A Quick Breakdown of CrySIS / Dharma – October 2019

There’s a new variant of CrySIS and Dharma going around. It appears to be very similar to the variant floating around in July, but the toolkit it drops alongside the ransomware payload is a little different. This infection is nasty, and frighteningly efficient.

What Happened

The infection requires a human element, which complicates things. Basically, an attacker gains access through a credential exploit, RDP exploit, or similar and then works to escalate privileges using the toolkit. Once they get administrative access, they target AV where relevant and harvest other credentials. From here, they begin running the payload on profitable-looking machines and shares.

The infection is a bit hard to detect because the human element can adapt to the environment. Products which prevent scripts do nothing, as this isn’t scripted; in the cases I’ve seen it’s a person at the keyboard. They also avoid hitting the whole environment, to further incentivize a payout.

What’s in the Toolkit

The toolkit which drops contains IOBit Unlocker, Process Hacker, Mimikatz, and a few binaries we couldn’t identify. They appeared to be exploit tools and potentially Trojans to compromise the machine. The core ransomware payload is also present. The toolkit typically drops in the compromised user’s “Download” folder.

Each of the tools uses a very generic name which varies depending on the attacker. The main payload I analyzed used short names that were easy for a human to keep track of. “Process Hacker” was PH.exe or P.exe. The other tools were named similarly, or numbered by step.

What Makes the Attack Work

Our attacker was very capable and fast. We use a relatively unknown antivirus product with extremely robust self-protection, but the attacker was able to use a combination of IOBit Unlocker and Process Hacker to break it. The attacker then mined credentials for other systems of interest and jumped to the next targets. They were in and out in a few hours for basically everything. They also targeted a time when there were few staff available at all, let alone looking at security.

The attacker had clearly looked at the site previously and tested the waters first. They also tanked a workstation; this may have been their way in, something they used along the way, or just a convenient target. Doing an audit was near impossible, as they cratered the domain controller in a way they hadn’t hit other targets.

Since there wasn’t a C&C server or similar, the attack is more controlled: you can’t intercept the keys going out if they never go out. The human element gets around even the most advanced security solutions unless they are specifically tuned for it. Most threats these days are automated, but this one isn’t, and that’s what makes it dangerous.

Cost

Judging by the cost, this attack was very personalized and targeted. It worked out to a bit over $30,000. The attacker was most likely foreign with little experience doing this, as most people who target American businesses aim to stay under $10,000 due to the IRS requirements to report income over $10,000. Some will go up to just under $30,000 with larger businesses, which hits up against another soft ceiling from my understanding.

Most previous CrySIS and Dharma ransoms sit around 0.125 to 0.25 BTC for individuals and up to around 0.6 BTC (roughly $5,000) for businesses. This was a very targeted attack, and the attacker apparently wanted to be well paid for their efforts. Had the cost been lower, the organization affected would probably have gone ahead and paid. We ended up just restoring from backup.

What Was Left in the Aftermath

Aside from the ransomed files, the note, and the process displaying the ransom, absolutely nothing else was left behind. They had cleared out some logs and destroyed the antivirus on the targeted machines, but other than that, the attack was pretty clean. This appears to be a shift back to basics: they leave the actual OS alone aside from getting to where they can encrypt it.

An Ounce of Prevention is Worth ~4 BTC

This entire attack propagated across the target machines within about 3 hours. A person was driving, but once they figured out the trick on one machine, they hit everything else all at once. They used RDP and other tools using legitimate accounts. It would have been extremely hard to prevent with what was open.

To secure against this attack, block IOBit Unlocker and Process Hacker and make sure that your antivirus is applied across the site. Limit RDP from the outside world, and ideally, limit it even inside the network. The attack used either an RDP exploit (many of our older run-ins with CrySIS or Dharma ultimately come from RDP exploits), or compromised a user’s credentials. There wasn’t much in the way of forensics when they were done.

Better monitoring would definitely have helped detect it earlier on, but even with an advanced antivirus solution and similar, the attacker used built-in features and (pseudo-)legitimate processes to get the job done. We could block the tools, but only until they change them. Their actions would have been hard to determine as illegitimate when they were testing the waters as well. The user had actually bumped into them, but thought it was a fluke. They had timed their testing to believable times for the user to be on the machine.
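As an added illustration (not code from the original post) of the kind of monitoring rule that would have surfaced this activity earlier: the attacker came in over RDP with legitimate accounts, worked at odd hours, and cleared logs. The script below flags RDP logons (Windows Security event 4624, logon type 10) from non-internal addresses or outside business hours, and any audit-log clearing (event 1102). The event lines are a constructed, simplified key=value format rather than real Windows event XML, and the business-hours window and internal ranges are assumptions to tune per site.

```python
"""Flag RDP-driven, log-clearing behaviour in simplified Windows Security events."""
import ipaddress
from datetime import datetime

# Constructed sample events (simplified key=value form, not real Windows XML).
SAMPLE_EVENTS = """\
time=2019-10-12T02:14:07 id=4624 user=jsmith type=10 ip=203.0.113.45
time=2019-10-12T09:30:12 id=4624 user=jsmith type=10 ip=10.0.5.21
time=2019-10-12T22:41:55 id=4624 user=svc_backup type=10 ip=10.0.5.21
time=2019-10-12T23:02:10 id=1102 user=svc_backup
time=2019-10-12T10:05:00 id=4624 user=mlee type=2 ip=-
"""

# Assumed site-specific tuning: local business hours and internal address space.
BUSINESS_HOURS = range(7, 19)  # 07:00-18:59
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_event(line):
    """Turn one key=value line into a dict."""
    return dict(tok.split("=", 1) for tok in line.split())


def is_external(ip):
    """True if the source address is a valid IP outside the internal ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # "-" or malformed: no usable source address
    return not any(addr in net for net in INTERNAL_NETS)


def analyze(text):
    """Return (rule, user, time) alerts for suspicious RDP use and log clearing."""
    alerts = []
    for line in text.splitlines():
        ev = parse_event(line)
        when = datetime.fromisoformat(ev["time"])
        if ev["id"] == "1102":  # "The audit log was cleared"
            alerts.append(("audit_log_cleared", ev["user"], ev["time"]))
        elif ev["id"] == "4624" and ev.get("type") == "10":  # RemoteInteractive (RDP)
            if is_external(ev["ip"]):
                alerts.append(("external_rdp_logon", ev["user"], ev["time"]))
            if when.hour not in BUSINESS_HOURS:
                alerts.append(("off_hours_rdp_logon", ev["user"], ev["time"]))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(*alert)
```

Name-based blocking of the renamed tools would not have caught this, but an off-hours RDP logon followed by a cleared audit log is exactly the sequence the post describes.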

Better network monitoring might have helped, but even then, the attackers were very careful with what they did, and when. The site had decent monitoring and a decent security setup. More could have been done, but not much that wouldn’t have become an imposition on the client (financially and in terms of convenience) without having experienced this kind of attack previously.

Conclusion

These newer attacks carefully tread the line between legitimate and illegitimate tools to get through. The only real way to handle an attack this sophisticated is restoring from backup. They studied the environment, very deliberately targeted specific machines, and tailored their demands and attack to the business to maximize their chance of a payout. Even though the payload was originally easily detected, that doesn’t help much when the attacker can rip the antivirus off the machine. They chained legitimate tools to build an illegitimate attack.
