Rewterz Threat Alert – CrySIS (aka Dharma) Ransomware Active Again

Severity

Medium

Analysis Summary

CrySIS, aka Dharma, is a family of ransomware that has been evolving since 2006 and actively targeting different businesses via email attachment or installable files masquerading as a legitimate application. It is most commonly delivered through RDP. The attackers obtain the RDP credentials through leaks or brute forcing weak credentials. Once installed the malware achieves persistence through registry entries and may, on certain versions of Windows, attempt to run with administrator privileges. This would allow for a greater number of files which it can encrypt. Once the encryption routines have been completed and certain details have been sent to a C&C server, a ransom note is put on the infected system’s desktop. Malwarebytes notes that typically the ransom amount is 1 Bitcoin but this can vary and may be adjusted depending on the revenue of the target company. 

Impact

• File encryption
• Loss of sensitive information

Indicators of Compromise

Filename

• README.txt
• HOW TO DECRYPT YOUR DATA.txt
• Readme to restore your files.txt
• Decryption instructions.txt
• FILES ENCRYPTED.txt
• Files encrypted!!.txt
• Info.hta

Malware Hash (MD5/SHA1/SH256)

• 0aaad9fd6d9de6a189e89709e052f06b 
• bd3e58a09341d6f40bf9178940ef6603 
• 38dd369ddf045d1b9e1bfbb15a463d4c 

Remediation

• Block all threat indicators at your respective controls
• Always be suspicious about emails sent by unknown senders
• Never click on link/attachments sent by unknown senders