ODS – Cybersecurity ODS – Cybersecurity
  • SERVICES
    • PENETRATION TESTING
    • TRAINING
    • COMPUTER FORENSICS
  • Contact
  • PRODUCTS
    • SECUREACCESS.COM©
  • BLOG
  • WHO WE ARE
    • CORPORATE RESPONSIBILITY
    • SPONSORSHIPS
    • CAREERS
ODS – Cybersecurity ODS – Cybersecurity
  • SERVICES
    • PENETRATION TESTING
    • TRAINING
    • COMPUTER FORENSICS
  • Contact
  • PRODUCTS
    • SECUREACCESS.COM©
  • BLOG
  • WHO WE ARE
    • CORPORATE RESPONSIBILITY
    • SPONSORSHIPS
    • CAREERS
Jan 10
Crysis, a dangerous ransomware that is infecting companies right now

Crysis, a dangerous ransomware that is infecting companies right now

  • January 10, 2018
  • Sergiu Mesesan
  • News

These days we are receiving calls from people who are being infected by a ransomware called Crysis, which seems to be a continuation of the manual infections campaign using weakly protected Remote Desktop Protocol access, campaigns which were previously reported in 2016 and 2017.

The ransomware has different variants, this one in particular being identified by the .java extension of the infected files. The infections that we have presented were caused by manually infecting the victim PCs through Remote Desktop Protocol (RDP) access, which means that a human attacker is accessing the victim machines prior to the infection by bruteforcing the Windows RDP protocol on port 3389. This exploits weak credentials in order to takeover the machine´s console and desktop.

The attacker usually downloads and installs monitoring programs like keyloggers to collect data from the system and also to gather data of the activities and data of the victim. This may be a private individual or a company. Through monitoring and credentials harvesting they can also extend the scope of the attack to other resources of the victim´s network. After enough data has been collected, the Crysis variant is executed on the victim machine and the ransomware encrypts almost every file of the affected machine including executable files. This is not common in other ransomware cases.

After the files are encrypted, a text message is left in every folder of the victim´s machine that asks the victim to contact the attacker at the supplied e-mail address. The address is also present in the infected files names.

What is also uncommon considering the latest big scale ransomware attacks is the fact that the quantity of the ransom demanded by the attackers is customized in accordance to the data that the attacker obtained previously from the monitoring of the victim. A wealthier company is asked for more money than a smaller one or a private individual. Unlike previous ransomware attacks where the ransom was quantified in hundreds of dollars, these ransom demands usually reach thousands of dollars.

Unlike previous variants whose keys are already published and whose infected files can be decrypted by various tools including Kaspersky Rakhni Decryptor and AVG Crysis decryptor, this Crysis.java variant uses new, custom RSA keys, rendering the recovery of the infected files IMPOSSIBLE at the moment.

An investigation, has placed the United Kingdom in the list of the top 5 countries most affected by this type of ransomware:

Crysis ransomware chart with the most affected countries

Source: welivesecurity

In recent cases we have seen that Crysis lays dormant in the affected computer for months, until the ransomware goes “into action”. In one of the cases our analysts found proof that the victim servers were used for cryptocoin mining prior to the manual infection and the ransom demand.

So, what can we do?

  • Have your backups up to date.
  • DO NOT click on dubious-looking links that come from emails, messages, or social networks.
  • In case you get infected, DO NOT REBOOT THE MACHINE. Call a data security company immediately.
  • Have a phone close to you, and call for HELP, in case the worst scenario happens.

ALLION.exe – the ransomware sample, a bitcoin miner and a monitoring software found in one of the victim servers. The miner and the PH file were also infected and the name format assigned to the infected files is particular to the Crysis ransomware.

Crysis ransomware screenshot

  • About
  • Latest Posts
Sergiu Mesesan
Sergiu Mesesan
As Chief Information Security Manager for ODS, Sergiu Mesesan evaluates all risks involved in our software, servers and networks. From his thorough analysis, he informs the ODS staff on what actions to take and to avoid in a cyber attack, which makes Sergiu one of the company's most vital components when tackling a project. As Head of IT Security and a member of the analyst team, Sergiu has 6 years of experience behind him, and among his competencies are web auditing, and IT security management.
Sergiu Mesesan
Latest posts by Sergiu Mesesan (see all)
  • Crysis, a dangerous ransomware that is infecting companies right now - January 10, 2018
  • How to protect your business from brute-forcing subdomains attacks - June 13, 2017
  • Hackers, from technological evolution pillars to governmental weapons - January 3, 2017
  • Facebook
  • Twitter
  • LinkedIn
  • E-Mail

Comments are closed.

Safe Password Generator
Cybersecurity Guide for Dummies

Recent posts:

  • The keys to get the ISO 27001 certification
  • Managed Security Service – MSSP
  • DDoS Attacks – An In-Depth Guide
  • Cyber security in critical infrastructures
  • How to work on hotel cyber security
TIME TO PROTECT YOUR BUSINESS!

Contact US!

ES: 900 838 167
UK: +44 203 034 0056
US: +1 347 669 9174

FOLLOW US

      Youtube

We promote cyber security

MENU

HOME SERVICES PENETRATION TESTING TRAINING COMPUTER FORENSICS SOCIAL RESPONSIBILITY SPONSORING CAREERS
© 2021 Open Data Security | Legal Warning -   Privacy Policy and Cookies Policy
We use our own and third-party cookies to improve our services, and analyze the traffic on our page. If you accept or continue browsing our website, we understand that you have accepted the installation of cookies. More information in our Cookies Policy.