Crysis Ransomware Attacks RDP Servers to Deploy Ransomware

Recently, the cybersecurity researchers at ASEC (AhnLab Security Emergency Response Center) found that the operators of Crysis ransomware are actively utilizing the Venus ransomware in their operations.

Both Crysis and Venus are well-known for targeting the remote desktop services that are externally exposed, and it been revealed that the attacks are being launched via RDP by the AhnLab Smart Defense (ASD) logs.

Apart from this, Crysis and Venus are not alone, as the threat actor also deployed several other tools like:-

• Port Scanner
• Mimikatz

While such malicious tools can also target the infected systems within the internal network of the company. 

Crysis Ransomware Attack

Threat actors exploit RDP as an attack vector, and they seek active and externally accessible systems.

Vulnerable systems face brute force or dictionary attacks, and weak account credentials enable threat actors to gain access to those accounts effortlessly.

To perform a variety of malicious actions and activities, the obtained credentials enable threat actors to control systems via RDP.

Here, the Venus ransomware makes use of RDP as the attack vector, generating multiple malware types through explorer.exe, a legit Windows Explorer process.

In past attacks, the threat actor tried Crysis ransomware for encryption but failed. Instead, they attempted Venus ransomware for encryption afterward.

Moreover, the threat actor continually used Crysis ransomware to attack other systems, and they targeted externally exposed RDP services similarly. 

Once successful, the attacker accessed and infected other systems with Crysis ransomware via RDP. In the infected system, the threat actor deploys diverse malware types, and the scanners and credential theft tools are installed from NirSoft.

Here below, we have mentioned all the tools that are used in the attacks:-

• Venus Ransomware
• Crysis Ransomware
• Mimikatz
• Web Browser Password Viewer – NirSoft
• Mail PassView – NirSoft
• VNCPassView – NirSoft
• Wireless Key View – NirSoft
• BulletsPassView – NirSoft
• RouterPassView – NirSoft
• MessenPass (IM Password Recovery) – NirSoft
• Remote Desktop PassView – NirSoft
• Network Password Recovery – NirSoft
• Network Share Scanner

Threat actor hijacks system using RDP and scans network with the help of tools that we have mentioned above to check if the infected system belongs to a specific network.

If so, ransomware conducts internal reconnaissance, gathers account credentials, and encrypts other network systems.

Mimikatz aids this process, and the collected account info enables lateral movement to network systems. While in a Crysis attack, the threat actor employs RDP for lateral movement within the network.

Upon successful execution of Crysis ransomware, users would have been confronted with the subsequent ransom note.

Threat actor copies files to the Download folder, including bild.exe_ for Venus ransomware, and to encrypt additional files it terminates the following things:-

• Office
• Email clients
• Databases

On successful deployment, the Venus ransomware alters the desktop and then it presents the user with a README file that warns info is stolen, files encrypted and prompts users to establish contact within 48 hours.

Recommendations

RDP services are actively exploited by the threat actors for initial compromise and lateral movement, that’s why security analysts have strongly recommended:-

• Make sure to deactivate unused RDP to reduce attempts.
• Always use strong passwords.
• Make sure to change passwords periodically.
• Ensure to update V3 to prevent malware.

Source: https://cybersecuritynews.com/crysis-ransomware-attacking-rdp/