The Crysis server-side ransomware takes a victim's files hostage and then demands payment in exchange for a code or key that restores the victim's access to the seized files. Its primary methods of distribution have been phishing emails and successful brute force attacks against internet-facing Remote Desktop Protocol (RDP) servers. Crysis is just one of many ransomware families being used to extort money from victims.
- A malicious user performs a brute force attack against the RDP service on the target host.
- The malicious user successfully compromises the host via the RDP service.
- The malicious user requests the ransomware binary from a remote host.
- The ransomware binary is transferred to the compromised host.
- The malicious user interacts with the binary and causes it to execute.
The attacker must be able to send crafted packets to the target system.
Alert Logic Coverage
Alert Logic® has evaluated its customer base for exposure to the exploit and has developed signatures for mitigating the threat depending on the security service in place.
Detection of this threat is provided via the Alert Logic ActiveWatch for Log Manager™ service. Log messages are produced by the vulnerable system when an exploit of this type is leveraged. An incident will be generated in the Alert Logic console if these log messages are observed.
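As an added illustration of the log-based detection described above (example code written for this page, not Alert Logic's own signature logic), the following script correlates Windows Security events into the attack chain listed earlier: a burst of failed RDP logons (event ID 4625, logon type 10) from one source address, followed by a successful RDP logon (event ID 4624, logon type 10) from the same address. The line format, the threshold of five failures in five minutes and the sample log lines are all constructed assumptions for the example; the event IDs and logon type are Windows' real values.

```python
"""Correlate Windows Security events into an RDP brute-force finding.

Added example for this advisory. The key=value line format and the sample
records below are constructed; a real deployment would read forwarded
Security log events instead.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Windows Security event IDs and logon type (real values).
EVENT_LOGON_FAILED = 4625
EVENT_LOGON_SUCCESS = 4624
LOGON_TYPE_RDP = 10  # RemoteInteractive, i.e. Remote Desktop

# Assumed detection thresholds for this example.
FAIL_THRESHOLD = 5          # failures from one source address ...
WINDOW = timedelta(minutes=5)  # ... within this window

# Constructed sample lines (assumed forwarding format, not a real capture).
SAMPLE_LOG = """\
2016-09-01T02:14:01 EventID=4625 LogonType=10 Account=administrator SourceIP=198.51.100.23
2016-09-01T02:14:03 EventID=4625 LogonType=10 Account=admin SourceIP=198.51.100.23
2016-09-01T02:14:05 EventID=4625 LogonType=10 Account=administrator SourceIP=198.51.100.23
2016-09-01T02:14:07 EventID=4625 LogonType=10 Account=backup SourceIP=198.51.100.23
2016-09-01T02:14:09 EventID=4625 LogonType=10 Account=backup SourceIP=198.51.100.23
2016-09-01T02:14:11 EventID=4625 LogonType=10 Account=backup SourceIP=198.51.100.23
2016-09-01T02:14:20 EventID=4624 LogonType=10 Account=backup SourceIP=198.51.100.23
2016-09-01T09:00:00 EventID=4624 LogonType=10 Account=jsmith SourceIP=192.0.2.10
2016-09-01T09:05:00 EventID=4625 LogonType=10 Account=jsmith SourceIP=192.0.2.10
2016-09-01T09:05:30 EventID=4624 LogonType=3 Account=jsmith SourceIP=192.0.2.10
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<ltype>\d+) "
    r"Account=(?P<acct>\S+) SourceIP=(?P<ip>\S+)$"
)


def parse_events(text):
    """Parse the constructed key=value lines into (timestamp, event_id, logon_type, account, ip)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that are not logon events in this format
        events.append((datetime.fromisoformat(m["ts"]), int(m["eid"]),
                       int(m["ltype"]), m["acct"], m["ip"]))
    return sorted(events, key=lambda e: e[0])


def detect_rdp_bruteforce(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return one finding per source IP that produced a burst of failed RDP logons.

    A finding records how many failures were seen, which accounts were tried,
    and the account of the first successful RDP logon after the burst (if any),
    which is the step where the chain turns from an attempt into a compromise.
    """
    by_ip = defaultdict(list)
    for ts, eid, ltype, acct, ip in events:
        if ltype == LOGON_TYPE_RDP:
            by_ip[ip].append((ts, eid, acct))

    findings = []
    for ip, recs in by_ip.items():
        failures = [r for r in recs if r[1] == EVENT_LOGON_FAILED]
        for i, (t0, _, _) in enumerate(failures):
            # Failures within the window starting at this one.
            burst = [r for r in failures[i:] if r[0] <= t0 + window]
            if len(burst) < threshold:
                continue
            last_fail = burst[-1][0]
            success = next((r for r in recs
                            if r[1] == EVENT_LOGON_SUCCESS and r[0] > last_fail), None)
            findings.append({
                "source_ip": ip,
                "failed_attempts": len(burst),
                "accounts_tried": sorted({r[2] for r in burst}),
                "successful_account": success[2] if success else None,
                "outcome": "compromise" if success else "attempt",
            })
            break  # one finding per source address
    return findings


if __name__ == "__main__":
    for f in detect_rdp_bruteforce(parse_events(SAMPLE_LOG)):
        print(f)
```

The benign host at 192.0.2.10 produces one failure and two successes (one of them a network logon, type 3, which is not RDP), so it is never reported; only the burst of six failures followed by a type 10 success is raised, and the finding names the account the attacker ended up with, which is the account to disable or reset first.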
Recommendations for Mitigation
The attacker must have exploited some other entry vector to gain access to the local victim host. Ensure that all software on internet-facing hosts is up-to-date.