Crysis (detected by Trend Micro as RANSOM_CRYSIS.A), a ransomware family first detected in February this year, has been spotted targeting businesses in Australia and New Zealand through remote desktop protocol (RDP) brute force attacks.
Crysis was reported in early June this year to have set its sights on the market share left by TeslaCrypt when the latter’s developers shut down their operations, and to be rivaling Locky’s prevalence in the ransomware threat landscape. Crysis is mainly distributed through spam emails, either with Trojanized attachments using double file extensions (to disguise the executable as a non-executable document) or with links to compromised websites, and through online locations that distribute spurious installers for legitimate programs and applications. Although not seen when it was first discovered, we have since observed brute-forced RDP logins as one of its infection vectors.
We were able to monitor Crysis in attacks involving brute-forced RDP credentials, in which the ransomware was launched from a drive redirected into the session from the attacker’s own machine. RDP device redirection in Windows lets a remote session conveniently access, process, and use files on the client’s local drives, as well as resources such as printers, the Clipboard, and supported plug-and-play and multimedia devices; the same mechanism lets an attacker with valid credentials copy in and run a payload without a separate download. Crysis’ ongoing activity against Australian and New Zealand businesses was initially detected in early August this year.
RDP, which is built into Windows operating systems, lets an end user connect to another computer’s desktop over a network connection. Exposed RDP services have traditionally been abused to exfiltrate data as part of a targeted attack, to steal information that can be sold in online underground marketplaces, and to enlist the hijacked system into a botnet used to launch further attacks.
For ransomware operators running a hit-and-run business model to profit from victims as quickly as possible, abusing RDP, especially services exposed by businesses, can be lucrative. This is particularly true for Crysis, given its ability to scan and encrypt files on removable drives and network shares. A more capable attacker can also use privilege escalation techniques to gain administrator access on the system and compound the damage by moving through servers and encrypting more data.
Figure 2. One of Crysis’ ransom notes; this ransomware variant can encrypt 185 file types through a combination of RSA and AES encryption algorithms, delete back-ups via vssadmin, and add registry entries to enable automatic execution at every startup.
Ransomware and RDP attacks already share a history, mostly involving businesses. In late October 2015, operators behind the LowLevel04 ransomware (detected by Trend Micro as Ransom_LEVELO.A) were found brute forcing RDP credentials then manually downloading and installing the malware. It has the ability to scan for mapped network and removable drives and encrypt files stored on them. It can also delete the computer’s event logs to prevent forensics on the infected machine.
LeChiffre (Ransom_LECTOOL.A), which made headlines in late January this year after hitting three banks and a pharmaceutical company, can encrypt local and networked files offline by generating the encryption keys locally. It also left a backdoor on the infected machine by replacing the Sticky Keys helper (invoked by pressing the SHIFT key five times, which also works at the logon screen) with a Command Prompt, giving the attackers command-line access to the affected computer without valid credentials.
In May, a variant of the Bucbi ransomware (Ransom_BUCBI.A) reportedly used an RDP brute force utility tool to breach internet-facing RDP servers. It drops a malicious executable that can run an encryption routine to all available network resources it can identify. Variants of Apocalypse (Ransom_APOCALYPSE.A), DMA Locker (Ransom_MADLOCKER.B), and Smrss32 (Ransom_CRYPTOWIPE.A) were also noted to have been installed manually via remote desktop.
Figure 3. Trend Micro™ Deep Security™ has configurable intrusion prevention rules that can detect and thwart suspicious RDP connection requests associated with possible brute force attacks.
Mitigating the Risks
Cleanup from Crysis has been noted to be tricky. In its attacks on Australian and New Zealand businesses, we saw this ransomware injecting Trojans into redirected and/or connected devices such as printers and routers. This part of Crysis’ infection chain allows the attackers to regain access to and re-infect the system, even after the malware has been removed from the affected computer. This further illustrates why paying the ransom is not recommended, even if it seems expedient.
Administrators managing remote desktops should disable RDP access where it is not needed, and otherwise restrict who can reach it (for example by allowing only specific source addresses or requiring a VPN); moving RDP to a non-standard port reduces exposure to opportunistic scanning but does not by itself stop a determined brute force attempt. Updating and strengthening RDP credentials, implementing two-factor authentication, account lockout policies, and user permission/restriction rules can make the service more resistant to brute force attacks. Ensuring that connected devices are securely wiped during cleanups can mitigate the risk of further damage, while requiring encrypted, authenticated connections (TLS with Network Level Authentication) helps keep attackers from snooping on remote sessions. Keeping the RDP client and server software up to date can also prevent known RDP vulnerabilities from being exploited.
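The brute force attempts described above, and the account lockout threshold recommended as a countermeasure, leave a recognisable pattern in the Windows Security log: a burst of failed logons (Event ID 4625) with logon type 10 (RemoteInteractive, i.e. RDP) from one source address, often cycling through several account names, sometimes followed by a successful logon (Event ID 4624) from that same source. The following detector is an added example, not Trend Micro’s code or part of the products named on this page. It runs over a small constructed sample in a simplified whitespace-separated export format (the field names mirror the Security log’s TargetUserName, IpAddress and LogonType); the threshold and window values are assumptions chosen to line up with a typical lockout policy.

```python
"""Flag RDP password guessing in Windows Security log events.

Added example, not Trend Micro's code. Assumes a simplified export format:
    <timestamp> <EventID> <TargetUserName> <IpAddress> <LogonType>
Event ID 4625 = failed logon, 4624 = successful logon,
LogonType 10 = RemoteInteractive (RDP).
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5              # assumption: matches a common lockout threshold
WINDOW = timedelta(minutes=5)   # assumption: sliding window per source address
RDP_LOGON_TYPE = 10

# Constructed sample: one guessing burst from 203.0.113.7 that eventually
# succeeds against "backup", one ordinary typo from 198.51.100.4, and one
# local (non-RDP) logon that must be ignored.
SAMPLE_LOG = """\
2016-08-01T02:00:01 4625 administrator 203.0.113.7 10
2016-08-01T02:00:03 4625 administrator 203.0.113.7 10
2016-08-01T02:00:05 4625 admin 203.0.113.7 10
2016-08-01T02:00:06 4625 Administrator 203.0.113.7 10
2016-08-01T02:00:08 4625 backup 203.0.113.7 10
2016-08-01T02:00:09 4625 backup 203.0.113.7 10
2016-08-01T02:00:20 4624 backup 203.0.113.7 10
2016-08-01T02:01:00 4625 jsmith 198.51.100.4 10
2016-08-01T02:01:30 4624 jsmith 198.51.100.4 10
2016-08-01T09:00:00 4624 jsmith 192.0.2.10 2
"""


def parse_events(text):
    """Turn the export lines into dicts; user names are case-folded because
    Windows logons are case-insensitive and guessers vary the case."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, user, ip, logon_type = line.split()
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
            "event_id": int(event_id),
            "user": user.lower(),
            "ip": ip,
            "logon_type": int(logon_type),
        })
    return events


def detect(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return alerts for (a) a source exceeding `threshold` RDP failures inside
    `window` and (b) an RDP success from a flagged source while its burst is
    still inside the window (the 'they got in' case)."""
    failures = defaultdict(deque)   # ip -> timestamps of recent 4625s
    targets = defaultdict(set)      # ip -> account names tried
    flagged = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["logon_type"] != RDP_LOGON_TYPE:
            continue                # console/network logons are out of scope
        recent = failures[ev["ip"]]
        while recent and ev["time"] - recent[0] > window:
            recent.popleft()        # expire failures older than the window
        if ev["event_id"] == 4625:
            recent.append(ev["time"])
            targets[ev["ip"]].add(ev["user"])
            if len(recent) >= threshold and ev["ip"] not in flagged:
                flagged.add(ev["ip"])
                alerts.append({
                    "kind": "brute_force", "ip": ev["ip"], "time": ev["time"],
                    "failures": len(recent), "users": sorted(targets[ev["ip"]]),
                })
        elif ev["event_id"] == 4624 and ev["ip"] in flagged and recent:
            alerts.append({
                "kind": "success_after_brute_force", "ip": ev["ip"],
                "user": ev["user"], "time": ev["time"],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG)):
        print(alert)
```

On the sample, the first alert fires at the fifth failure from 203.0.113.7 (three distinct account names tried), and the second fires on the later successful logon as "backup" from the same address; the single failure from 198.51.100.4 and the local logon type 2 event produce nothing. The second alert is the one worth paging on: a lockout policy with a threshold of five would have stopped the burst before it reached the sixth guess, which is exactly why the page recommends one.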
Regularly backing up data following the 3-2-1 rule (at least three copies, on two different media, with one copy stored off-site and not reachable from the network the ransomware can encrypt) is also an effective way to mitigate the effects of a ransomware attack.
Figure 4. Trend Micro™ Worry-Free Business Security™, which can detect and prevent intrusion to the network or system, has a Vulnerability Protection module that blocks attacks which leverage system and software vulnerabilities.
Trend Micro Ransomware Solutions
For small-medium businesses and enterprises whose networked devices are targeted by ransomware such as Crysis, business continuity, financial losses and company reputation are at stake. With cybercriminals intensifying their efforts to hold critical data hostage, a proactive, multilayered approach to security is important, from gateway, endpoints, networks, and servers.
Trend Micro Deep Discovery Inspector detects malicious traffic, communications, and other activities associated with attempts to inject ransomware into the network. (Network Traffic Scanning, Malware Sandbox, Lateral Movement Prevention)
Trend Micro Deep Security™ detects and stops suspicious network activity and shields servers and applications from exploits. (Webserver Protection, Vulnerability Shielding, Lateral Movement Prevention)
PROTECTION FOR SMALL-MEDIUM BUSINESSES AND HOME USERS
Protection for Small-Medium Businesses
Trend Micro Worry-Free™ Business Security Advanced offers cloud-based email gateway security through Hosted Email Security that can detect and block ransomware. (Ransomware behavior monitoring, IP/Web Reputation)
Protection for Home Users
Trend Micro Security 10 provides robust protection against ransomware by blocking malicious websites, emails, and files associated with this threat. (IP/Web Reputation, Ransomware Protection)
Additional analysis by Michael Villanueva, Mick McCluney, and Joel Hartley