A new Crysis ransomware distribution campaign has been detected targeting businesses in Australia and New Zealand using RDP brute-forcing attacks.
The attackers are looking for unsecured, open RDP ports on the Interned and then launch a brute-forcing attacks trying to guess the compromised PC`s admin password. If they succeed, they infect the machine with the Crysis ransomware. Moreover, when they can, they spread it to other PCs on the same network as well. The crooks do that either by brute-forcing nearby computers or by leaving Crysis payloads on other network devices, like router or printers, which then infect other users.
Trend Micro researchers report that these Crysis campaigns have only been spotted in New Zealand and Australia, at least for now.
When Crysis first appeared at the beginning of 2016, its purpose was to replace the TeslaCrypt ransomware, which had shut down. However, even though the crooks behind Crysis were trying very hard to take the place TeslaCrypt had left on the ransomware marked by intensifying spam levels, they didn’t succeed. Other ransomware variants like Cerber, CryptXXX, Locky and Locky’s Zepto were a lot more active and didn’t leave Crysis a lot of room to expand.
At first, the Crysis criminal gang relied on spam messages with links to malicious websites, where victims were tricked into downloading malevolent files. Later, the attackers started using another popular malware distribution method – spam emails with malicious attachments.
Currently, the Crysis ransomware is using brute-force attacks to take hold of and lock devices, and, surely, it is not the first one to use this tactic. Other ransomware pieces which had previously relied on brute-forcing attacks are also LowLevel, DMA Locker, Apocalypse, Smrss32, Bucbi etc.
Unfortunately, for the moment, a free Crysis decrypter is not available due to the strong encryption combination of AES and RSA algorithms that the ransomware uses.
For now, the best advice to users is to create backups for their most valuable and sensitive data.