CRYSIS Ransomware is back and crooks are using RDP attacks once again

CRYSIS Ransomware attacks leveraging brute force via Remote Desktop Protocol (RDP) are still ongoing, mostly targeting US firms in the healthcare.

Do you remember the CRYSIS ransomware? It is a ransomware that appeared in the threat landscape last year, now researchers at Trend Micro discovered the CRYSIS ransomware is being distributed via Remote Desktop Protocol (RDP) brute force attacks.

The malware was spread with the same technique in September 2016, when crooks targeted businesses in Australia and New Zealand. Now cyber criminals are targeting organizations across the world.

The researchers at Trend Micro observed a significant increase in the number of CRYSIS ransomware infections in January 2017 compared to the previous months. The last wave of attacks mostly targeted US organizations in the healthcare industry.

“In fact, the volume of these attacks doubled in January 2017 from a comparable period in late 2016. While a wide variety of sectors have been affected, the most consistent target has been the healthcare sector in the United States.” states the blog post published by Trend Micro.

The researchers believe that behind the two campaigns there are the same threat actors.

“We believe that the same group of attackers is behind the earlier attacks and the current campaign. The file names being used are consistent within each region. Other parts of this attack—such as where the malicious files are dropped onto the compromised machine—are also consistent.” continues the report.

The attackers used a folder shared on the remote PC to transfer malware from their machine, and in some cases, they used the clipboard to transfer files.

Both techniques expose the local resources of the attacker to the remote machine, and vice-versa.

The researchers observed multiple login attempts with commonly-used credentials, then when attackers determined the correct username and password usually come back multiple times within a short period trying to infect the endpoint.

“In one particular case, we saw CRYSIS deployed six times (packed different ways) on an endpoint within a span of 10 minutes. When we went over the files that were copied, they were created at various times during a 30-day period starting from the time of the first compromise attempt. The attackers had multiple files at their disposal, and they were experimenting with various payloads until they found something that worked well.” states the report.

These methods, they reveal, exposed the local resources of the attacker to the remote machine, and vice-versa.

Trend Micro suggests organizations apply proper security settings in Remote Desktop Services, for example disabling access to shared drives and the clipboard, making impossible for the attackers to copy malicious payloads via RDP.

The experts also suggest to carefully monitor logs to identify attackers’ IP addresses.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – CRYSIS ransomware, RDP)