Crysis Ransomware Attacks RDP Servers to Deploy Ransomware

Crysis Ransomware Attacks RDP Servers to Deploy Ransomware

Recently, the cybersecurity researchers at ASEC (AhnLab Security Emergency Response Center) found that the operators of Crysis ransomware are actively utilizing the Venus ransomware in their operations.

Both Crysis and Venus are well-known for targeting the remote desktop services that are externally exposed, and it been revealed that the attacks are being launched via RDP by the AhnLab Smart Defense (ASD) logs.

Read moreBuilding cyber skills and roles from CyBOK foundations

Apart from this, Crysis and Venus are not alone, as the threat actor also deployed several other tools like:-

Port Scanner

Read moreAccessibility as a cyber security priority

Mimikatz

While such malicious tools can also target the infected systems within the internal network of the company. 

Crysis Ransomware Attack

Read moreNew interactive video - and related downloads - to help secondary school kids stay safe online

Threat actors exploit RDP as an attack vector, and they seek active and externally accessible systems.

Vulnerable systems face brute force or dictionary attacks, and weak account credentials enable threat actors to gain access to those accounts effortlessly.

Read moreNigerian Cybercrime Ring's Phishing Tactics Exposed

To perform a variety of malicious actions and activities, the obtained credentials enable threat actors to control systems via RDP.

Here, the Venus ransomware makes use of RDP as the attack vector, generating multiple malware types through explorer.exe, a legit Windows Explorer process.

Installation log for various malware (Source – AhnLab)
Read moreS3 Ep135: Sysadmin by day, extortionist by night

In past attacks, the threat actor tried Crysis ransomware for encryption but failed. Instead, they attempted Venus ransomware for encryption afterward.

Before Venus, tried Crysis (Source – AhnLab)

Moreover, the threat actor continually used Crysis ransomware to attack other systems, and they targeted externally exposed RDP services similarly. 

Read moreUS offers $10m bounty for Russian ransomware suspect outed in indictment

Once successful, the attacker accessed and infected other systems with Crysis ransomware via RDP. In the infected system, the threat actor deploys diverse malware types, and the scanners and credential theft tools are installed from NirSoft.

Here below, we have mentioned all the tools that are used in the attacks:-

Read moreBelkin Wemo Smart Plug V2 – the buffer overflow that won’t be patched

Venus Ransomware

Crysis Ransomware

Read moreZut alors! Raclage crapuleux! Clearview AI in 20% more trouble in France

Mimikatz

Web Browser Password Viewer – NirSoft

Read moreHeads Up CEO! Cyber Risk Influences Company Credit Ratings

Mail PassView – NirSoft

VNCPassView – NirSoft

Read moreCISA, NSA Issue New IAM Best Practice Guidelines

Wireless Key View – NirSoft

BulletsPassView – NirSoft

Read more6 Ways to Mitigate Risk While Expanding Access

RouterPassView – NirSoft

MessenPass (IM Password Recovery) – NirSoft

Read moreHypervisors and Ransomware: Defending Attractive Targets

Remote Desktop PassView – NirSoft

Network Password Recovery – NirSoft

Read moreNIST Launches Cybersecurity Initiative for Small Businesses

Network Share Scanner

Threat actor hijacks system using RDP and scans network with the help of tools that we have mentioned above to check if the infected system belongs to a specific network.

Read moreEducating Your Board of Directors on Cybersecurity

If so, ransomware conducts internal reconnaissance, gathers account credentials, and encrypts other network systems.

Mimikatz aids this process, and the collected account info enables lateral movement to network systems. While in a Crysis attack, the threat actor employs RDP for lateral movement within the network.

Read morePersonal Information of 9 Million Individuals Stolen in MCNA Ransomware Attack

Upon successful execution of Crysis ransomware, users would have been confronted with the subsequent ransom note.

Crysis Ransom note (Source – AhnLab)

Threat actor copies files to the Download folder, including bild.exe_ for Venus ransomware, and to encrypt additional files it terminates the following things:-

Read moreMany Vulnerabilities Found in PrinterLogic Enterprise Software

Office

Email clients

Read moreIndustrial Giant ABB Confirms Ransomware Attack, Data Theft

Databases

On successful deployment, the Venus ransomware alters the desktop and then it presents the user with a README file that warns info is stolen, files encrypted and prompts users to establish contact within 48 hours.

Venus Ransom note (Source – AhnLab)

Recommendations

Read moreOrganizations Worldwide Targeted in Rapidly Evolving Buhti Ransomware Operation

RDP services are actively exploited by the threat actors for initial compromise and lateral movement, that’s why security analysts have strongly recommended:-

Make sure to deactivate unused RDP to reduce attempts.

Read moreGoogle Cloud Users Can Now Automate TLS Certificate Lifecycle

Always use strong passwords.

Make sure to change passwords periodically.

Read moreZyxel Firewalls Hacked by Mirai Botnet

Ensure to update V3 to prevent malware.

“AI-based email security measures Protect your business From Email Threats!” – Request a Free Demo.

Read moreWatch Now: Threat Detection and Incident Response Virtual Summit

The post Crysis Ransomware Attacks RDP Servers to Deploy Ransomware appeared first on Cyber Security News.

   Read More 

Read moreNCC Group Releases Open Source Tools for Developers, Pentesters

Cyber Security News 

Related Posts

Microsoft fixes known issue causing Outlook freezes, slow starts

Microsoft fixes known issue causing Outlook freezes, slow starts

Microsoft has fixed a known issue affecting Outlook for Microsoft 365 users since June and causing slow starts and freezes as if Offline Outlook Data Files (OST) were syncing right after launch. […]   Read More 

BleepingComputer