
Brute Force RDP Attacks Plant CRYSIS Ransomware

  • Posted on: February 9, 2017 at 5:00 am
  • Posted in: Malware, Ransomware
  • Author: Jay Yaneza (Threats Analyst)

In September 2016, we noticed that operators of the updated CRYSIS ransomware family (detected as RANSOM_CRYSIS) were targeting Australia and New Zealand businesses via remote desktop (RDP) brute force attacks. Since then, brute force RDP attacks are still ongoing, affecting both SMEs and large enterprises across the globe. In fact, the volume of these attacks doubled in January 2017 from a comparable period in late 2016. While a wide variety of sectors have been affected, the most consistent target has been the healthcare sector in the United States.

Figure 1. Distribution of victims

We believe that the same group of attackers is behind the earlier attacks and the current campaign. The file names being used are consistent within each region. Other parts of this attack—such as where the malicious files are dropped onto the compromised machine—are also consistent.

As we originally observed, during the RDP session a folder shared on the remote PC was used to transfer malware from the attacker machine:

Figure 2. Setting for shared folder to be used in RDP session

In some cases, the clipboard was also used to transfer files:

Figure 3. Setting for clipboard to be used in RDP session

Both methods expose the local resources of the attacker to the remote machine, and vice versa. By default, no restrictions are applied to these RDP features on an endpoint that is exposed to the internet; it is up to the administrator to apply controls.

The attacker tries to log in using various commonly-used usernames and passwords. Once the attacker has determined the correct username and password combination, he (or she) usually comes back multiple times within a short period to try and infect the endpoint. These repeated attempts are usually successful within a matter of minutes.

In one particular case, we saw CRYSIS deployed six times (packed different ways) on an endpoint within a span of 10 minutes. When we went over the files that were copied, they were created at various times during a 30-day period starting from the time of the first compromise attempt. The attackers had multiple files at their disposal, and they were experimenting with various payloads until they found something that worked well.

What to do when you suspect that this method has been used against your organization

If you find yourself in this situation, our original discussion of the September attacks provided some key steps to consider.

  • Limit the potential risk to your network by applying proper security settings in Remote Desktop Services. Disabling access to shared drives and the clipboard would limit the ability to copy files via RDP. Restricting other security settings may be useful as well. Note that limiting such functionality may impact usability.
  • Try to identify any offending IP addresses. With newer versions of Windows, the OS logs Remote Desktop connection details in the Windows Event Viewer under Event ID 1149. The logged information includes the user account that was used (i.e., the compromised account) as well as the IP address of the attacker.
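The two steps above, as an added example that is not part of the original post: this PowerShell, run as an administrator on the exposed Windows host, sets the policy values that disable drive and clipboard redirection and then summarises Event ID 1149 entries by source address so that repeat connections from one client stand out. The registry value names, the log name and the three-connection threshold are assumptions made for this example and should be checked against your own environment.

```powershell
# Added example, not code from the original post.
# 1. Limit exposure: disable drive and clipboard redirection through the
#    Terminal Services policy key (assumed names fDisableCdm / fDisableClip,
#    i.e. the "Do not allow drive/Clipboard redirection" policies).
#    Note that this also removes those features for legitimate admins.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
foreach ($name in 'fDisableCdm', 'fDisableClip') {
    $current = (Get-ItemProperty -Path $policyKey -Name $name -ErrorAction SilentlyContinue).$name
    if ($current -ne 1) {
        Set-ItemProperty -Path $policyKey -Name $name -Value 1 -Type DWord
        Write-Output "Set $name=1 (was '$current')"
    }
}

# 2. Identify offending addresses: Event ID 1149 records each successful RDP
#    authentication together with the account used and the client address.
$log   = 'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational'
$since = (Get-Date).AddDays(-30)
$events = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 1149; StartTime = $since } `
                       -ErrorAction SilentlyContinue

$parsed = foreach ($e in $events) {
    # Parse the rendered message text rather than relying on property ordering.
    $user = if ($e.Message -match 'User:\s*(\S+)') { $Matches[1] } else { '?' }
    $ip   = if ($e.Message -match 'Source Network Address:\s*(\S+)') { $Matches[1] } else { '?' }
    [pscustomobject]@{ Time = $e.TimeCreated; User = $user; SourceIP = $ip }
}

# Several connections from one address in a short window match the behaviour
# described above: the attacker returning repeatedly once a password is found.
$parsed | Group-Object SourceIP | ForEach-Object {
    $times = @($_.Group | Sort-Object Time)
    [pscustomobject]@{
        SourceIP    = $_.Name
        Connections = $_.Count
        Accounts    = ($_.Group.User | Sort-Object -Unique) -join ','
        First       = $times[0].Time
        Last        = $times[-1].Time
        SpanMinutes = [math]::Round((New-TimeSpan $times[0].Time $times[-1].Time).TotalMinutes, 1)
    }
} | Where-Object { $_.Connections -ge 3 } |
    Sort-Object Connections -Descending | Format-Table -AutoSize
```

Addresses that appear in this table with many accounts or a short span are candidates for blocking at the perimeter and for a closer look at what was copied through \\tsclient.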

Trend Micro customers may also take advantage of some of the product features, namely:

  • Check the product configuration for a product like Trend Micro OfficeScan. Specifically, look for an option like “Scan network drive” and make sure it is activated. This feature is usually disabled, but in some cases (like this one) it may be useful. It may even allow for the cleanup of the attacker’s host: the shared network drive (located under \\tsclient) has full read/write access by default, so activating the “Scan network drive” option cleans the contents of this shared drive.
  • Advanced network detection tools like Trend Micro Deep Discovery can monitor brute-force attacks. Multiple “Unsuccessful logon to Kerberos” and “Logon attempt – RDP” events could be signs of an ongoing brute-force attack, and allow the IT administrator to know whether the attack was successful. This should be monitored at all times for hosts that are exposed to the internet via RDP.

Trend Micro Ransomware Solutions

PROTECTION FOR ENTERPRISES

  • Email and Gateway Protection

    Trend Micro Cloud App Security, Trend Micro™ Deep Discovery™ Email Inspector and InterScan™ Web Security address ransomware in common delivery methods such as email and web.

    Spear phishing protection
    Malware Sandbox
    IP/Web Reputation
    Document exploit detection
  • Endpoint Protection

    Trend Micro Smart Protection Suites detects and stops suspicious behavior and exploits associated with ransomware at the endpoint level.

    Ransomware Behavior Monitoring
    Application Control
    Vulnerability Shielding
    Web Security
  • Network Protection

    Trend Micro Deep Discovery Inspector detects malicious traffic, communications, and other activities associated with attempts to inject ransomware into the network.

    Network Traffic Scanning
    Malware Sandbox
    Lateral Movement Prevention
  • Server Protection

    Trend Micro Deep Security™ detects and stops suspicious network activity and shields servers and applications from exploits.

    Webserver Protection
    Vulnerability Shielding
    Lateral Movement Prevention

PROTECTION FOR SMALL-MEDIUM BUSINESSES AND HOME USERS

  • Protection for Small-Medium Businesses

    Trend Micro Worry-Free™ Business Security Advanced offers cloud-based email gateway security through Hosted Email Security that can detect and block ransomware.

    Ransomware behavior monitoring
    IP/Web Reputation
  • Protection for Home Users

    Trend Micro Security 10 provides robust protection against ransomware by blocking malicious websites, emails, and files associated with this threat.

    IP/Web Reputation
    Ransomware Protection