HKCert
  

CrySIS/Dharma-variant .arena Ransomware Encrypts Victim Data

Release Date: 24 / 10 / 2017
Last Update: 24 / 10 / 2017
Risk Level:  


HKCERT has received a number of infection reports of the Crysis/Dharma ransomware variant, mostly by taking total control of the server through the Remote Desktop Service (RDP) on Windows platform.

 

Impacts

  • The ransomware encrypts files on victims’ computers and adds an ID, email address and .arena file extension to them, i.e. [Original filename and extension].id-[ID].[email address].arena .
  • Files on network drives are affected.
  • Data will be unrecoverable due to encryption by ransomware.

Note:

Do not confuse it with another CryptoMix variant which also appends .arena to the encrypted files as the file extension. To distinguish between them, the CryptoMix variant changes the filenames into some random alphanumeric strings upon infection. The ransom notes also differ in content.

  • Denial of Service

For general users/ companies,

If infected:

  • Isolate the infected computer immediately from the network, and disconnect from external storage.
  • Isolate other computers and file servers from the network immediately. The quickest way is to turn off the network switch.
  • Do not open any file before removing the malware.
  • We do not recommend paying the ransom.

 

For prevention:

  • Perform offline backup (i.e. backup in another storage device, disconnect it after backup).
  • Apply control to the Remote Desktop Service (RDP):
    - Do not open the Remote Desktop Service of the workstation to the Internet unless necessary.
    - Restrict only specific IP(s) to access the RDP-enabled workstation.
    - Limit the time period allowed for remote connection, e.g. not allowing non-office-hour connection.
    - Apply the least privilege principle to the account(s) that can remotely access the workstation. Do not grant the admin right unless necessary.
    - Use a complex password and change it frequently.
    - Consider using VPN solution, preferrably with two-factor authentication (2FA) function, to secure the logon process and connection.
    - If the workstation requires third party management like vendor support, liaise with the third party to implement secure channels for remote connection.
  • Do not open links and attachment in any suspicious emails.
  • Ensure that your computer have baseline protection, i.e. enable and run Windows Update, install anti-virus application with signature updated, enable Windows Firewall.

 

For third parties like vendors,

  • If remote management is required, proactvely remind your clients to apply controls to their remote desktop service.
  • Perform hardening to your workstations that are used to connect to the client site.