Greek Companies victims of CrySIS / Dharma ransomware! An Endless Attack?

February 7, 2020 | ethadmin | blog

According to several reports by small and medium-sized businesses and organizations in Greece, CrySIS or Dharma ransomware, which has been spreading terror to its victims since 2016, has infected several companies.

While the global online community felt that the tyranny of CrySIS ransomware was over, several Greek companies are reporting that they have been affected by the malware, most of them paying large sums of money to decrypt their files.

In fact, according to Malwarebytes Labs, there is an increase of 148% in CrySIS ransomware attacks from February to March 2019 globally.

In the Greek business world, ransomware seems to have bothered several companies who considered themselves untouchable or who never expected to be targeted by hackers.

According to SecNews’s research, the hackers behind the attacks have purely financial motives, demanding ransoms from their victims. Put simply, companies are not victims of personal interests or conspiracies by their competitors.

The hackers act as “professionals” and as soon as they receive the demanded ransom, they send the decryption key to the victims.

Based on SecNews’s evidence, Chinese and/or Russians are probably behind the attacks, and they act as organized groups that have made millions (!) of dollars [b. $ 500.000.000 million] from malicious activities.

CrySIS / Dharma targets Windows systems, aiming primarily at businesses, and using various distribution methods

CrySIS is distributed as malicious attachments to spam emails. Specifically, the malicious attachments use double file extensions, so that under default Windows settings they appear to be non-executable while they actually are executable.

CrySIS may also be disguised as installation files for legitimate software, including AV solutions. The hackers behind CrySIS offer apparently harmless installers for various legitimate applications as downloadable executable files, which are distributed through various websites and public networks.

Most of the time, CrySIS / Dharma is delivered manually during targeted attacks that exploit leaked or weak RDP credentials. This means that the attacker gains access to the victim's machines before the infection, by brute-forcing the Windows RDP service on port 3389.
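
The RDP password guessing described above leaves failed-logon records in the Windows Security log. The following detection sketch is an added example, not part of the original article: it flags source addresses with a burst of failed RDP logons and records whether a successful logon from the same address followed. The log lines, the CSV layout, the account names and the threshold are constructed assumptions; the event IDs and logon types are the standard Windows ones.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: time, Security event ID, LogonType, source IP, account.
# 4625 = failed logon, 4624 = successful logon. RDP logons appear as LogonType 10,
# or as LogonType 3 when Network Level Authentication is on.
SAMPLE_LOG = """\
2020-02-03T02:14:01,4625,3,203.0.113.7,administrator
2020-02-03T02:14:03,4625,3,203.0.113.7,admin
2020-02-03T02:14:05,4625,3,203.0.113.7,backup
2020-02-03T02:14:09,4625,3,203.0.113.7,administrator
2020-02-03T02:14:12,4625,3,203.0.113.7,scanner
2020-02-03T02:14:40,4624,10,203.0.113.7,scanner
2020-02-03T08:59:10,4625,10,10.0.4.21,m.papadopoulos
2020-02-03T08:59:31,4624,10,10.0.4.21,m.papadopoulos
"""

RDP_LOGON_TYPES = {"3", "10"}  # type 3 also covers SMB etc., so scope this to RDP hosts

def detect_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {source_ip: {"failures": n, "compromised": account or None}} for every
    address with at least `threshold` failed logons inside `window`."""
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    findings = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, ip, account = line.strip().split(",")
        if logon_type not in RDP_LOGON_TYPES:
            continue
        when = datetime.fromisoformat(ts)
        if event_id == "4625":
            queue = recent[ip]
            queue.append(when)
            while when - queue[0] > window:  # slide the window forward
                queue.popleft()
            if len(queue) >= threshold:
                entry = findings.setdefault(ip, {"failures": 0, "compromised": None})
                entry["failures"] = max(entry["failures"], len(queue))
        elif event_id == "4624" and ip in findings:
            # A success from an address that was just guessing passwords is the
            # event that needs an immediate response.
            if findings[ip]["compromised"] is None:
                findings[ip]["compromised"] = account
    return findings
```

A single mistyped password followed by a normal logon, as in the last two sample lines, stays below the threshold and is not reported.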

In a recent attack, CrySIS was delivered as a download link in a spam email. The link redirected to a password-protected installer. The password was given to potential victims in the email, and in addition to the CrySIS / Dharma executable, the installer contained an outdated removal tool from a known security vendor.

This social engineering strategy was used to keep users unsuspecting. Seeing a familiar security solution in the installation package, they immediately considered the download safe.

The Attack

Once CrySIS infects a system, it creates registry entries and encrypts virtually any file type, skipping system files and the malware's own files. It performs encryption using a strong encryption algorithm (AES-256 in combination with asymmetric RSA-1024 encryption), which is applied to fixed, removable and network drives.

Prior to encryption, CrySIS deletes all Windows Restore Points by running the vssadmin delete shadows /all /quiet command.
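
Because the shadow copies are deleted before encryption starts, that command line is an early warning worth alerting on. The following matcher is an added example, not part of the original article: it checks process-creation command lines for the vssadmin deletion and tolerates quoting, letter case, extra whitespace and cmd.exe caret escaping. The event records, host names and account names are constructed.

```python
import re

# Constructed process-creation records (fields as in Sysmon Event ID 1 / Security 4688).
SAMPLE_EVENTS = [
    {"host": "FS01", "user": r"CORP\svc_backup", "cmd": "vssadmin list shadows"},
    {"host": "FS01", "user": r"CORP\administrator",
     "cmd": "vssadmin delete shadows /all /quiet"},
    {"host": "APP02", "user": r"CORP\administrator",
     "cmd": r'"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete  Shadows /All /Quiet'},
    {"host": "APP03", "user": r"CORP\j.doe",
     "cmd": "cmd /c vss^admin delete shadows /all /quiet"},
    {"host": "WS11", "user": r"CORP\j.doe",
     "cmd": r"notepad C:\docs\vssadmin delete shadows.txt"},
]

def normalise(cmd):
    """Undo cmd.exe caret escaping and quoting, collapse whitespace, lower-case."""
    cmd = cmd.replace("^", "").replace('"', "")
    return re.sub(r"\s+", " ", cmd).strip().lower()

def deletes_shadow_copies(cmd):
    """True if the command line runs vssadmin with both 'delete' and 'shadows'."""
    tokens = normalise(cmd).split(" ")
    for i, token in enumerate(tokens):
        exe = re.split(r"[\\/]", token)[-1]  # drop any directory part
        if exe in ("vssadmin", "vssadmin.exe"):
            args = tokens[i + 1:]
            if "delete" in args and "shadows" in args:
                return True
    return False

def alerts(events):
    """Hosts and accounts that ran a shadow-copy deletion."""
    return [(e["host"], e["user"]) for e in events if deletes_shadow_copies(e["cmd"])]
```

Matching on whole tokens rather than substrings is what keeps the last sample record, a document that merely has the words in its file name, from raising an alert.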

A Trojan spread with the ransomware collects the computer name and the number of encrypted files of certain formats, and sends them to a remote C2 server controlled by the hackers. In some versions of Windows, it also tries to run with administrator privileges, thus expanding the list of files that can be encrypted.

After a successful RDP-based attack, it has been observed that before executing the ransomware payload, CrySIS uninstalled the security software installed on the system.

The Ransom

When CrySIS completes the encryption, it leaves a note on the desktop informing the victim of the amount he has to pay in order to retrieve his files, and providing two email addresses for contacting the hackers.

The ransom required is usually around 1 Bitcoin, but there have been cases where pricing seems to have been adjusted according to the income of the company affected. Economically advanced companies often pay more.

How to protect yourself?

Although you have the option of using other software to operate remotely on your work computers, RDP is essentially a secure and easy-to-use protocol with a pre-installed client on Windows systems, as well as clients available for other operating systems. Here are some steps you can take to make it much more difficult for someone to access your network through unauthorized RDP connections:

  1. To make it more difficult for a brute force attack to succeed, use strong passwords.
  2. Do not disable Network Level Authentication (NLA) as it offers an additional level of authentication. Turn it on if it wasn’t already.
  3. Change the RDP port so that port-scanners looking for open RDP ports can’t detect yours. By default, the server listens on port 3389 for both TCP and UDP.
  4. Alternatively, you can use a Remote Desktop Gateway server, which also gives you some additional security and functionality like 2FA. RDP session logs can be very useful when you want to review the various actions. As these logs are not stored on the hacked machine, it is more difficult for hackers to succeed in their attacks.
  5. Restrict access to specific IP addresses, if possible. There should be no need for many IPs to have RDP access.
  6. Use an effective and easy-to-use backup strategy.
  7. Train your staff on phishing attacks and raise awareness of cyber security.
  8. Finally, use a multilevel, advanced security solution to protect your machines from ransomware attacks.
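
Steps 2 and 3 can be checked from the registry on each host. The following audit is an added example, not part of the original article: it parses the text output of `reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /s` and reports a host where RDP is enabled without required NLA or on the default port. The sample output is constructed; the value names are the standard Windows ones.

```python
import re

# Constructed output of the reg query command, trimmed to the values this check reads.
SAMPLE_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server
    fDenyTSConnections    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
    PortNumber    REG_DWORD    0xd3d
    UserAuthentication    REG_DWORD    0x0
"""

# Value lines are indented; key path lines are not, so they never match.
VALUE_RE = re.compile(r"^\s+(\w+)\s+REG_DWORD\s+(0x[0-9a-fA-F]+)\s*$")

def parse_dwords(reg_output):
    """Map each REG_DWORD value name in the output to its integer value."""
    matches = (VALUE_RE.match(line) for line in reg_output.splitlines())
    return {m.group(1): int(m.group(2), 16) for m in matches if m}

def audit_rdp(reg_output):
    """Return findings for the hardening steps above; empty when RDP is off or hardened."""
    values = parse_dwords(reg_output)
    if values.get("fDenyTSConnections", 1) == 1:
        return []  # Remote Desktop is disabled, nothing is listening
    findings = []
    # A missing value is treated as "not confirmed" rather than as safe.
    if values.get("UserAuthentication", 0) != 1:
        findings.append("step 2: Network Level Authentication is not required")
    if values.get("PortNumber", 3389) == 3389:
        findings.append("step 3: listener is on the default port 3389")
    return findings
```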

CrySIS uses the following extensions for encrypted files:

.crysis, .dharma, .wallet, .java, .adobe, .viper1, .write, .bip, .zzzzz, .viper2, .arrow, .gif, .xtbl, .onion, .bip, .cezar, .combo, .cesar, .cmb, .AUF, .arena, .brrr, .btc, .cobra, .gamma, .heets, .java, .monro, .USA, .bkp, .xwx, .btc, .best, .bgtx, .boost, .heets, .waifu, .qwe, .gamma, .ETH, .bet, ta, .air, .vanss, .888, .FUNNY, .amber, .gdb, .frend, .like, .KARLS, .xxxxx, .aqva, .lock, .korea, .plomb, .tron, .NWA, .AUDIT, .com, .cccmn, .azero, .Bear, .bk666, .fire, .stun, .myjob, .ms13, .war, .carcn, .risk, .btix, .bkpx, .he, .ets, .santa, .gate, .bizer, .LOVE, .LDPR, .MERS, .bat, .qbix, .aa1, and .wal

The following ransom note file names have been identified so far:

  • HOW TO DECRYPT YOUR DATA.txt
  • Readme to restore your files.txt
  • Decryption instructions.txt
  • FILES ENCRYPTED.txt
  • Files encrypted!!.txt
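
Several extensions in the list above (.gif, .java, .com, .bat, .war) also belong to ordinary files, so an extension match alone is weak evidence. The following triage sketch is an added example, not part of the original article: it groups a file listing by folder and combines the ransom note names with a subset of the listed extensions. The file listing, the split into strong and ambiguous extensions, and the verdict labels are assumptions made for the example.

```python
import ntpath  # parses Windows paths on any OS
from collections import defaultdict

RANSOM_NOTES = {name.lower() for name in (
    "HOW TO DECRYPT YOUR DATA.txt", "Readme to restore your files.txt",
    "Decryption instructions.txt", "FILES ENCRYPTED.txt", "Files encrypted!!.txt")}

# Subsets of the extension list above (assumed split, extend as needed).
STRONG_EXTS = {".crysis", ".dharma", ".wallet", ".arena", ".cezar", ".combo", ".xtbl"}
AMBIGUOUS_EXTS = {".gif", ".java", ".com", ".bat", ".war", ".lock"}

# Constructed file listing, e.g. collected from a share inventory.
SAMPLE_LISTING = [
    r"D:\Shares\Finance\FILES ENCRYPTED.txt",
    r"D:\Shares\Finance\q4-report.xlsx.wallet",
    r"D:\Shares\Finance\payroll.db.java",
    r"D:\Shares\Dev\src\Main.java",
    r"D:\Shares\Dev\src\Util.java",
    r"D:\Shares\Web\img\logo.gif",
    r"C:\Users\maria\Desktop\notes.docx.arena",
]

def triage(paths):
    """Return {folder: verdict}. Folders with only ambiguous extensions are omitted."""
    folders = defaultdict(lambda: {"note": False, "strong": 0, "ambiguous": 0})
    for path in paths:
        folder, name = ntpath.split(path)
        ext = ntpath.splitext(name)[1].lower()
        stats = folders[folder]
        if name.lower() in RANSOM_NOTES:
            stats["note"] = True
        elif ext in STRONG_EXTS:
            stats["strong"] += 1
        elif ext in AMBIGUOUS_EXTS:
            stats["ambiguous"] += 1
    verdicts = {}
    for folder, stats in folders.items():
        if stats["note"] and (stats["strong"] or stats["ambiguous"]):
            verdicts[folder] = "encrypted"    # note plus renamed files
        elif stats["note"] or stats["strong"]:
            verdicts[folder] = "suspicious"   # one indicator only, needs a look
    return verdicts
```

A source tree full of .java files or an image folder with .gif files produces no verdict, while the same extension next to a ransom note counts toward an "encrypted" folder.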

Commonly used file hashes:

  • 0aaad9fd6d9de6a189e89709e052f06b
  • bd3e58a09341d6f40bf9178940ef6603
  • 38dd369ddf045d1b9e1bfbb15a463d4c