmin, and add registry entries so that it runs automatically at every startup.
Ransomware and RDP attacks already share a history, mostly involving businesses. In late October 2015, the operators behind the LowLevel04 ransomware (detected by Trend Micro as Ransom_LEVELO.A) were found brute forcing RDP credentials and then manually downloading and installing the malware. It can scan for mapped network and removable drives and encrypt the files stored on them, and it can delete the computer's event logs to hinder forensics on the infected machine.
LeChiffre (Ransom_LECTOOL.A), which made headlines in late January this year after hitting three banks and a pharmaceutical company, can encrypt local and networked files offline because it generates the encryption keys locally. It also left a backdoor on the infected machine by replacing the program that Windows launches for Sticky Keys (pressing the SHIFT key five times, which works even at the logon screen) with a Command Prompt, giving the attackers a command-line shell on the affected computer without having to log in.
In May, a variant of the Bucbi ransomware (Ransom_BUCBI.A) reportedly used an RDP brute force utility to breach internet-facing RDP servers. It drops a malicious executable that runs its encryption routine against every network resource it can identify. Variants of Apocalypse (Ransom_APOCALYPSE.A), DMA Locker (Ransom_MADLOCKER.B), and Smrss32 (Ransom_CRYPTOWIPE.A) have also been noted to have been installed manually via remote desktop.
Figure 3. Trend Micro™ Deep Security™ has configurable intrusion prevention rules that can detect and thwart suspicious RDP connection requests associated with possible brute force attacks.
Mitigating the Risks
Cleanup from Crysis has proven tricky. In its attacks on Australian and New Zealand businesses, we saw this ransomware injecting Trojans into redirected and/or connected devices such as printers and routers. This part of Crysis' infection chain allows the attackers to regain access and re-infect the system even after the malware has been removed from the affected computer, so a cleanup that stops at the endpoint is not complete. This further illustrates why paying the ransom is not recommended, even if it seems expedient.
Administrators managing remote desktops are advised to close RDP access from the internet where possible. Moving RDP to a non-standard port only reduces the noise from automated scanners and should not be mistaken for protection. Strong, unique RDP credentials, two-factor authentication, account lockout policies, and user permission/restriction rules (including disabling drive and device redirection where it is not needed) make RDP endpoints far more resistant to brute force attacks. Securely wiping connected devices during cleanups mitigates the risk of further damage, while requiring Network Level Authentication over an encrypted (TLS) channel, or placing RDP behind a VPN, keeps attackers from snooping on remote connections and forces authentication before a session is even created. Keeping the RDP client and server software up to date also prevents known RDP vulnerabilities from being exploited.
Regularly backing up data using the 3-2-1 rule (at least three copies of the data, on two different media, with one copy stored off-site) is also an effective way to limit the effects of a ransomware attack.
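The host-level controls above can be applied on a single Windows machine with a short script. The one below is an added example written for this page (not Trend Micro's code and not part of the original post): it turns on Network Level Authentication over TLS, disables the drive, clipboard, printer and plug-and-play redirection that carried the payload in this campaign, sets an account lockout policy, and scopes the built-in Remote Desktop firewall rules to a management network. The management subnet, lockout numbers and alternate port are assumptions; on a domain, the lockout and redirection settings belong in Group Policy so they cannot be undone locally.

```powershell
# Added example (not from the original post): apply the RDP hardening the
# article recommends on one Windows host. Run in an elevated PowerShell
# session. Addresses, thresholds and the port are assumptions for illustration.

$rdpTcp   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$tsPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$mgmtNet  = '10.0.0.0/24'   # assumption: the only network allowed to reach RDP

# 1. Require Network Level Authentication over TLS. Credentials are verified
#    before any session (and its redirected drives) is created, and the
#    transport is encrypted. Clients must support CredSSP (Vista and later).
Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1 -Type DWord   # NLA on
Set-ItemProperty -Path $rdpTcp -Name SecurityLayer      -Value 2 -Type DWord   # 2 = TLS
Set-ItemProperty -Path $rdpTcp -Name MinEncryptionLevel -Value 3 -Type DWord   # 3 = High

# 2. Disable drive, clipboard, printer and plug-and-play redirection. Drive
#    redirection is the channel used to bring the ransomware into the session.
#    These registry values are the ones behind the matching Group Policy
#    settings and take precedence over the per-connection RDP-Tcp values.
New-Item -Path $tsPolicy -Force | Out-Null
foreach ($name in 'fDisableCdm', 'fDisableClip', 'fDisableCpm', 'fDisablePNPRedir') {
    Set-ItemProperty -Path $tsPolicy -Name $name -Value 1 -Type DWord
}

# 3. Account lockout so passwords cannot be tried at network speed: five
#    failures lock the account for 30 minutes, and the failure counter resets
#    after 30 minutes. On a domain, set this in the Default Domain Policy.
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30 | Out-Null

# 4. Restrict who can reach the listener. Scoping the built-in Remote Desktop
#    firewall rules to the management network is far stronger than moving the
#    port. If RDP is not needed on this host at all, disable the rules instead:
#    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    Set-NetFirewallRule -RemoteAddress $mgmtNet

# 5. Optional: move off 3389 to cut scanner noise. This is not a security
#    control on its own; it needs a reboot and a firewall rule for the new port.
# Set-ItemProperty -Path $rdpTcp -Name PortNumber -Value 33890 -Type DWord

# Verify what is now in effect.
Get-ItemProperty -Path $rdpTcp   | Select-Object UserAuthentication, SecurityLayer, MinEncryptionLevel
Get-ItemProperty -Path $tsPolicy | Select-Object fDisableCdm, fDisableClip, fDisableCpm, fDisablePNPRedir
net accounts
```

Two-factor authentication for RDP is not a registry switch; it needs a Remote Desktop Gateway or a third-party credential provider, which is why it is left out of the script. Also note that lockout policies turn a brute force attempt into a denial of service against the targeted accounts, so pair them with the source-IP scoping in step 4 and with monitoring for lockout events rather than relying on lockout alone.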
Figure 4. Trend Micro™ Worry-Free Business Security™, which can detect and prevent intrusion to the network or system, has a Vulnerability Protection module that blocks attacks which leverage system and software vulnerabilities.

Trend Micro Ransomware Solutions
For small and medium-sized businesses and enterprises whose networked devices are targeted by ransomware such as Crysis, business continuity, financial losses and company reputation are at stake. With cybercriminals intensifying their efforts to hold critical data hostage, a proactive, multilayered approach to security is important, from the gateway to endpoints, networks, and servers.

PROTECTION FOR ENTERPRISES

Email and Gateway Protection
Trend Micro Cloud App Security, Trend Micro™ Deep Discovery™ Email Inspector and InterScan™ Web Security address ransomware in common delivery methods such as email and web.
Spear phishing protection
Malware Sandbox
IP/Web Reputation
Document exploit detection

Endpoint Protection
Trend Micro Smart Protection Suites detect and stop suspicious behavior and exploits associated with ransomware at the endpoint level.
Ransomware Behavior Monitoring
Application Control
Vulnerability Shielding
Web Security

Network Protection
Trend Micro Deep Discovery Inspector detects malicious traffic, communications, and other activities associated with attempts to inject ransomware into the network.
Network Traffic Scanning
Malware Sandbox
Lateral Movement Prevention

Server Protection
Trend Micro Deep Security™ detects and stops suspicious network activity and shields servers and applications from exploits.
Webserver Protection
Vulnerability Shielding
Lateral Movement Prevention

PROTECTION FOR SMALL-MEDIUM BUSINESSES AND HOME USERS

Protection for Small-Medium Businesses
Trend Micro Worry-Free™ Business Security Advanced offers cloud-based email gateway security through Hosted Email Security that can detect and block ransomware.
Ransomware behavior monitoring
IP/Web Reputation

Protection for Home Users
Trend Micro Security 10 provides robust protection against ransomware by blocking malicious websites, emails, and files associated with this threat.
IP/Web Reputation
Ransomware Protection
Additional analysis by Michael Villanueva, Mick McCluney, and Joel Hartley
Post from: Trendlabs Security Intelligence Blog – by Trend Micro