The CRYSIS ransomware, which was first noticed last year, appears to be back, once again spreading through brute-force attacks over Remote Desktop Protocol (RDP).
Trend Micro researchers discovered that the CRYSIS ransomware is once again being distributed via Remote Desktop Protocol (RDP) brute-force attacks. In September 2016, the ransomware used the same RDP tactic to target businesses in New Zealand and Australia, but it is no longer restricted by region and is now targeting organizations all over the globe.
Compared to previous months, the number of victims attacked by CRYSIS increased significantly in January this year, Trend Micro states. The researchers also noticed that the last two attack waves were mostly aimed at US-based healthcare institutions.
“In fact, the volume of these attacks doubled in January 2017 from a comparable period in late 2016. While a wide variety of sectors have been affected, the most consistent target has been the healthcare sector in the United States.” – a blog post published by Trend Micro reads.
The experts also believe that the same group of people is behind the two campaigns.
“We believe that the same group of attackers is behind the earlier attacks and the current campaign. The file names being used are consistent within each region. Other parts of this attack—such as where the malicious files are dropped onto the compromised machine—are also consistent.” – continues the report.
In order to transfer malware from their machine, the crooks used a folder shared on the remote PC. In some cases, they used the clipboard to transfer files. Both techniques expose the local resources of the attacker to the remote machine, and vice-versa.
The researchers noticed multiple login attempts using commonly used credentials. Once the attackers determined the correct username and password, they came back shortly afterwards to try to infect the endpoint.
“In one particular case, we saw CRYSIS deployed six times (packed different ways) on an endpoint within a span of 10 minutes. When we went over the files that were copied, they were created at various times during a 30-day period starting from the time of the first compromise attempt. The attackers had multiple files at their disposal, and they were experimenting with various payloads until they found something that worked well.” – states the report.
These methods exposed the attacker's local resources to the remote machine, and vice versa.
Trend Micro recommends organizations strengthen Remote Desktop Services security settings by disabling access to shared drives and the clipboard, for instance. This way crooks won’t be able to use RDP to transfer malicious payloads.
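On the detection side, the pattern described above (many failed logons with common account names, then a successful logon from the same source) can be flagged from logon events. The sketch below is an added example, not code from Trend Micro's report; it assumes events have already been exported as "time, event ID, source IP, account" lines, uses Windows Security event IDs 4625 (failed logon) and 4624 (successful logon), and the threshold, window and sample data are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FAILED, SUCCESS = 4625, 4624    # Windows Security log: failed / successful logon
MIN_FAILURES = 5                # assumed threshold, tune per environment
WINDOW = timedelta(minutes=30)  # assumed look-back window before a success

# Constructed sample events (time, event id, source IP, account); not real data.
SAMPLE = """\
2017-01-10T02:00:01 4625 203.0.113.7 admin
2017-01-10T02:00:03 4625 203.0.113.7 administrator
2017-01-10T02:00:05 4625 203.0.113.7 user
2017-01-10T02:00:08 4625 203.0.113.7 test
2017-01-10T02:00:11 4625 203.0.113.7 scanner
2017-01-10T02:00:15 4624 203.0.113.7 scanner
2017-01-10T09:12:40 4625 198.51.100.20 jsmith
2017-01-10T09:12:55 4624 198.51.100.20 jsmith
"""

def parse(text):
    """Yield (timestamp, event_id, source_ip, account) per non-empty line."""
    for line in text.splitlines():
        if line.strip():
            ts, eid, ip, user = line.split()
            yield datetime.fromisoformat(ts), int(eid), ip, user

def brute_force_then_success(events):
    """Return alerts for successes preceded by many failures from the same IP."""
    failures = defaultdict(list)    # source IP -> [(time, account), ...]
    alerts = []
    for ts, eid, ip, user in sorted(events):
        if eid == FAILED:
            failures[ip].append((ts, user))
        elif eid == SUCCESS:
            recent = [(t, u) for t, u in failures[ip] if ts - t <= WINDOW]
            if len(recent) >= MIN_FAILURES:
                alerts.append({
                    "source_ip": ip,
                    "account": user,
                    "logon_time": ts.isoformat(),
                    "failed_attempts": len(recent),
                    "accounts_tried": sorted({u for _, u in recent}),
                })
            failures[ip] = []       # start a fresh count after any success
    return alerts

if __name__ == "__main__":
    for alert in brute_force_then_success(parse(SAMPLE)):
        print(alert)
```

A single mistyped password followed by a successful logon, as in the second source address of the sample, stays below the threshold and raises no alert.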