Friday, July 10, 09:44

Greek companies victims of CrySIS / Dharma ransomware! An Endless Attack?

According to several reports from small and medium-sized businesses as well as large companies in Greece, CrySIS, also known as Dharma ransomware, which has been terrorising its victims since 2016, infected a number of Greek companies in 2019.


While the global security community assumed that the reign of CrySIS ransomware was over, several Greek companies prove otherwise: they have fallen victim to the malware and most of them have paid large sums of money to get their files decrypted.

In fact, Malwarebytes Labs reported a 148% increase in CrySIS ransomware detections worldwide from February to March 2019.

In the Greek business world, the ransomware appears to have hit several companies that considered themselves untouchable or never expected to become a target for hackers.

According to SecNews research, the hackers behind the attacks are purely financially motivated and simply demand a ransom. In other words, the companies are not being targeted for personal reasons or as part of conspiracies by their competitors.

The hackers act as "professionals": as soon as they receive the ransom, they send the decryption key for the files.

According to SecNews research, Chinese and/or Russian hacking groups are probably behind the attacks. These are organised groups that have made millions of dollars (reportedly on the order of $500,000,000) from malicious activity.


What is CrySIS/ Dharma ransomware and how does it work?

CrySIS/Dharma targets Windows systems and is aimed mainly at businesses. It uses several distribution methods:

  • CrySIS is distributed as a malicious attachment to spam emails. The attachments use double file extensions (a name ending in something like .pdf.exe), which with default Windows settings, where known extensions are hidden, appear to be harmless documents while they are actually executables.
  • CrySIS can also come disguised as an installation file for legitimate software, including products of AV vendors. The hackers behind CrySIS offer seemingly harmless installers for various legitimate applications as downloadable executables, which have been distributed through various websites and shared networks.
  • Most of the time, however, CrySIS/Dharma is delivered manually in targeted attacks, using leaked or weak RDP credentials. This means the attacker already has access to the victim machine, usually gained through a brute-force attack against the Windows RDP service on port 3389, before the ransomware is deployed.
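Because the manual RDP route starts with password guessing, the trace it leaves in the Windows Security log is the most useful early warning: a burst of failed logons (Event ID 4625, logon type 10 for RDP) from one address, followed by a success (Event ID 4624) from the same address. The following detection is an added example written for this article, not code from SecNews or Malwarebytes; the log lines are constructed, the CSV export format (time, EventID, LogonType, account, source IP) is an assumption, and the threshold and window are illustrative values to tune for your environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export of Windows Security events in CSV form
# (time, EventID, LogonType, account, source IP); not real log data.
# 4625 = failed logon, 4624 = successful logon,
# LogonType 10 = RemoteInteractive, i.e. an RDP session.
SAMPLE_LOG = """\
2019-07-10 02:00:01,4625,10,administrator,203.0.113.5
2019-07-10 02:00:03,4625,10,admin,203.0.113.5
2019-07-10 02:00:05,4625,10,backup,203.0.113.5
2019-07-10 02:00:07,4625,10,user,203.0.113.5
2019-07-10 02:00:09,4625,10,test,203.0.113.5
2019-07-10 02:00:11,4625,10,backup,203.0.113.5
2019-07-10 02:00:40,4624,10,backup,203.0.113.5
2019-07-10 08:15:00,4625,10,maria,198.51.100.7
2019-07-10 08:15:20,4624,10,maria,198.51.100.7
2019-07-10 09:00:00,4624,2,kostas,192.0.2.10
"""


def parse_line(line):
    """Turn one CSV line into an event dict with a real datetime."""
    ts, event_id, logon_type, user, src_ip = line.strip().split(",")
    return {
        "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
        "event_id": int(event_id),
        "logon_type": int(logon_type),
        "user": user,
        "src_ip": src_ip,
    }


def detect_rdp_bruteforce(lines, threshold=5, window=timedelta(minutes=10)):
    """Flag source IPs with >= threshold failed RDP logons inside `window`.

    If the same IP then logs on successfully while those failures are still
    inside the window, the account it used is recorded as likely compromised.
    Returns a list of alert dicts (one per offending source IP).
    """
    events = sorted((parse_line(ln) for ln in lines if ln.strip()),
                    key=lambda e: e["time"])
    failures = defaultdict(list)   # src_ip -> timestamps of recent failed logons
    alerts = {}                    # src_ip -> alert dict

    for ev in events:
        if ev["logon_type"] != 10:   # only RDP (RemoteInteractive) logons matter here
            continue
        ip = ev["src_ip"]
        # Slide the window: keep only failures within `window` of this event.
        recent = [t for t in failures[ip] if ev["time"] - t <= window]

        if ev["event_id"] == 4625:
            recent.append(ev["time"])
            if len(recent) >= threshold:
                alert = alerts.setdefault(
                    ip, {"src_ip": ip, "failed": 0, "compromised_user": None})
                alert["failed"] = len(recent)
        elif ev["event_id"] == 4624 and len(recent) >= threshold:
            # Success right after a guessing burst: the password was found.
            alert = alerts.setdefault(
                ip, {"src_ip": ip, "failed": len(recent), "compromised_user": None})
            alert["compromised_user"] = ev["user"]

        failures[ip] = recent

    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_LOG.splitlines()):
        print(alert)
```

Run against a real export, the interesting alerts are the ones with a compromised_user set: those are the sessions to isolate first, since in the attacks described above the ransomware is only deployed after the attacker is already inside. An attacker who spreads guesses over many source addresses or below the threshold will not trip this rule, which is why it complements, rather than replaces, an account lockout policy and restricting RDP to known addresses.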

In a recent attack, CrySIS was sent as a download link in a spam email. The link led to a password-protected installer, and the password was given to the potential victims in the same email. In addition to the CrySIS/Dharma executable, the installer contained an outdated removal tool from a well-known security vendor.

This social engineering trick was used to keep users from becoming suspicious: seeing a familiar security product inside the installation package, they consider the download safe.


The infection

Once CrySIS infects a system, it creates registry entries and encrypts almost every type of file, skipping system files and its own malware files. Encryption uses a strong scheme (AES-256 in combination with RSA-1024 asymmetric encryption) and is applied to fixed, removable and network drives.

Before encrypting, CrySIS deletes all Volume Shadow Copies, on which Windows restore points and "previous versions" rely, by executing the command vssadmin delete shadows /all /quiet.
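Deleting the shadow copies is the one step in this chain that a defender can catch before a single file is encrypted, because the command has no legitimate reason to run from a random executable in a user directory. The rules below are an added example written for this article, not SecNews or vendor code; they run over constructed process-creation records in the style of Sysmon Event ID 1 / Security 4688 fields (the field names are an assumption). Beyond the vssadmin command named above, the example also covers the well-known equivalents an attacker can substitute (wmic shadowcopy delete, wbadmin delete catalog, and deleting Win32_ShadowCopy objects from PowerShell).

```python
import re

# Constructed process-creation records (Sysmon Event ID 1 / Security 4688
# style fields); not real telemetry.
SAMPLE_PROCESS_EVENTS = [
    {"parent_image": r"C:\Users\Public\update.exe",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "command_line": "vssadmin delete shadows /all /quiet"},
    {"parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "command_line": "vssadmin list shadows"},                 # benign admin query
    {"parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "command_line": "wmic shadowcopy delete"},
    {"parent_image": r"C:\Users\Public\update.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": 'powershell -c "Get-WmiObject Win32_Shadowcopy | '
                     'ForEach-Object { $_.Delete() }"'},
    {"parent_image": r"C:\Program Files\Backup\agent.exe",
     "image": r"C:\Windows\System32\wbadmin.exe",
     "command_line": "wbadmin start backup -backupTarget:E:"},  # benign backup job
]

# Command-line patterns that destroy Volume Shadow Copies or the backup
# catalog. The first is the command named in the article; the others are
# well-known equivalents. Patterns tolerate a full path and quotes before
# the verb ("C:\...\vssadmin.exe" delete shadows) and are case-insensitive.
SHADOW_DELETION_RULES = [
    ("vssadmin_delete_shadows",
     re.compile(r'\bvssadmin(\.exe)?"?\s+delete\s+shadows\b', re.I)),
    ("wmic_shadowcopy_delete",
     re.compile(r'\bwmic(\.exe)?"?\s+shadowcopy\s+delete\b', re.I)),
    ("wbadmin_delete_catalog",
     re.compile(r'\bwbadmin(\.exe)?"?\s+delete\s+catalog\b', re.I)),
    ("powershell_win32_shadowcopy_delete",
     re.compile(r"win32_shadowcopy.*\bdelete\b", re.I)),
]


def match_rule(command_line):
    """Return the name of the first rule the command line matches, or None."""
    normalized = " ".join(command_line.split())   # collapse odd whitespace
    for name, pattern in SHADOW_DELETION_RULES:
        if pattern.search(normalized):
            return name
    return None


def detect_shadow_copy_deletion(events):
    """Run the rules over process-creation events; return one alert per hit.

    The parent image is kept in the alert because it is the best pivot:
    shadow-copy deletion launched by an unknown binary in a user-writable
    directory is the ransomware, while the same command under a backup
    agent or an admin's console may be legitimate.
    """
    alerts = []
    for ev in events:
        rule = match_rule(ev["command_line"])
        if rule:
            alerts.append({
                "rule": rule,
                "parent_image": ev["parent_image"],
                "image": ev["image"],
                "command_line": ev["command_line"],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_shadow_copy_deletion(SAMPLE_PROCESS_EVENTS):
        print(alert["rule"], "<-", alert["parent_image"])
```

The /all /quiet switches are deliberately not required by the pattern: they only silence prompts, and a variant that omits them destroys the shadow copies just the same. Alerting on the rule is only half the response; the useful reaction is to kill the parent process and isolate the host, since encryption typically starts seconds later.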

The trojan that drops the ransomware collects the computer name and the number of encrypted files of certain formats and sends them to a remote C2 server controlled by the attacker. On some Windows versions it also attempts to run with administrator rights, which expands the set of files it can encrypt.

In attacks that began with a successful RDP compromise, CrySIS has been observed uninstalling the security software installed on the system before executing the ransomware payload.


The Ransom

When CrySIS completes the encryption, it leaves a note on the desktop stating how much the victim has to pay to get its files back, along with two email addresses for contacting the hackers.

The ransom demanded is usually around 1 Bitcoin, but there have been cases where the price appears to have been adjusted to the income of the affected company. Financially sound companies are often asked to pay more.

How to protect yourself?

Although you have the option of using other software for remote access to your work computers, RDP is essentially a secure and easy-to-use protocol with a client pre-installed on Windows systems and clients available for other operating systems. There are several steps you can take to make it much harder for someone to gain unauthorized access to your network through RDP:

  • Use strong passwords to make brute-force attacks harder to succeed, and combine them with an account lockout policy so an attacker gets only a limited number of guesses.
  • Do not turn off Network Level Authentication (NLA), as it requires the user to authenticate before a full session is established. Turn it on if it is not already enabled.
  • Change the RDP port so that port scanners looking only for the default RDP port miss yours. By default the server listens on port 3389, both TCP and UDP. Bear in mind that this only deters casual scanning; a scanner probing all ports will still find the service, so treat it as a complement to the other measures, not a replacement.
  • Or use a Remote Desktop Gateway server, which also brings additional security and operational advantages such as 2FA. The logs of RDP sessions are very useful when you want to review who did what, and because they are not stored on the compromised machine, it is harder for the attacker to tamper with them.
  • Restrict access to specific IP addresses, if possible. There should be no need for many IPs to have access to RDP.
  • There are many ways to escalate user privileges on Windows computers, including over RDP, but all known methods have been patched. So, as always, make sure your systems are fully patched and up to date.
  • Use an effective and easy-to-use backup strategy. Relying on restore points is not enough and is completely useless when the ransomware deletes them first, as CrySIS does. Since CrySIS also encrypts network drives, keep at least one copy of your backups offline or otherwise unreachable from the machines it could infect.
  • Train your staff about phishing attacks and raise cyber security awareness.
  • Finally, use a multi-layered, advanced security solution to protect your machines from ransomware attacks.

IOCs

Ransom.Crysis is known to use these extensions for encrypted files:

.crysis, .dharma, .wallet, .java, .adobe, .viper1, .write, .bip, .zzzzz, .viper2, .arrow, .gif, .xtbl, .onion, .cezar, .combo, .cesar, .cmb, .AUF, .arena, .brrr, .btc, .cobra, .gamma, .heets, .monro, .USA, .bkp, .xwx, .best, .bgtx, .boost, .waifu, .qwe, .ETH, .bet, ta, .air, .vanss, .888, .FUNNY, .amber, .gdb, .frend, .like, .KARLS, .xxxxx, .aqva, .lock, .korea, .plomb, .tron, .NWA, .AUDIT, .com, .cccmn, .azero, .Bear, .bk666, .fire, .stun, .myjob, .ms13, .war, .carcn, .risk, .btix, .bkpx, .he, .ets, .santa, .gate, .bizer, .LOVE, .LDPR, .MERS, .bat, .qbix, .aa1 and .wal

So far, the following ransom note file names have been identified:

  • txt
  • HOW TO DECRYPT YOUR DATA.txt
  • Readme to restore your files.txt
  • Decryption instructions.txt
  • FILES ENCRYPTED.txt
  • Files encrypted !! .txt
  • hta

Common file hashes:

  • 0aaad9fd6d9de6a189e89709e052f06b
  • bd3e58a09341d6f40bf9178940ef6603
  • 38dd369ddf045d1b9e1bfbb15a463d4c
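The indicators above are only useful if they can be applied to a suspect file share quickly and without drowning in false positives: extensions such as .gif, .com, .bat or .java appear on every healthy system. The triage script below is an added example written for this article, not code from SecNews or Malwarebytes. It assumes that the ransomware appends its extension to the original file name (so invoice.xlsx.arena is flagged but logo.gif is not), it treats the three 32-character hashes above as MD5 digests (an assumption based on their length, since the article does not name the algorithm), it leaves out the truncated entry "ta" from the extension list, and it builds a constructed directory tree in a temporary location for the dry run.

```python
import hashlib
import tempfile
from pathlib import Path

# Encrypted-file extensions from the article's IOC list, lower-cased and
# deduplicated (the truncated entry "ta" is left out).
CRYSIS_EXTENSIONS = set("""
crysis dharma wallet java adobe viper1 write bip zzzzz viper2 arrow gif xtbl
onion cezar combo cesar cmb auf arena brrr btc cobra gamma heets monro usa bkp
xwx best bgtx boost waifu qwe eth bet air vanss 888 funny amber gdb frend like
karls xxxxx aqva lock korea plomb tron nwa audit com cccmn azero bear bk666 fire
stun myjob ms13 war carcn risk btix bkpx he ets santa gate bizer love ldpr mers
bat qbix aa1 wal
""".split())

# Ransom note names from the article; compared case-insensitively with
# spaces removed, so "Files encrypted !! .txt" and "FILES ENCRYPTED!!.txt" match.
RANSOM_NOTE_NAMES = {
    "HOW TO DECRYPT YOUR DATA.txt",
    "Readme to restore your files.txt",
    "Decryption instructions.txt",
    "FILES ENCRYPTED.txt",
    "Files encrypted !! .txt",
}
_NOTE_KEYS = {n.lower().replace(" ", "") for n in RANSOM_NOTE_NAMES}

# Hashes from the article's IOC section; assumed to be MD5 from their length.
KNOWN_MD5 = {
    "0aaad9fd6d9de6a189e89709e052f06b",
    "bd3e58a09341d6f40bf9178940ef6603",
    "38dd369ddf045d1b9e1bfbb15a463d4c",
}


def looks_encrypted(name):
    """True for 'invoice.xlsx.arena': the final suffix is a CrySIS extension
    that was appended after an original extension. A plain 'logo.gif' or
    'run.bat' has only one suffix and is not flagged."""
    parts = name.lower().split(".")
    return len(parts) >= 3 and parts[-1] in CRYSIS_EXTENSIONS and parts[-2] != ""


def is_ransom_note(name):
    return name.lower().replace(" ", "") in _NOTE_KEYS


def md5_of(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def triage(root, known_md5=KNOWN_MD5):
    """Walk `root` and return encrypted files, ransom notes and hash hits."""
    findings = {"encrypted": [], "notes": [], "hash_hits": []}
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        if looks_encrypted(p.name):
            findings["encrypted"].append(str(p))
        if is_ransom_note(p.name):
            findings["notes"].append(str(p))
        if md5_of(p) in known_md5:
            findings["hash_hits"].append(str(p))
    return findings


def build_demo_tree():
    """Constructed sample tree (not real victim data) for a dry run."""
    root = Path(tempfile.mkdtemp(prefix="crysis_demo_"))
    (root / "finance").mkdir()
    (root / "finance" / "invoice.xlsx.arena").write_bytes(b"\x00" * 64)
    (root / "finance" / "FILES ENCRYPTED.txt").write_text("all your data ...")
    (root / "pictures").mkdir()
    (root / "pictures" / "logo.gif").write_bytes(b"GIF89a")   # benign, must not flag
    (root / "build").mkdir()
    (root / "build" / "run.bat").write_text("@echo off")       # benign, must not flag
    (root / "dropper.exe").write_bytes(b"MZ constructed sample, not malware")
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    for kind, paths in triage(demo).items():
        print(kind, paths)
```

Hash matching is the weakest of the three signals: the group repacks its binaries often, so a miss on the three hashes says nothing, while an appended CrySIS extension next to a ransom note is a reliable sign of encryption. Extend KNOWN_MD5 with hashes from your own incident when you have them; triage() takes the set as a parameter for that reason.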


If you have been a victim of this attack you can contact the SecNews research team by clicking on https://www.secnews.gr/ask-us/.

For privacy reasons, the names of the Greek companies that have fallen victim to CrySIS/Dharma ransomware are not disclosed.
