Earlier this year, the group behind one of the most widespread ransomware families, TeslaCrypt, decided to shut up shop. But plenty of new ransomware families are taking its place. One of them is the Crysis ransomware family, which has been found to target Australian and New Zealand businesses. Here's what you need to know.
The distinctive feature of Crysis ransomware is that it tries to brute force remote desktop protocol (RDP) credentials to gain access to a victim's computer, then installs malware on the machine to encrypt files. What's more troubling is that it plants Trojans on connected devices such as printers and routers, so attackers can re-establish connections to PCs and reinfect them even after the malware has been removed.
While the ransomware was discovered earlier this year, it is now clear that Crysis is targeting businesses in Australia and New Zealand. According to security vendor Trend Micro’s research team:
“Crysis is mainly distributed through spam emails, either with Trojanised attachments with double file extensions (as a way to disguise the malware as a non-executable) or links to compromised websites, and online locations that distribute spurious installers for legitimate programs and applications. Although not immediately seen when it was first discovered, we also observed that it used brute-forced RDPs as one of its infection vectors.”
RDP is built into the Windows operating system and is a legitimate tool that lets users connect remotely to their computers when they are away from their desks.
If you're an IT administrator, Trend Micro recommends closing RDP access where possible, or changing the RDP port to a non-standard one. The company also advises IT administrators to update and strengthen RDP credentials and to implement two-factor authentication, account lockout policies and user permission rules to fend off brute force attacks.
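Account lockout limits how far a password-guessing run gets, but it also helps to spot one in progress. The following is an added example, not code from this article or from Trend Micro: it parses constructed log lines modelled on Windows Security event 4625 (failed logon) with logon type 10 (RemoteInteractive, i.e. RDP) and flags source addresses that fail repeatedly inside a short window. The line format, threshold, window and all sample values are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines modelled on Windows Security event 4625 (failed logon).
# LogonType 10 = RemoteInteractive (RDP). Timestamps, users and IPs are made up.
SAMPLE_LOG = """\
2016-08-30T02:14:01 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.45
2016-08-30T02:14:03 EventID=4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.45
2016-08-30T02:14:05 EventID=4625 LogonType=10 TargetUserName=backup IpAddress=203.0.113.45
2016-08-30T02:14:07 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.45
2016-08-30T02:14:09 EventID=4625 LogonType=10 TargetUserName=sql IpAddress=203.0.113.45
2016-08-30T02:14:11 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.45
2016-08-30T09:01:00 EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=192.0.2.10
2016-08-30T09:01:30 EventID=4624 LogonType=10 TargetUserName=jsmith IpAddress=192.0.2.10
2016-08-30T11:20:00 EventID=4625 LogonType=2 TargetUserName=jsmith IpAddress=-
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<ltype>\d+) "
    r"TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+)$"
)

def parse_rdp_failures(text):
    """Return (timestamp, user, ip) for each failed RDP (LogonType 10) logon."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["eid"] != "4625" or m["ltype"] != "10":
            continue  # skip successful logons, non-RDP logon types and unparsable lines
        events.append((datetime.fromisoformat(m["ts"]), m["user"], m["ip"]))
    return events

def find_bruteforce_sources(events, threshold=5, window=timedelta(minutes=5)):
    """Flag source IPs with >= threshold failed RDP logons inside any sliding window.
    Returns {ip: set of usernames tried} for each flagged source."""
    by_ip = defaultdict(list)
    for ts, user, ip in sorted(events):
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, attempts in by_ip.items():
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1  # slide the window forward past old failures
            if end - start + 1 >= threshold:
                flagged[ip] = {u for _, u in attempts}
                break
    return flagged
```

A single user mistyping a password once (192.0.2.10 above) stays below the threshold, while a source cycling through several account names in seconds is flagged together with the names it tried.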
If your business is found to be infected by Crysis, make sure you remove the ransomware from affected machines and connected devices, Trend Micro said:
“Ensuring that connected devices are securely wiped during cleanups can mitigate the risks of further damage, while utilising encryption channels can help foil attackers from snooping on remote connections. Keeping the RDP client and server software up-to-date can also prevent potential vulnerabilities in RDPs from being exploited.”
As usual, we recommend that you regularly back up your data so that, even if you do suffer a ransomware attack, you won't lose any important files.