CRYSIS ransomware distributed by brute force attacks
Fri 10 Feb 2017
Researchers have discovered that CRYSIS ransomware, which first appeared last year, is being distributed by brute force remote desktop (RDP) attacks.
These attacks have more than doubled in volume in January 2017 over a similar time period in 2016. Originally, CRYSIS ransomware was focused on businesses in Australia and New Zealand.
While the latest wave has included a wide variety of sectors worldwide, the hardest hit has been the U.S. healthcare sector.
Researchers at Trend Micro, who have been following the ransomware attacks, noted that the same malicious individuals who conducted the 2016 dispersal of CRYSIS appear to be behind the current series of attacks, using the same file names and malware placement as were used in earlier incidents.
In the current iteration, the attacker uses either a shared folder or the clipboard of the remote desktop session to deliver the malware to the targeted machine once the system has been accessed remotely; these redirection features expose the local resources of the network to the attacker and vice versa.
The attacker attempts to log in to the system using commonly used username and password combinations, and once the system is accessed the attacker returns multiple times in a short period of time to infect the endpoint. The researchers found that these repeated attempts were generally successful in a matter of minutes.
In one case it was observed that CRYSIS was deployed six times, packed in different ways on a single endpoint within ten minutes. The attackers copied over several files and appeared to be experimenting with different payloads to find the best option.
Because there are no default restrictions on shared folders or clipboards, these features may be exposed to the internet and accessible by a malicious individual unless the network administrator applies controls.
Recommendations to protect a network from a brute force RDP attack include applying appropriate security measures to Remote Desktop features, including limiting or disabling access to shared folders and clipboards from remote locations.
Because an RDP brute force attack leaves the attacker's connection details on the targeted network, should a user encounter CRYSIS, researchers recommend attempting to identify the offending IP addresses. Windows administrators can find remote desktop IP addresses in the Windows Event Viewer, which will include both the compromised user account and the IP address of the attacker.
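As an added illustration of the detection step described above (not code from the article or from Trend Micro), the script below scans constructed sample logon records, in the shape an administrator might export from Event Viewer, and reports the account and source IP of any RDP logon that succeeded only after a burst of failures from the same address. The event IDs 4625 (failed logon) and 4624 (successful logon) and logon type 10 (RemoteInteractive, i.e. RDP) are standard Windows Security log values; the record format and the sample addresses are assumptions made for this example.

```python
"""Flag RDP brute-force logons in exported Windows Security events.

Constructed sample records (not real logs). Each line mimics fields exported
from Event Viewer: timestamp, event ID, account, logon type, source IP.
4625 = failed logon, 4624 = successful logon, logon type 10 = RDP.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_EVENTS = """\
2017-01-20T03:10:01 4625 Administrator 10 203.0.113.45
2017-01-20T03:10:02 4625 Administrator 10 203.0.113.45
2017-01-20T03:10:03 4625 admin 10 203.0.113.45
2017-01-20T03:10:04 4625 backup 10 203.0.113.45
2017-01-20T03:10:09 4625 Administrator 10 203.0.113.45
2017-01-20T03:11:30 4624 backup 10 203.0.113.45
2017-01-20T03:15:00 4624 jsmith 10 198.51.100.7
2017-01-20T03:40:00 4624 backup 10 203.0.113.45
"""


def parse_events(text):
    """Turn the exported lines into dicts with typed fields."""
    events = []
    for line in text.splitlines():
        ts, event_id, account, logon_type, src_ip = line.split()
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "account": account,
            "logon_type": int(logon_type),
            "src_ip": src_ip,
        })
    return events


def find_brute_force_logons(events, min_failures=4, window=timedelta(minutes=10)):
    """Return (src_ip, account, time) for each successful RDP logon that was
    preceded by at least `min_failures` failed RDP logons from the same
    source IP within `window`. Accounts reported here are the ones to treat
    as compromised; the IPs are the ones to block and investigate."""
    failures = defaultdict(list)  # src_ip -> timestamps of failed RDP logons
    hits = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["logon_type"] != 10:          # only remote desktop logons matter here
            continue
        if ev["event_id"] == 4625:
            failures[ev["src_ip"]].append(ev["time"])
        elif ev["event_id"] == 4624:
            recent = [t for t in failures[ev["src_ip"]] if ev["time"] - t <= window]
            if len(recent) >= min_failures:
                hits.append((ev["src_ip"], ev["account"], ev["time"].isoformat()))
    return hits
```

On the sample data only the 03:11:30 logon by `backup` from 203.0.113.45 is flagged; the later 03:40:00 logon from the same address falls outside the ten-minute window, so a second, longer window (or a rule on repeated successful logons from a flagged IP) would be needed to catch the return visits the article describes.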