Malware 'Crysis': New Strain Combines Multiple Threats, Platforms

By Wayne Rash  |  Posted 2016-06-08 Print this article Print
Crysis malware

NEWS ANALYSIS: The latest release of Crysis malware combines ransomware with a data breach, and then spreads on its own.

In some ways, the latest variation of Crysis (or Crisis, depending on whom you ask) malware either provides something for everyone, or it's a nightmare scenario, depending on how you look at it. When Crysis first came to light, it was a fairly typical, if annoying, form of ransomware. It would encrypt some files and then demand ransom, ostensibly offering to decrypt those files if you paid.

Things have changed. Following a series of monthly updates, this malware is now able to exfiltrate critical files and user information, gain administrator rights to the computer it's infecting and take over as an admin user. It also doesn't matter if the computer is a PC or a Mac because Crysis can infect either platform, and once inside a network, it can also attack virtual machines and any server visible to the computer it's on.

Complicating matters, the Crysis malware that's out now doesn't attack any OS vulnerabilities. According to a study by Symantec, the malware is inserted using a Java applet dropper. Normally, Java applets can't access machine resources, but in this case, the attack includes sophisticated social engineering intended to get the machine's user to allow it to have full access to the system.

Once installed on a machine, the Crysis malware can use a variety of self-running files to spread to other machines, including Windows Phone devices and other computers on the same network. Right now, the malware can only attack certain virtual machines (VMs) from VMware, but not other VMs, but there's no reason this can't be extended.

Adding to the misery, the Crysis malware also copies the admin login information for any computer it attacks to its command-and-control server, allowing that machine and others to be attacked as long as the credentials haven't been changed. And if that's not enough, the bad guys have now raised their ransoms from a few hundred bucks to levels well in excess of $20,000. And, of course, there's no assurance that they will actually deliver the decryption keys or remove the malware.

Fortunately, you don't need to pay the ransom to recover, and you don't need to be infected if you're careful and follow some common-sense security guidelines. First, a good anti-malware package will detect the actions of the Crysis malware once it starts trying to infect a computer, even if the initial Java applets go undetected (which is what they're designed to do). Second, you can recover using backups.

Unfortunately, the malware developers aren't resting. "What we see with most malware is that there is furious innovation," said Stu Sjouwerman, CEO of Knowbe4. "They're using Agile development techniques with monthly releases."

The rapid development is a result of competition, Sjouwerman said. "They're adding new features at a very rapid clip because they're fighting for criminal market share."

While new versions of Crysis and other malware products are coming out rapidly, the creators of these packages are doing their best to hide the details, he said. "It is very hard to identify different versions; they're trying to obfuscate those versions" to keep other criminals off balance, he said.


Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel