
Two weeks ago, we observed a ransomware attack on a server owned by a French company. It was one of the variants of the Crysis ransomware family. Every day we see thousands of infection attempts by ransomware, but this incident caught our attention because the file had somehow appeared on a computer that supposedly was not in use and should not have been in use, and no mail client or web browser was running on it.
How did it get onto the computer?
Why did the security tools on the server let this file through? We decided to find the answer to this question, and so we began our research. It turned out that Remote Desktop Protocol (RDP) was running on this server, and the cybercriminals had used a brute-force attack, which allowed them to guess the login credentials and gain remote access to the server.
A bit of history: most users do not enable two-factor authentication, and their passwords are not especially complex or random, so it is enough to reach the server with this type of brute-force attack, using a good dictionary or trying the most frequently used combinations. This technique is not new. I remember that more than a year ago a wave of ransomware using exactly the same technique hit Spanish companies. As a rule, cybercriminals carry out such attacks at night or during weekends, when there are few people in the office or none at all.
Cybercriminals infiltrated the server using a brute-force attack, guessing passwords with a good dictionary or by trying the most frequently used combinations. In this case, the attack on the server began on May 16, when 700 connection attempts were made. They were carried out automatically, over approximately two hours. Most of these attacks took place between 1 and 3 o'clock or between 3 and 5 o'clock at night, every day. The number of connection attempts varied: for example, on May 18 there were 1976, and on July 1 there were 1342.
After almost four months and more than 100,000 connection attempts, the attackers finally managed to break into the server and launch the Crysis ransomware.
This is a worldwide Crysis
This week, our colleagues at Trend Micro published an article warning of similar attacks in Australia and New Zealand, in which Crysis variants were also used. Unfortunately, we can say that these attacks were not confined to those countries: they are being carried out all over the world (at least since May).
If you need to have RDP running and exposed to the Internet, then in addition to monitoring connection attempts, which will let you know when you are under attack, you should also use complex passwords. The best option is to implement two-factor authentication, for example with a password sent via SMS, which makes password guessing a useless exercise.
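The monitoring recommended above, and the nightly pattern of several hundred to a couple of thousand attempts described earlier, can be turned into a simple detector. The following script is an added example, not part of the original article or any Panda Security tooling: it assumes failed RDP logons (Windows Security event 4625, Logon Type 10) have already been exported as "timestamp,source_ip,account" lines, and the sample records it uses are constructed, not from the real incident.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample records (not real data): each line mimics a Windows
# Security event 4625 (failed logon) with Logon Type 10 (RDP), reduced to
# "timestamp,source_ip,account".  The burst at 01:00 stands in for the
# nightly attacks the article describes; the two 14:03 lines are a user typo.
_START = datetime(2016, 5, 16, 1, 2, 11)
SAMPLE_LOG = "\n".join(
    [f"{(_START + timedelta(seconds=9 * i)).strftime('%Y-%m-%d %H:%M:%S')},203.0.113.7,{u}"
     for i, u in enumerate(["administrator", "admin", "user", "test"] * 10)]
    + ["2016-05-16 14:03:40,198.51.100.9,jdupont",
       "2016-05-16 14:03:52,198.51.100.9,jdupont"]
)


def parse_failed_logons(text):
    """Parse 'timestamp,source_ip,account' lines into (datetime, ip, account) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, account = line.split(",", 2)
        records.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), ip, account))
    return records


def failed_logons_per_hour(records):
    """Count failed logons per (source_ip, calendar hour)."""
    return Counter((ip, ts.replace(minute=0, second=0)) for ts, ip, _ in records)


def detect_bruteforce(records, threshold=20, quiet_hours=range(0, 6)):
    """Flag every source that exceeds `threshold` failures within one hour.

    Hits inside `quiet_hours` (default 00:00-05:59, matching the 1-5 AM
    window seen in the article) are marked off_hours so they can be escalated.
    """
    alerts = []
    for (ip, hour), count in sorted(failed_logons_per_hour(records).items()):
        if count < threshold:
            continue
        accounts = {a for ts, i, a in records
                    if i == ip and ts.replace(minute=0, second=0) == hour}
        alerts.append({"source_ip": ip, "hour": hour.isoformat(), "failures": count,
                       "accounts_tried": len(accounts), "off_hours": hour.hour in quiet_hours})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(parse_failed_logons(SAMPLE_LOG)):
        print(alert)
```

A single source trying several accounts per hour during the night is the signature of the dictionary attack in this incident; the thresholds are starting points to tune against your own baseline of legitimate failures.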
Article author: Luis Corrons