Threat spotlight: CrySIS, aka Dharma ransomware, causing a crisis for businesses

CrySIS, aka Dharma, is a family of ransomware that has been evolving since 2016. We have noticed that this ransomware has become increasingly active lately, increasing by a margin of 148 percent from February until April 2019. The uptick in detections may be due to CrySIS’ effective use of multiple attack vectors.

Profile of the CrySIS ransomware

CrySIS/Dharma, which Malwarebytes detects as Ransom.Crysis, targets Windows systems, and this family primarily targets businesses. It uses several methods of distribution:

In a recent attack, CrySIS was delivered as a download link in a spam email. The link pointed to a password-protected, self-extracting bundle installer. The password was given to the potential victims in the email and, besides the CrySIS/Dharma executable, the installer contained an outdated removal tool issued by a well-known security vendor.

This social engineering strategy worked to bring down user defenses. Seeing a familiar security solution in the installation package tricked users into believing the downloadable was safe, and the attack was successful.

The infection

Once CrySIS has infected a system, it creates registry entries to maintain persistence and encrypts practically every file type, while skipping system and malware files. It performs the encryption routine using a strong encryption algorithm (AES-256 combined with RSA-1024 asymmetric encryption), which is applied to fixed, removable, and network drives.

Before the encryption routine, CrySIS deletes all the Windows Restore Points by running the vssadmin delete shadows /all /quiet command.

The Trojan that drops the ransomware collects the computer’s name and a number of encrypted files by certain formats, sending them to a remote C2 server controlled by the threat actor. On some Windows versions, it also attempts to run itself with administrator privileges, thus extending the list of files that can be encrypted.

After a successful RDP-based attack, it has been observed that before executing the ransomware payload, CrySIS uninstalls security software installed on the system.

The ransom

When CrySIS has completed the encryption routine, it drops a ransom note on the desktop for the victim, providing two email addresses the victim can use to contact the attackers and pay the ransom. Some variants include one of the contact email addresses in the encrypted file names.

The ransom demand is usually around 1 Bitcoin, but there have been cases where pricing seems to have been adapted to match the revenue of the affected company. Financially sound companies often have to pay a larger ransomware sum.

Some of the older variants of CrySIS can be decrypted using free tools that have been made available through the NoMoreRansom project.

Countermeasures

While you do have a choice to deploy other software to remotely operate your work computers, RDP is essentially a safe and easy-to-use protocol with a client that comes pre-installed on Windows systems, as well as clients available for other operating systems. There are a few measures you can take to make it a lot harder to gain access to your network over unauthorized RDP connections:

IOCs

Ransom.Crysis has been known to append these extensions for encrypted files:

.crysis, .dharma, wallet, .java, .adobe, .viper1, .write, .bip, .zzzzz, .viper2, .arrow, .gif, .xtbl, .onion, .bip, .cezar, .combo, .cesar, .cmb, .AUF, .arena, .brrr, .btc, .cobra,  .gamma, .heets, .java, .monro, .USA, .bkp, .xwx, .btc, .best, .bgtx, .boost, .heets, .waifu, .qwe, .gamma, .ETH, .bet, ta, .air, .vanss, . 888, .FUNNY, .amber, .gdb, .frend, .like, .KARLS, .xxxxx, .aqva, .lock, .korea, .plomb, .tron, .NWA, .AUDIT, .com, .cccmn, .azero, .Bear, .bk666, .fire, .stun, .myjob, .ms13, .war, .carcn, .risk, .btix, .bkpx, .he, .ets, .santa, .gate, .bizer, .LOVE, .LDPR, .MERS, .bat, .qbix, .aa1, and .wal

The following ransom note names have been found:

Common file hashes:

COMMENTS