Incident Response, Malware, Network Security, Ransomware, TDR

Crysis ransomware now attacking businesses in Australia and New Zealand

Australian and New Zealand businesses are being hit with a ransomware campaign, according to Trend Micro.

First detected in February, the ransomware, dubbed Crysis, is now targeting the two nations via remote desktop protocol (RDP) brute force attacks.

The Crysis ransomware is spread through spam and targets are infected by clicking on a trojanized attachment (disguised with the use of double file extensions so the malware is perceived as a non-executable). The malware also can be delivered when recipients visit compromised websites that disseminate phony installers for legitimate programs and apps.

The researchers detected the malware in cyberattacks using brute-forced RDP credentials and saw it execute via a redirected drive from the source computer. 

RDP, a Windows component, enables users to connect to another computer through a network connection. The interface has been targeted previously in targeted attacks in order to siphon out data to sell on underground markets, as well as to enlist victim computers into botnets from which to launch future attacks.

The business model, said Trend Micro, can be lucrative for those behind the ransomware as the malware can scan and encrypt files on removable drives and network shares.

Recovering from an infection is no easy task, the researchers found, as the attacks in Australia and New Zealand injected trojans that redirected to connected devices, such as printers and routers. Thus, the bad actors can re-establish their connections to reinfect systems after the malware has been removed – a good reason, they said, not to pay ransoms.

Rather, the researchers advised administrators close RDP access if feasible, or alter the RDP port to a non-standard port.

"Updating and strengthening RDP credentials as well as implementing two-factor authentication, account lockout policies and user permission/restriction rules can make them more resistant to brute force attacks," the report stated.

"Regardless of who you are or where you work, update, update, update," Stephen Gates, chief research intelligence analyst for NSFOCUS, an enterprise network security provider, told on Monday. "This is always good advice. Several recent ransomware campaigns began with exploiting known software flaws. Updates for these vulnerabilities have been around for months. However, if people are not updating, they're just asking for trouble."

However, Gates added, many people don't even know what to update. And, updating the operating system and all applications is not completely automated in many cases. "Make a point to check for updates a least once a week for your operating systems, applications, browsers, plugins, media players, document readers, and anti-malware software," he said. "If you don't update and you're infected, then it's really your own fault. Drive-by downloads take advantage of those that don't update."

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.