SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Story image
Trend Micro warns NZ & Australian firms about Crysis ransomware
Tue, 20th Sep 2016
FYI, this story is more than a year old

New Zealand and Australian businesses are being warned to watch out for Crysis ransomware, which operates through remote desktop protocol (RDP) attacks.

Jon Oliver, senior architect at Trend Micro, has covered the spread of the ransomware family, known as RANSOM_CRYSIS.A. It has been in circulation in the ANZ region since June this year, in a gap left by the exit of TeslaCrypt and in direct competition to the Locky ransomware.

Oliver says that the Crysis ransomware is spread through spam emails using trojanised attachments, or through links to compromised websites and others that include installers to legitimate programmes.

The company says that through monitoring, it has been able to track how Crysis uses brute-force RDP credentials and ransomware to infect Windows users through local drives, and access through printers, multimedia devices and even the Clipboard.

Oliver explains that RDP is an inbuilt feature of Windows and allows users to connect to others over a network connections. These open connections have been the targets of attacks, information theft and botnet hosting.

Crysis can also scan and encrypt files on network shares and removable drives, meaning that ransomware operators can make the most of the exploits for profit. Dedicated hackers can access the system by gaining administrator permission and causing more damage by encrypting data.

Oliver explains that attacks against Australian and New Zealand businesses have targeted connected devices, such as printers and routers. This method allows Crysis attackers to get access again and take control of a system multiple times, even after malware has been removed. Oliver says this is a key reason why businesses should not pay ransomware demands.

Trend Micro recommends:

  • Administrators close or convert the RDP port to a non-standard port.
  • Updating and strengthening RDP credentials
  • Using two-factor authentication
  • Using secure wipes during cleanups
  • Keeping RDP clients and server software up to date
  • Using the three-copy backup system for data: two different media formats, with one backup stored offline.
  • Using multi-layered security to prevent and mitigate attacks