Crysis group spreads the Venus ransomware via RDP connections

July 26, 2023

The Crysis ransomware operators are scouring the internet for vulnerable RDP endpoints in order to distribute the Venus ransomware. Remote Desktop Protocol (RDP) has long been a primary attack vector for many threat actors because it can give an attacker remote access to, or control over, a targeted system.

Several threat actors sell unauthorised access via RDP for about $1,000 on underground forums or dark web marketplaces.

Crysis ransomware group uses dictionary attacks to deploy the Venus ransomware.

According to the investigation, the Crysis ransomware operators use brute-force or dictionary attacks against RDP endpoints exposed to the internet, and once they gain access they install the Venus ransomware.

The attackers first attempted to encrypt a targeted system with Crysis ransomware but failed; their second attempt, this time using Venus, succeeded.

Researchers noted that when Crysis encrypts files, it displays a ransom note containing an onion email address and instructions for contacting the attackers. When Venus is used instead, the message informs the victim that its systems have been compromised and sets a 48-hour deadline for contacting the attackers.

During encryption, the Venus ransomware can terminate various programs, such as databases, email clients, and Office.

Furthermore, researchers noted that RDP attacks can be used to deploy a variety of malware, including scanning tools and account-credential theft tools. A different threat group has also deployed Mimikatz for internal reconnaissance during an RDP attack.

Cybersecurity experts have observed a surge of attacks against unsecured RDP endpoints in recent months. Recently, an investigation revealed a cyberespionage operation in which the attackers spread RDStealer by exploiting remote desktop connections.

Remote Desktop Protocol connections are an essential tool for remote access, which is why attackers relentlessly target them to gain access to and exploit networks.

Organisations can prevent such attacks with straightforward measures: enforcing MFA across all devices and systems, replacing default credentials with strong passwords, and continuously monitoring RDP server logs.
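The last of those measures, monitoring RDP server logs, is where the dictionary attacks described above become visible to a defender. The following is an added example, not code from the article or from any of the researchers it cites. It counts failed RDP logons per source address inside a sliding window and raises a second, higher-severity alert when a successful RDP logon follows a burst of failures from the same address. The Windows Security event IDs 4625 (failed logon) and 4624 (successful logon) and LogonType 10 (RemoteInteractive, i.e. RDP) are real Windows values; the simplified `key=value` log format, the IP addresses, the account names, and the window and threshold values are constructed for the example.

```python
"""Detect RDP password-guessing in (simplified) Windows Security log events.

Added example, not part of the original article. EventID 4625/4624 and
LogonType 10 are real Windows Security log values; the log lines, format,
addresses and thresholds below are constructed sample data.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # look-back window for counting failures (assumed)
THRESHOLD = 5                    # failures per source IP that raise an alert (assumed)
RDP_LOGON_TYPE = "10"            # LogonType 10 = RemoteInteractive (RDP)

# Constructed sample events in a simplified "timestamp key=value ..." form.
SAMPLE_EVENTS = """\
2023-07-20T02:14:01 EventID=4625 LogonType=10 TargetUserName=Administrator IpAddress=203.0.113.45
2023-07-20T02:14:03 EventID=4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.45
2023-07-20T02:14:05 EventID=4625 LogonType=10 TargetUserName=backup IpAddress=203.0.113.45
2023-07-20T02:14:07 EventID=4625 LogonType=10 TargetUserName=scan IpAddress=203.0.113.45
2023-07-20T02:14:09 EventID=4625 LogonType=10 TargetUserName=user1 IpAddress=203.0.113.45
2023-07-20T02:14:12 EventID=4624 LogonType=10 TargetUserName=backup IpAddress=203.0.113.45
2023-07-20T02:30:00 EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.7
2023-07-20T02:30:20 EventID=4624 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.7
2023-07-20T03:00:00 EventID=4625 LogonType=3 TargetUserName=svc_sql IpAddress=10.0.0.12
"""


def parse_event(line):
    """Parse one constructed 'timestamp key=value ...' line into a dict."""
    ts, *fields = line.split()
    event = {"ts": datetime.fromisoformat(ts)}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def detect_rdp_bruteforce(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return a list of alert tuples for RDP brute-force activity.

    ("brute_force", ip, ts)                       -> `threshold` failed RDP logons
                                                     from `ip` inside `window`
    ("success_after_brute_force", ip, user, ts)   -> a successful RDP logon from
                                                     an ip that just hit the threshold
    """
    events = sorted(
        (parse_event(line) for line in log_text.splitlines() if line.strip()),
        key=lambda e: e["ts"],
    )
    failures = defaultdict(deque)   # source IP -> timestamps of recent failures
    alerts = []

    for ev in events:
        # Only RemoteInteractive (RDP) logons matter here; network logons etc. are skipped.
        if ev.get("LogonType") != RDP_LOGON_TYPE:
            continue
        ip = ev["IpAddress"]
        recent = failures[ip]
        # Drop failures that have fallen out of the sliding window.
        while recent and ev["ts"] - recent[0] > window:
            recent.popleft()

        if ev["EventID"] == "4625":
            recent.append(ev["ts"])
            # Alert once, at the moment the threshold is reached.
            if len(recent) == threshold:
                alerts.append(("brute_force", ip, ev["ts"].isoformat()))
        elif ev["EventID"] == "4624" and len(recent) >= threshold:
            # A success right after a burst of failures is the high-severity case.
            alerts.append(
                ("success_after_brute_force", ip, ev["TargetUserName"], ev["ts"].isoformat())
            )
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

On the sample data the single mistyped password from `198.51.100.7` produces no alert, the non-RDP network logon is ignored, and `203.0.113.45` triggers both alerts: the threshold is hit on the fifth failure, and the successful logon as `backup` three seconds later is the event that warrants an immediate response. A real deployment would feed the function from exported Security events (for example via `Get-WinEvent` or a SIEM) rather than from the constructed text.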
