CrySiS: Ransomware Variant Impacting New Jersey Organizations

March 9, 2017

TLP: WHITE | The NJCCIC assesses with high confidence that organizations with insecure remote desktop protocol (RDP) configurations on their networks are at risk of infection with CrySiS ransomware and other variants that opportunistically seek out networks with poorly authenticated RDP access. Since the beginning of 2017, 64 percent of ransomware incidents reported to the NJCCIC involved networks infected with the CrySiS variant. In addition to phishing emails, the hackers behind CrySiS are increasingly infecting victims by compromising remote desktop protocol (RDP) connections through brute force attacks and manually installing the malware onto a targeted system. Although files encrypted by earlier versions of CrySiS could be decrypted using a free, publicly available decryption tool, there is no publicly available decryption option for the current version. Therefore, in most cases, organizations impacted by CrySiS or other ransomware variants with no available decryption tool who do not have backups of their data face two options: accept the loss of their files or pay the ransom. The NJCCIC strongly discourages paying ransom of any kind, as it perpetuates the crime and does not guarantee the restoration of encrypted files, and instead encourages organizations to take proactive steps to reduce the risk of exposure to ransomware and limit the impact if infected.

  • CrySiS affects systems running the Windows operating system and is distributed primarily via malicious email attachments and RDP compromise. Once a system is infected, CrySiS injects itself into the registry to maintain persistence and encrypts all file types it encounters except for system files and malware files. CrySiS appends either .wallet or .dharma to the filenames of encrypted files; however, all incidents reported to the NJCCIC in 2017 involved the .wallet extension.
  • All CrySiS reports received thus far indicate that the criminals behind this campaign are using the @india.com email domain as their primary contact method. Most infections have displayed the same email address, stopper[@]india.com, indicating that a single actor or group is behind this campaign.
  • CryptON, also known as Nemesis and X3M, is another ransomware variant distributed manually via RDP brute force attacks to infect victims. Once executed, CryptON deletes system restore points to prevent victims from recovering files from Shadow Volume Copies, and encrypts all file types except for system files and the user profile folder. On March 7, the cybersecurity company Emsisoft released a publicly available decryption tool to help victims recover files encrypted by CryptON and avoid paying the ransom.

Recommendations

The NJCCIC recommends all organizations implement a robust data backup and restoration plan, which mitigates the risk of data loss resulting from ransomware. Backups should be scheduled as frequently as possible, tested regularly, and stored off the network in a separate and secure location. To mitigate the risk posed by CrySiS and other ransomware variants that exploit RDP, organizations should restrict or completely disable unnecessary remote access options. If RDP is necessary, implement a two-factor authentication solution to prevent brute force attempts against login credentials. The following are basic security measures to prevent ransomware infections; a comprehensive list of mitigation strategies and information on ransomware variants is available on the NJCCIC’s Ransomware Threat Profile.

  • Ensure anti-virus or endpoint protection software is kept up-to-date with the latest virus definitions.
  • Update operating systems, web browsers, plugins, and other applications as soon as security patches are available; if possible, enable automatic updates.
  • Implement application whitelisting to prevent unauthorized or malicious software from executing.
  • Follow the Principle of Least Privilege for all user accounts and enable User Account Control (UAC) to prevent unauthorized changes to account privileges.
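
Organizations that must keep RDP exposed can also review logon records for the brute-force pattern described above. The following is an added example, not part of the NJCCIC advisory: it flags source addresses with repeated failed remote logons (Windows Security event 4625) in a short window and notes any successful logon (event 4624) that follows. The record layout, sample data, threshold and window are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records, not real logs. Assumed export layout:
# time,event ID,logon type,source IP,account
SAMPLE_EVENTS = """\
2017-03-01T02:10:00,4625,10,203.0.113.7,administrator
2017-03-01T02:10:20,4625,10,203.0.113.7,administrator
2017-03-01T02:10:45,4625,3,203.0.113.7,admin
2017-03-01T02:11:10,4625,3,203.0.113.7,admin
2017-03-01T02:11:30,4625,10,203.0.113.7,backup
2017-03-01T02:12:40,4624,10,203.0.113.7,backup
2017-03-01T08:59:00,4625,10,198.51.100.20,jsmith
2017-03-01T08:59:30,4624,10,198.51.100.20,jsmith
2017-03-01T09:00:00,4625,2,-,jsmith
"""
FAILED, SUCCESS = 4625, 4624   # failed logon / successful logon
REMOTE_LOGON_TYPES = {3, 10}   # 10 = RemoteInteractive (RDP), 3 = Network (RDP with NLA)

def parse_events(text):
    """Turn the exported lines into time-ordered tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, event_id, logon_type, ip, account = line.split(",")
        events.append((datetime.fromisoformat(ts), int(event_id),
                       int(logon_type), ip, account))
    return sorted(events)

def find_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Flag IPs with >= threshold failed remote logons inside `window`
    (both values are assumptions to tune) and list later successes."""
    recent = defaultdict(deque)    # ip -> failure times still inside the window
    targeted = defaultdict(set)    # ip -> account names it tried
    findings = {}
    for ts, event_id, logon_type, ip, account in events:
        if logon_type not in REMOTE_LOGON_TYPES:
            continue               # ignore console and other local logons
        if event_id == FAILED:
            q = recent[ip]
            q.append(ts)
            targeted[ip].add(account)
            while ts - q[0] > window:
                q.popleft()        # drop failures that aged out of the window
            if len(q) >= threshold:
                hit = findings.setdefault(ip, {"peak_failures": 0, "succeeded_as": []})
                hit["peak_failures"] = max(hit["peak_failures"], len(q))
        elif event_id == SUCCESS and ip in findings:
            findings[ip]["succeeded_as"].append(account)  # likely guessed password
    for ip, hit in findings.items():
        hit["targeted"] = sorted(targeted[ip])
    return findings
```

A non-empty `succeeded_as` list for a flagged address marks an account to treat as compromised: reset its credentials and review what that session did on the host.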

If your organization is impacted by CrySiS or any other ransomware variant, please report the incident to the NJCCIC using the Cyber Incident Reporting Form on our website or by calling (609) 963-6900 extension 7865.

Traffic Light Protocol: WHITE information may be distributed without restriction.