According to several reports from small, medium-sized and large businesses in Greece, during 2019 the CrySIS or Dharma ransomware, which has been terrorising its victims since 2016, has infected several companies.
While the global online community believed that the reign of CrySIS ransomware was over, several Greek companies prove otherwise: they have fallen victim to the malware and, most of them, paid large sums of money to have their files decrypted.
In fact, Malwarebytes Labs recorded a 148% increase in CrySIS ransomware attacks worldwide from February to March 2019.
In the Greek business world, the ransomware seems to have troubled several companies that considered themselves untouchable or never expected to be targeted by hackers.
According to SecNews research, the hackers behind the attacks are purely after the money they demand as ransom. This means that the companies are not the target of personal interests or conspiracies by their competitors.
The hackers act as "professionals": as soon as they receive the ransom, they send the decryption key for the files.
According to SecNews research, Chinese and/or Russian hacking groups are probably behind the attacks. These are organized groups that have made millions (!) of dollars [see $500.000.000 million] from malicious activity.
What is CrySIS/ Dharma ransomware and how does it work?
CrySIS / Dharma targets Windows systems and is aimed mainly at businesses. It uses several distribution methods:
- CrySIS is distributed as a malicious attachment to spam emails. Specifically, the malicious attachments use double file extensions, which under the default Windows settings may appear to be non-executable while they actually are.
- CrySIS can also arrive disguised as an installation file for legitimate software, including that of AV vendors. The hackers behind CrySIS offer "innocent" installers for various legitimate applications as downloadable executables, distributed through various websites and public networks.
- Most of the time, CrySIS / Dharma is delivered manually in targeted attacks, using leaked or weak RDP credentials. This means that the attacker first gains access to the victim's machine by brute-forcing the Windows RDP protocol on port 3389.
In a recent attack, CrySIS was sent as a download link in a spam email. The link redirected to a password-protected installer. The password was given to the potential victims in the email, and in addition to the CrySIS / Dharma executable, the installer contained an outdated removal tool from a well-known security vendor.
This social engineering strategy was used to allay users' suspicions: seeing a familiar security solution in the installation package, they consider the download safe.
Once CrySIS infects a system, it creates registry entries and encrypts almost every type of file, skipping system files and the malware's own files. It performs the encryption with a strong scheme (AES-256 combined with RSA-1024 asymmetric encryption) and applies it to fixed, removable and network drives.
Before encryption, CrySIS deletes all Windows Restore Points by executing the command `vssadmin delete shadows /all /quiet`.
The Trojan that drops the ransomware collects the computer name and the number of encrypted files of certain formats, and sends them to a remote C2 server controlled by the hacker. On some Windows versions it also tries to run with administrator rights, widening the set of files it can encrypt.
After a successful RDP attack, it was observed that before executing the ransomware payload, CrySIS uninstalls the security software installed on the system.
When CrySIS completes the encryption, it leaves a note on the desktop stating how much the victim has to pay to recover its files, along with two email addresses for contacting the hackers.
The ransom demanded is usually around 1 Bitcoin, but there have been cases where the price appears to have been adjusted to the income of the affected company. Financially sound companies often pay more.
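The shadow-copy deletion above is one of the few loud, pre-encryption signals a defender gets, so it is worth alerting on it from process-creation telemetry (Sysmon Event ID 1 or Windows Event ID 4688). The following is an added example, not code from the article or from SecNews: it runs a small rule set over constructed sample events in a pipe-separated format that is assumed for illustration. It goes slightly beyond the page by also matching the equivalent WMIC shadow-copy deletion, and it collapses whitespace in the command line so that spacing variations do not evade the match.

```python
"""Flag process-creation events that delete Volume Shadow Copies (CrySIS pre-encryption step)."""
import re
from dataclasses import dataclass

# Constructed sample of process-creation events (timestamp|host|user|image|command line).
# This is illustrative data, not real telemetry; the record format is an assumption.
SAMPLE_EVENTS = [
    "2019-03-04T10:12:01|WS-FIN-07|CORP\\mlee|C:\\Windows\\System32\\vssadmin.exe|vssadmin list shadows",
    "2019-03-04T10:15:43|WS-FIN-07|WS-FIN-07\\Administrator|C:\\Windows\\System32\\vssadmin.exe|vssadmin  delete shadows /all /quiet",
    "2019-03-04T10:15:44|WS-FIN-07|WS-FIN-07\\Administrator|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic shadowcopy delete",
    "2019-03-04T10:16:02|WS-FIN-07|CORP\\mlee|C:\\Program Files\\Mozilla Firefox\\firefox.exe|\"C:\\Program Files\\Mozilla Firefox\\firefox.exe\" https://example.test",
]


@dataclass
class Alert:
    timestamp: str
    host: str
    user: str
    technique: str
    command_line: str


# Each rule: (technique name, regex on the image basename, regex on the normalized command line).
# Matching is case-insensitive because Windows paths and arguments are.
RULES = [
    ("vssadmin shadow deletion", r"^vssadmin\.exe$", r"\bdelete\s+shadows\b"),
    ("wmic shadow deletion", r"^wmic\.exe$", r"\bshadowcopy\b.*\bdelete\b"),
]


def parse_event(line):
    """Split one pipe-separated record into its fields (the command line may itself contain '|')."""
    ts, host, user, image, cmdline = line.split("|", 4)
    return {"timestamp": ts, "host": host, "user": user, "image": image, "command_line": cmdline}


def detect(lines):
    """Return an Alert for every event whose image and command line match a rule."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        # Match on the basename only, so the rule works regardless of where the binary lives.
        image_name = ev["image"].replace("/", "\\").rsplit("\\", 1)[-1]
        # Collapse runs of whitespace so 'delete   shadows' still matches.
        cmd = " ".join(ev["command_line"].split())
        for technique, image_re, cmd_re in RULES:
            if re.search(image_re, image_name, re.I) and re.search(cmd_re, cmd, re.I):
                alerts.append(Alert(ev["timestamp"], ev["host"], ev["user"], technique, cmd))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a.timestamp} {a.host} {a.user}: {a.technique} -> {a.command_line}")
```

Note that `vssadmin list shadows` is not flagged: enumeration is routine administrative activity, while deletion of all shadows outside a change window almost never is.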
How to protect yourself?
Although you have the option of using other software to work remotely on your office computers, RDP is essentially a secure and easy-to-use protocol with a client pre-installed on Windows systems and clients available for other operating systems. There are some steps you can take to make it much harder for someone to reach your network through unauthorized RDP connections:
- Use strong passwords to make it harder for a brute-force attack to succeed.
- Do not turn off Network Level Authentication (NLA), as it provides an additional layer of authentication. Turn it on if it was not already enabled.
- Change the RDP port so that port scanners looking for open RDP ports miss yours. By default, the server listens on port 3389 for both TCP and UDP.
- Or use a Remote Desktop Gateway server, which also gives you some additional security and operational advantages such as 2FA. The logs of RDP sessions can be very useful when you want to audit who did what. Because these logs are not kept on the compromised machine, they are harder for hackers to tamper with.
- Restrict access to specific IP addresses, where possible. There should be no need for many IPs to have access to RDP.
- There are many ways to escalate user privileges on Windows computers, even over RDP, but all the known methods have been patched. So, as always, make sure your systems are fully patched and up to date.
- Use an effective and easy-to-use backup strategy. Relying on Restore Points is not enough and is completely useless when the ransomware deletes them first, as CrySIS does.
- Train your staff about phishing attacks and raise awareness of cyber security.
- Finally, use a multi-layered, advanced security solution to protect your machines from ransomware attacks.
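The list above is configuration advice; the companion detection side is watching the logon events that an RDP brute-force attack leaves behind. The following is an added example, not code from the article or from SecNews. It runs over constructed Windows Security events (4625 = failed logon, 4624 = successful logon, LogonType 10 = RemoteInteractive, i.e. RDP) and raises three kinds of alert: a burst of failures from one source address, a successful RDP logon from an address outside an assumed allowlist (the "restrict access to specific IPs" item), and a success that follows such a burst. The allowlist range, thresholds and event records are assumptions made for the example.

```python
"""Detect RDP brute force and non-allowlisted RDP logons from Windows logon events."""
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of Windows Security events; not real log data.
# 4625 = failed logon, 4624 = successful logon, logon_type 10 = RemoteInteractive (RDP).
SAMPLE_EVENTS = [
    {"time": "2019-03-05T02:00:01", "id": 4625, "logon_type": 10, "user": "administrator", "src": "203.0.113.45"},
    {"time": "2019-03-05T02:00:07", "id": 4625, "logon_type": 10, "user": "administrator", "src": "203.0.113.45"},
    {"time": "2019-03-05T02:00:13", "id": 4625, "logon_type": 10, "user": "administrator", "src": "203.0.113.45"},
    {"time": "2019-03-05T02:00:19", "id": 4625, "logon_type": 10, "user": "administrator", "src": "203.0.113.45"},
    {"time": "2019-03-05T02:00:25", "id": 4625, "logon_type": 10, "user": "administrator", "src": "203.0.113.45"},
    {"time": "2019-03-05T02:00:31", "id": 4625, "logon_type": 10, "user": "administrator", "src": "203.0.113.45"},
    {"time": "2019-03-05T02:00:41", "id": 4624, "logon_type": 10, "user": "administrator", "src": "203.0.113.45"},
    {"time": "2019-03-05T08:30:00", "id": 4624, "logon_type": 10, "user": "mlee", "src": "192.0.2.10"},
    {"time": "2019-03-05T09:00:00", "id": 4625, "logon_type": 10, "user": "mlee", "src": "192.0.2.10"},
    {"time": "2019-03-05T09:05:00", "id": 4624, "logon_type": 2, "user": "mlee", "src": "-"},  # local console logon, ignored
]

# Assumed allowlist: the only range (e.g. a VPN concentrator or RD Gateway) that may open RDP sessions.
ALLOWED_SOURCES = [ipaddress.ip_network("192.0.2.0/24")]
FAIL_THRESHOLD = 5              # failures from one source within WINDOW that count as a brute-force burst
WINDOW = timedelta(minutes=5)


def analyze(events, allowed=ALLOWED_SOURCES, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return (kind, source, user, time) tuples for suspicious RDP logon activity."""
    alerts = []
    recent_failures = defaultdict(deque)   # source IP -> timestamps of failed RDP logons inside the window
    flagged_bursts = set()                 # sources already reported, so a burst is alerted once
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["logon_type"] != 10:
            continue                       # only RDP sessions are of interest here
        ts = datetime.fromisoformat(ev["time"])
        src = ipaddress.ip_address(ev["src"])
        failures = recent_failures[src]
        while failures and ts - failures[0] > window:
            failures.popleft()             # slide the window forward
        if ev["id"] == 4625:
            failures.append(ts)
            if len(failures) >= threshold and src not in flagged_bursts:
                flagged_bursts.add(src)
                alerts.append(("rdp_bruteforce", str(src), ev["user"], ev["time"]))
        elif ev["id"] == 4624:
            if not any(src in net for net in allowed):
                alerts.append(("rdp_logon_outside_allowlist", str(src), ev["user"], ev["time"]))
            if len(failures) >= threshold:
                # The attacker guessed right: this is the moment CrySIS gets its foothold.
                alerts.append(("rdp_logon_after_bruteforce", str(src), ev["user"], ev["time"]))
    return alerts


if __name__ == "__main__":
    for kind, src, user, when in analyze(SAMPLE_EVENTS):
        print(f"{when} {kind}: {user} from {src}")
```

One tuning caveat: when NLA is enabled (as recommended above), failed RDP credential checks are frequently recorded with LogonType 3 rather than 10, so a production rule should accept both and rely on the source address to separate RDP from other network logons.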
Ransom.Crysis is known to use these extensions for encrypted files:
.crysis, .dharma, .wallet, .java, .adobe, .viper1, .write, .bip, .zzzzz, .viper2, .arrow, .gif, .xtbl, .onion, .cezar, .combo, .cesar, .cmb, .AUF, .arena, .brrr, .btc, .cobra, .gamma, .heets, .monro, .USA, .bkp, .xwx, .best, .bgtx, .boost, .waifu, .qwe, .ETH, .bet, ta, .air, .vanss, .888, .FUNNY, .amber, .gdb, .frend, .like, .KARLS, .xxxxx, .aqva, .lock, .korea, .plomb, .tron, .NWA, .AUDIT, .com, .cccmn, .azero, .Bear, .bk666, .fire, .stun, .myjob, .ms13, .war, .carcn, .risk, .btix, .bkpx, .he, .ets, .santa, .gate, .bizer, .LOVE, .LDPR, .MERS, .bat, .qbix, .aa1, and .wal
So far, the following ransom note names have been identified:
- HOW TO DECRYPT YOUR DATA.txt
- Readme to restore your files.txt
- Decryption instructions.txt
- FILES ENCRYPTED.txt
- Files encrypted!!.txt
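The extension and ransom-note lists above are the indicators an incident responder sweeps file shares for. Several of the extensions (.java, .gif, .com, .bat, .war, .lock) also belong to perfectly ordinary files, so a scanner that matches bare extensions will drown in false positives. The following is an added example, not code from the article or from SecNews: it walks a directory tree built in a temporary folder from constructed file names, flags the listed ransom-note names exactly, and treats an extension as a strong indicator only when it follows the victim id and contact e-mail that Dharma inserts into renamed files (a naming convention assumed from public analyses of the family, not stated on this page); bare, unambiguous extensions are reported separately as weak hits.

```python
"""Scan a directory tree for CrySIS/Dharma indicators: ransom notes and renamed encrypted files."""
import os
import re
import tempfile

# Subset of the extensions listed in the article, lower-cased for comparison.
CRYSIS_EXTENSIONS = {
    "crysis", "dharma", "wallet", "java", "adobe", "arrow", "bip", "cezar", "combo",
    "gamma", "heets", "btc", "cmb", "arena", "brrr", "bkp", "xwx", "lock", "gif", "com", "bat", "war",
}
# Extensions that also occur on ordinary files; trust them only together with the id/e-mail marker.
AMBIGUOUS = {"java", "gif", "com", "bat", "war", "lock", "bkp", "adobe", "arrow"}
# Ransom note file names from the article (matched case-insensitively).
RANSOM_NOTES = {
    "how to decrypt your data.txt", "readme to restore your files.txt",
    "decryption instructions.txt", "files encrypted.txt", "files encrypted!!.txt",
}
# Assumed renaming pattern: <original>.id-<victim id>.[<contact e-mail>].<extension>
MARKER = re.compile(r"\.id-[0-9A-Za-z]+\.\[[^\]]+\]\.([A-Za-z0-9]+)$")


def classify(filename):
    """Return 'ransom_note', 'encrypted', 'encrypted_weak', or None for one file name."""
    lower = filename.lower()
    if lower in RANSOM_NOTES:
        return "ransom_note"
    m = MARKER.search(filename)
    if m and m.group(1).lower() in CRYSIS_EXTENSIONS:
        return "encrypted"                      # id + e-mail + known extension: high confidence
    ext = lower.rsplit(".", 1)[-1] if "." in lower else ""
    if ext in CRYSIS_EXTENSIONS and ext not in AMBIGUOUS:
        return "encrypted_weak"                 # bare extension that has no benign meaning
    return None


def scan(root):
    """Walk root recursively and group matching paths by indicator type."""
    findings = {"ransom_note": [], "encrypted": [], "encrypted_weak": []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            kind = classify(name)
            if kind:
                findings[kind].append(os.path.join(dirpath, name))
    return findings


def build_sample_tree():
    """Create a constructed directory tree (empty files) mimicking a partially hit file share."""
    root = tempfile.mkdtemp(prefix="crysis_demo_")
    os.makedirs(os.path.join(root, "finance"))
    names = [
        os.path.join("finance", "budget.xlsx.id-1A2B3C4D.[payme@example.test].dharma"),
        os.path.join("finance", "contract.pdf.id-1A2B3C4D.[payme@example.test].java"),
        "FILES ENCRYPTED.txt",
        "photo.jpg.crysis",   # renamed without the marker: weak hit
        "Main.java",          # ordinary source file: must not be flagged
        "logo.gif",           # ordinary image: must not be flagged
    ]
    for rel in names:
        open(os.path.join(root, rel), "wb").close()
    return root


if __name__ == "__main__":
    result = scan(build_sample_tree())
    for kind, paths in result.items():
        print(f"{kind}: {len(paths)}")
        for p in paths:
            print("   ", p)
```

On a real share, a non-empty `encrypted` or `ransom_note` bucket is the trigger to isolate the host and pull the RDP logon history described earlier; the `encrypted_weak` bucket is a review queue rather than an alert.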
Common file hashes:
If you have been a victim of this attack, you can contact the SecNews research team at https://www.secnews.gr/ask-us/.
For privacy reasons, the names of the Greek companies that have fallen victim to the CrySIS / Dharma ransomware are not disclosed.