Crysis Ransomware Infects Windows, Mac, and VMware Machines

The Crysis ransomware is quickly yet quietly spreading to businesses across the globe. Even though it is more common and destructive than the Locky ransomware, Crysis has not received nearly as much press attention.

Two traits make Crysis one of the most troublesome ransomware variants:

  • Crysis works on multiple platforms. Crysis can infect Microsoft Windows computers and phones, Apple Macintosh computers, and some VMware virtual machines.
  • A Crysis infection can be considered a data breach. Besides encrypting files for ransom, Crysis sends the infected computer's name and some of its encrypted files to a remote server controlled by cybercriminals, so an infection is not only a loss of availability but also an exfiltration of data. This is particularly problematic for businesses governed by regulations such as the U.S. Health Insurance Portability and Accountability Act (HIPAA) and the EU Data Protection Regulation.

How Crysis Is Spread

Crysis is mainly spread through phishing emails. Sometimes the phishing emails carry attachments with double file extensions (for example, a document-looking extension followed by an executable one), which makes the malicious executables look like harmless, non-executable files. Other times, the phishing emails include URLs that lead to malicious websites.
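The double-extension trick relies on the final, executable extension being overlooked (Windows hides known extensions by default, so a name such as "invoice.pdf.exe" is displayed as "invoice.pdf"). The following screening function is an added example for a mail gateway or attachment filter, not code from the original article; the extension lists and sample attachment names are assumptions constructed for illustration.

```python
import os

# Extensions Windows executes directly; an attachment ending in one of these
# runs as a program no matter what precedes it.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".jse",
                   ".vbs", ".vbe", ".wsf", ".hta", ".pif", ".msi"}

# Extensions a user associates with harmless documents, images or archives.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt",
                 ".jpg", ".png", ".zip"}


def split_extensions(filename):
    """Return every dotted extension of a filename, lowercased, in order.
    'Invoice.pdf.exe' -> ['.pdf', '.exe']"""
    base = os.path.basename(filename)
    parts = base.split(".")
    return ["." + p.lower() for p in parts[1:] if p]


def is_double_extension_lure(filename):
    """True when the attachment really ends in an executable extension but
    carries a document-looking extension immediately before it, the pattern
    the article describes (e.g. 'report.pdf.exe')."""
    exts = split_extensions(filename)
    if len(exts) < 2:
        return False
    return exts[-1] in EXECUTABLE_EXTS and exts[-2] in DOCUMENT_EXTS


def screen_attachments(names):
    """Return the attachment names that should be quarantined for review."""
    return [n for n in names if is_double_extension_lure(n)]


# Constructed sample attachment names, not taken from a real campaign.
SAMPLE_ATTACHMENTS = [
    "Invoice_2016_08.pdf.exe",
    "photo.jpg.scr",
    "quarterly_report.xlsx",
    "setup.exe",
    "notes.txt",
    "scan.doc.js",
]

if __name__ == "__main__":
    for name in screen_attachments(SAMPLE_ATTACHMENTS):
        print("quarantine:", name)
```

Plain executables such as "setup.exe" are deliberately not flagged here; they should be handled by a separate policy that blocks executable attachments outright.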

Cybercriminals are also spreading Crysis by disguising it as an installer for legitimate programs such as WinRAR, Microsoft Excel, and iExplorer. They distribute these fake installers through online download locations and shared network folders.

Another way Crysis is spreading is through self-propagation. It uses a variety of self-running files to spread to other machines, including Windows Phone devices and other computers on the same network.

What Crysis Does

Once on a computer, Crysis uses Advanced Encryption Standard (AES) and Rivest-Shamir-Adleman (RSA) algorithms to encrypt more than 185 file types on fixed drives, removable drives (e.g., USB drives), and network shares. It even encrypts many operating system files, which can make the computer unstable.

After the files are encrypted, Crysis sends the computer's name and a number of encrypted files to a remote server controlled by the cybercriminals. It also delivers a ransom note to the victim. The ransom varies, typically ranging from 0.8 to 1.8 bitcoins. (The exchange rate fluctuates, but a bitcoin is usually worth more than $500 USD.)

On Windows computers, the ransomware deletes any shadow copies made by the Volume Shadow Copy Service so that the victim cannot recover earlier versions of the files. It also creates new registry values that make it run every time the victim logs in to the computer, which makes the ransomware more difficult to remove.

How to Protect Your Business from Crysis

To protect your business from Crysis, it is best to prepare a multilayer defense. The first line of defense is to make sure that all your computers and Windows Phone devices are protected against known threats and vulnerabilities by running anti-malware software and regularly updating the operating system and applications on each device.

The second line of defense is educating employees about the dangers of opening attachments and clicking links in emails from unknown senders. It is also helpful for employees to receive some training on how to spot phishing emails.

The last line of defense is to regularly back up files and systems on your business's computers and test those backups. This will not prevent a Crysis infection and the subsequent data breach, but it can save you from having to pay the ransom.

Contact your IT service provider for help in getting these lines of defense in place. Your IT service provider can also recommend other measures you can take to protect your business from Crysis and other ransomware.