CrySIS ransomware continues to upgrade its capabilities

January 27, 2023
CrySIS Ransomware Capabilities Malware

The CrySIS ransomware family has evolved into newer versions, allowing it to remain active in the cybercriminal landscape.

Its operators have continued to repurpose and use new versions despite the leak of the source code of one of its variants. The ransomware has therefore stayed afloat, and researchers continue to encounter new variants of this family.

CrySIS operators exploit exposed RDP servers and also use phishing attacks to gain access to targeted devices. Their phishing emails commonly carry malicious attachments disguised as installation files for legitimate software.

The CrySIS ransomware operators usually make only minor alterations in its new variants.

According to investigations, multiple CrySIS ransomware variants have slight changes compared to their previous versions. Most of these changes are in the ransom notes and file extensions.

Moreover, some of the new variants set the console to code page 1251 after execution, which lets the ransomware display Cyrillic text. The latest variants also delete the device's shadow copies to obstruct recovery attempts.

In addition, an extra copy of the ransomware is placed in the admin's Startup folder so that it survives a system restart that occurs before encryption. The extension appended to encrypted files indicates which actor operated the ransomware. Currently, the confirmed file extensions from the attackers include [.]CY3, [.]mao and [.]d0n.

After encryption, the ransomware actors use MSHTA (mshta.exe) to process and display a file containing the ransom information. Copies of this file are kept in four separate locations. Despite numerous variations, all ransom notes include a way to contact the attackers.

Furthermore, the Info[.]hta file is accompanied by a separate file called info[.]txt, which contains a shortened set of instructions for contacting the attackers. A copy of this file is also stored in several locations.
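The behaviours described above (switching the console to code page 1251, deleting shadow copies, copying the binary into the Startup folder, launching the ransom note through mshta.exe, and the confirmed encrypted-file extensions) can be turned into simple correlation rules over process-creation telemetry. The following Python script is an added example written for this page; it is not code from the original post or from the researchers cited. It assumes a constructed pipe-separated event format, assumes the code page is set with `chcp 1251` and shadow copies are removed with `vssadmin` or `wmic` (the post only states that these actions happen, not the commands used), and the sample events are constructed, not real telemetry.

```python
import re

# Constructed sample process-creation events (not real telemetry).
# Field layout (assumed): timestamp | host | parent image | image | command line
SAMPLE_EVENTS = [
    "2023-01-27T10:02:11Z|WS01|explorer.exe|C:\\Users\\admin\\Downloads\\setup.exe|setup.exe",
    "2023-01-27T10:02:13Z|WS01|setup.exe|C:\\Windows\\System32\\cmd.exe|cmd.exe /c chcp 1251",
    "2023-01-27T10:02:15Z|WS01|setup.exe|C:\\Windows\\System32\\vssadmin.exe|vssadmin delete shadows /all /quiet",
    "2023-01-27T10:02:20Z|WS01|setup.exe|C:\\Windows\\System32\\cmd.exe|"
    "cmd.exe /c copy setup.exe \"C:\\Users\\admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\setup.exe\"",
    "2023-01-27T10:09:41Z|WS01|setup.exe|C:\\Windows\\System32\\mshta.exe|mshta.exe C:\\Users\\admin\\Desktop\\Info.hta",
    "2023-01-27T10:15:00Z|WS02|explorer.exe|C:\\Windows\\System32\\notepad.exe|notepad.exe report.txt",
]

# Encrypted-file extensions confirmed in the post.
CRYSIS_EXTENSIONS = (".cy3", ".mao", ".d0n")

# Behaviour rules: name -> regex applied to the command line (case-insensitive).
# The exact commands (chcp, vssadmin, wmic) are assumptions; the post only
# describes the resulting behaviour.
RULES = {
    "cyrillic_codepage": re.compile(r"\bchcp\s+1251\b", re.I),
    "shadow_copy_deletion": re.compile(
        r"\bvssadmin(\.exe)?\s+delete\s+shadows\b|\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I
    ),
    "startup_folder_copy": re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I),
    "mshta_ransom_note": re.compile(r"\bmshta(\.exe)?\b.*\.hta\b", re.I),
}


def parse_event(line):
    """Split one pipe-separated event into a dict; the command line may itself contain '|'."""
    ts, host, parent, image, cmdline = line.split("|", 4)
    return {"ts": ts, "host": host, "parent": parent, "image": image, "cmdline": cmdline}


def match_rules(event):
    """Return the names of all behaviour rules whose regex hits the event's command line."""
    return [name for name, rx in RULES.items() if rx.search(event["cmdline"])]


def score_hosts(lines):
    """Collect the set of distinct CrySIS-like behaviours observed per host."""
    hosts = {}
    for line in lines:
        event = parse_event(line)
        hosts.setdefault(event["host"], set()).update(match_rules(event))
    return hosts


def flag_hosts(lines, threshold=2):
    """Flag hosts showing at least `threshold` distinct behaviours; a single hit
    (e.g. an admin running vssadmin) is too noisy on its own to alert on."""
    return sorted(host for host, hits in score_hosts(lines).items() if len(hits) >= threshold)


def is_crysis_extension(filename):
    """True if the file carries one of the confirmed CrySIS extensions (.CY3, .mao, .d0n)."""
    return filename.lower().endswith(CRYSIS_EXTENSIONS)


if __name__ == "__main__":
    for host, hits in score_hosts(SAMPLE_EVENTS).items():
        print(f"{host}: {sorted(hits)}")
    print("flagged:", flag_hosts(SAMPLE_EVENTS))
    print("budget.xlsx.CY3 ->", is_crysis_extension("budget.xlsx.CY3"))
```

The threshold of two distinct behaviours per host is a design choice: any single rule (a shadow-copy deletion during maintenance, an mshta.exe launch from a legitimate HTA application) is a plausible false positive, but the combination within one host is far more specific to the post-compromise sequence the post describes. In a real deployment the events would come from Sysmon Event ID 1 or EDR process telemetry rather than the constructed list.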

Since new malware strains appear frequently, AV solutions should add behaviour-based detection to traditional signature-based protection. Organisations should also review the location, frequency and security of their data backups to address the evolving threat of ransomware attacks.
