CrySIS, aka Dharma, is a family of ransomware that has been evolving since 2006 and actively targets businesses via email attachments or installable files masquerading as a legitimate application. It is most commonly delivered through RDP: the attackers obtain RDP credentials through leaks or by brute forcing weak credentials. Once installed, the malware achieves persistence through registry entries and may, on certain versions of Windows, attempt to run with administrator privileges, which increases the number of files it is able to encrypt. Once the encryption routines have completed and certain details have been sent to a C&C server, a ransom note is placed on the infected system's desktop. Malwarebytes notes that the ransom amount is typically 1 Bitcoin, but this can vary and may be adjusted depending on the revenue of the target company.
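Because the delivery path described above is RDP with leaked or brute-forced credentials, the earliest detection opportunity is usually a burst of failed RemoteInteractive logons from one source followed by a success. The following is an added example, not code from the original page or from Malwarebytes, that runs that check over a handful of constructed events modelled on Windows Security log fields (EventID 4625 = failed logon, 4624 = successful logon, LogonType 10 = RemoteInteractive/RDP); the field names, thresholds and IP addresses are assumptions for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Field names are simplified
# stand-ins for the Windows Security log's EventID, LogonType, TargetUserName
# and IpAddress fields.
SAMPLE_EVENTS = [
    # One source hammers several accounts over RDP, then gets in as "backup".
    {"time": "2024-01-10T02:00:01", "event_id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "203.0.113.5"},
    {"time": "2024-01-10T02:00:20", "event_id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "203.0.113.5"},
    {"time": "2024-01-10T02:00:45", "event_id": 4625, "logon_type": 10, "user": "admin",         "src_ip": "203.0.113.5"},
    {"time": "2024-01-10T02:01:10", "event_id": 4625, "logon_type": 10, "user": "backup",        "src_ip": "203.0.113.5"},
    {"time": "2024-01-10T02:01:40", "event_id": 4625, "logon_type": 10, "user": "backup",        "src_ip": "203.0.113.5"},
    {"time": "2024-01-10T02:02:05", "event_id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "203.0.113.5"},
    {"time": "2024-01-10T02:04:00", "event_id": 4624, "logon_type": 10, "user": "backup",        "src_ip": "203.0.113.5"},
    # A user mistyping a password twice, then succeeding: below threshold, not flagged.
    {"time": "2024-01-10T02:05:00", "event_id": 4625, "logon_type": 10, "user": "jsmith",        "src_ip": "198.51.100.7"},
    {"time": "2024-01-10T02:06:00", "event_id": 4625, "logon_type": 10, "user": "jsmith",        "src_ip": "198.51.100.7"},
    {"time": "2024-01-10T02:08:00", "event_id": 4624, "logon_type": 10, "user": "jsmith",        "src_ip": "198.51.100.7"},
    # A console (LogonType 2) failure is outside the RDP scope of this check.
    {"time": "2024-01-10T02:09:00", "event_id": 4625, "logon_type": 2,  "user": "svc_backup",    "src_ip": "10.0.0.4"},
]


def parse_time(stamp):
    return datetime.fromisoformat(stamp)


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return {src_ip: finding} for every source that produced at least
    `threshold` failed RDP logons within `window`, noting whether an RDP
    success from the same source followed the burst (the "got in" case)."""
    by_ip = defaultdict(list)
    for ev in events:
        if ev["logon_type"] == 10:          # only RemoteInteractive (RDP) logons
            by_ip[ev["src_ip"]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: parse_time(e["time"]))
        failures = [e for e in evs if e["event_id"] == 4625]

        # Slide a window of `threshold` consecutive failures; flag the first
        # window whose first and last failure lie within `window`.
        burst_end = None
        for i in range(len(failures) - threshold + 1):
            first, last = failures[i], failures[i + threshold - 1]
            if parse_time(last["time"]) - parse_time(first["time"]) <= window:
                burst_end = parse_time(last["time"])
                break
        if burst_end is None:
            continue

        success = next(
            (e for e in evs if e["event_id"] == 4624 and parse_time(e["time"]) > burst_end),
            None,
        )
        findings[ip] = {
            "failed_attempts": len(failures),
            "users_tried": sorted({e["user"] for e in failures}),
            "success_after": success is not None,
            "account": success["user"] if success else None,
        }
    return findings


def main():
    for ip, finding in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        status = "SUCCEEDED" if finding["success_after"] else "ongoing"
        print(f"{ip}: {finding['failed_attempts']} RDP failures against "
              f"{finding['users_tried']}; brute force {status}"
              + (f" as {finding['account']}" if finding["account"] else ""))


if __name__ == "__main__":
    main()
```

Restricting the check to LogonType 10 keeps console and service logons out of the count, and tying the success to the same source after the burst separates a real compromise from a locked-out attacker; in production the same logic would be fed from the Security log (Event IDs 4625/4624) rather than the constructed list above.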
Indicators of Compromise
Malware Hash (MD5/SHA1/SHA256)