Although Crysis originally surfaced back in February, these latest attacks were first discovered by Trend Micro in early August. It’s distributed through spam emails packed with a Trojan-based attachment or a link to a compromised website. It also lurks on websites that distribute fake installers for valid programs and applications sold through retail.
However, the security firm also discovered that the hackers behind the latest attacks are sneaking Crysis into business networks through the Remote Desktop feature built into the Windows platform. This service allows the user to remotely access another Windows machine as well as other local devices and resources like printers, the Clipboard, plug and play media, and more. A remote computer’s hard drive can even be shared (mapped), allowing other users to access the drive’s contents as if it’s installed in their machine.
According to Trend Micro, the hackers are grabbing Remote Desktop credentials by using brute force attacks, a method that employs software to continuously guess a password until the correct one is determined. Once hackers gain access to a remote computer, they use Crysis to encrypt the computer’s local files, forcing companies to shell out big bugs to regain access.
However, Trend Micro reports that Crysis can be used on an even larger scale. Once it encrypts the files on a remote computer, it has the ability to scan for mapped drives, removable drives, and other devices on the network, and infect those as well. Crysis could eventually migrate to the company’s file server and hold its contents hostage for even bigger bags of cash.
“Cleanup from Crysis has been noted to be tricky. In its attacks on Australian and New Zealand businesses, we saw this ransomware injecting Trojans to redirected and/or connected devices such as printers and routers,” the security firm reports. “This part of Crysis’ infection chain allows the attackers to regain access to and reinfect the system, even after the malware has been removed from the affected computer.”
That means if a business pays the hackers money to regain access to their files, those hackers can re-encrypt the files again. Trend Micro recommends that companies located in Australia and New Zealand should shut down access to Remote Desktop, or change the port that the Remote Desktop protocol (RDP) is currently using. Companies should also beef up Remote Desktop credentials and enforce two-step authentication, which requires a second form of identification on top of the Remote Desktop login credentials.
“Ensuring that connected devices are securely wiped during cleanups can mitigate the risks of further damage, while utilizing encryption channels can help foil attackers from snooping on remote connections,” the firm adds. “Keeping the RDP client and server software up-to-date can also prevent potential vulnerabilities in RDPs from being exploited.”
Naturally, Trend Micro has the perfect solution for keeping Crysis off a company’s network: its service for enterprises, and its service for small to medium-sized businesses.
