Meet the 'number one prevalent' new ransomware: Crysis

The ransomware gains administrative access on infected machines, allowing it not only to encrypt files but to send data back to a command-and-control server.
By Jessica Davis
10:31 AM

The Crysis ransomware strain doesn't just encrypt files, it can pull them from the network – placing organizations into the "territory of an actual data breach," says one security expert. "Especially in HIPAA-compliant organizations, (that's) an area no one wants to be."

Ransomware has dominated the cybersecurity headlines these past few months, and one of its more recent and advanced variants, Crysis, suggests the threat won't be ending any time soon.

First discovered in February 2016, Crysis is multi-platform, able to infect both Mac and Windows systems. It's also far more insidious than any ransomware seen before, according to Stu Sjouwerman, founder and CEO of KnowBe4, which sells security awareness training paired with simulated phishing attacks.

One of the more alarming things about Crysis is that its advanced code gains administrative control of the target's system, he said.

Once a cybercriminal has that kind of access they can "do more damage," said Sjouwerman.

But his biggest concern is Crysis' ability to collect files and usernames and send them to a command-and-control server. Because the strain copies files and pulls them off the network, an infection is no longer just an outage: it puts the organization into the territory of an actual data breach, and for a HIPAA-regulated organization that is a position no one wants to be in, he said.

It can be hard to keep tabs on these types of ransomware strains, Sjouwerman said. "They compete; they come and go. We were expecting with the sudden demise of TeslaCrypt (a ransomware Trojan) that Locky would take over. But no.

"If you look at the majority of ransomware attacks," he added, "Crysis, at the moment, is the number one prevalent attack."

These attacks first began at financial institutions, and then moved to healthcare. While the next big target is the manufacturing industry, according to Sjouwerman, cybercriminals still have healthcare in their crosshairs and "this is unfortunately going to get a lot worse before it gets better."

"There are no groups immune to ransomware attacks," said Lysa Myers, security researcher for ESET, a security company. "Hospitals can be lucrative targets, and many are still poorly protected. My hope, with all the coverage about hospitals being hit, is that this serves as a wakeup call and motivates hospitals to start performing thorough risk assessments and moving quickly to mitigate those risks."

Backups are the most important step hospitals can take to protect data, according to Myers. And those backups need to be offsite and offline, because an infected machine will try to encrypt every file it can reach, including any backups sitting on network shares.

These backups also have to be current and tested, Sjouwerman said. Many hospitals back up files but never take the extra step of actually restoring them, so they have no way of knowing whether a backup is usable until the moment they need it.

"The human is a weak link of cybersecurity and bad guys are counting on that," Sjouwerman said. "On a board level, it needs to be clear that cybersecurity cannot take the backseat. And they have to open up resources to improve their cybersecurity posture."

"Cybercriminals have realized they're onto something very lucrative," Myers added. "Whether or not attacks increase, they're likely to be around for a very long time. It's good to start beefing up our defenses now because that threat is unlikely to go away for the foreseeable future."

Twitter: @JessieFDavis
Email the writer: jessica.davis@himssmedia.com