Hackers use new extortion strategy by combining the power of Crysis and Venus
Using two ransomware in one attack is a new level of threat for organizations.
Cybersecurity researchers from ASEC (AhnLab Security Emergency Response Center) discovered that Crysis ransomware operators are actively using Venus ransomware in their operations.
Crysis and Venus are well known for targeting Remote Desktop Protocol (RDP) services exposed on the internet. AhnLab Smart Defense (ASD) logs show that the attacks are launched via RDP.
Attackers use RDP as an attack vector and look for active and externally accessible systems. The hackers then carry out a brute-force or dictionary attack on vulnerable systems – weak credentials allow attackers to easily gain access to accounts on the system.
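The initial-access step described above, a credential-guessing burst against RDP followed by a successful logon, leaves a recognisable trace in the Windows Security log. The following is an added example, not code from the article or from ASEC, that flags that pattern over constructed sample events; it assumes Windows Security event IDs 4625 (failed logon) and 4624 (successful logon) with logon type 10 (RemoteInteractive, i.e. RDP).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records modelled on Windows Security log fields:
# (timestamp, EventID, LogonType, source IP, target account).
# EventID 4625 = failed logon, 4624 = successful logon, LogonType 10 = RDP.
# Illustrative data only, not real telemetry.
SAMPLE_EVENTS = [
    ("2024-01-10T02:00:01", 4625, 10, "203.0.113.7", "administrator"),
    ("2024-01-10T02:00:03", 4625, 10, "203.0.113.7", "admin"),
    ("2024-01-10T02:00:05", 4625, 10, "203.0.113.7", "backup"),
    ("2024-01-10T02:00:06", 4625, 10, "203.0.113.7", "sqlsvc"),
    ("2024-01-10T02:00:08", 4625, 10, "203.0.113.7", "it_admin"),
    ("2024-01-10T02:00:12", 4624, 10, "203.0.113.7", "it_admin"),
    ("2024-01-10T02:01:00", 4625, 10, "198.51.100.2", "jsmith"),  # one typo, benign
    ("2024-01-10T09:00:00", 4624, 10, "198.51.100.2", "jsmith"),
    ("2024-01-10T09:05:00", 4624, 2, "127.0.0.1", "jsmith"),      # not RDP, ignored
]

def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return one alert per source IP that produced >= `threshold` failed RDP
    logons inside `window`, listing any accounts that then logged on
    successfully from that IP within one further window (likely compromise)."""
    failures = defaultdict(list)   # source_ip -> failure timestamps
    successes = defaultdict(list)  # source_ip -> (timestamp, account)
    for ts, event_id, logon_type, src, account in events:
        if logon_type != 10:       # only RemoteInteractive (RDP) logons matter here
            continue
        t = datetime.fromisoformat(ts)
        if event_id == 4625:
            failures[src].append(t)
        elif event_id == 4624:
            successes[src].append((t, account))

    alerts = []
    for src, times in failures.items():
        times.sort()
        # Sliding window: the first run of `threshold` failures that fits in `window`.
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                burst_end = times[i + threshold - 1]
                compromised = [acct for t, acct in successes[src]
                               if burst_end <= t <= burst_end + window]
                alerts.append({"source": src, "failures": len(times),
                               "success_after_burst": compromised})
                break
    return alerts
```

A source that trips the threshold and then succeeds is the case to act on first: the account it landed on is the one the attacker will use for the reconnaissance and lateral movement described later in the article.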
In the Venus campaign, RDP again serves as the attack vector; once inside, the attacker installs several types of malware through “explorer.exe”, the legitimate Windows Explorer process.
Installation log of various malware
Moreover, the attacker has consistently used the Crysis ransomware to attack systems on the network and has similarly targeted RDP services exposed from the outside. If successful, the hacker would infect target systems with Crysis ransomware via RDP.
On the infected system, in addition to Venus and Crysis, the cybercriminal deploys various scanners and credential stealing tools, including Port Scanner and Mimikatz.
The attacker takes over the system via RDP and scans the network to determine whether the infected system belongs to a network of interest. If it does, the attacker performs internal reconnaissance, gathers credentials, and encrypts other systems on the network. Together, these actions enable lateral movement through the network.
Once launched, the Crysis ransomware displays a ransom note, and Venus in turn displays a ransom note in which the cybercriminal asks users to make contact within 48 hours.
Crysis (top) and Venus (bottom) ransom note
Such attacks are a reminder that ransomware remains a major threat to data and business security. They also highlight how attackers can exploit RDP to infiltrate systems and spread malware. Users are advised to keep their software updated, set strong passwords (especially for RDP services), back up their data, and be careful when opening unknown attachments or links.