Experts have published a detailed description of every stage of an attack using the Ryuk ransomware.
According to specialists at the DFIR Report project, an attack using Ryuk takes 29 hours, from the email sent to the victim to full compromise of the environment and encryption of its systems.
Ryuk attacks were first reported in 2018. At the time, the ransomware was assumed to be the work of North Korean hackers because of its similarity to the Hermes ransomware. Experts later linked Ryuk to Russian hackers instead.
Over the past two years, Ryuk has been used in a large number of cyberattacks against major organizations, including medical facilities during the coronavirus pandemic. In the attacks studied by the DFIR Report specialists, everything starts with a malicious email carrying a link to the Bazar/Kegtap loader, which injects itself into many processes and reconnoiters the infected system using Windows utilities such as nltest and net group, plus the third-party tool AdFind.
The malware then stays dormant for a day, after which it conducts reconnaissance again using the same tools together with Rubeus. The collected data is sent to a server controlled by the attackers, who then begin lateral movement across the network.
The attackers use a variety of methods to compromise additional systems on the network, including WMI, PowerShell remoting, and a Cobalt Strike component transferred over SMB. That component is then used as a pivot point.
Additional components are then installed in the environment and Windows Defender is disabled using PowerShell. A minute after the SMB transfer, Ryuk is executed and encryption begins, with backup servers encrypted first.
According to the DFIR Report, which details every stage of the attack, Ryuk is also transferred to the remaining hosts on the network over SMB and then executed via an RDP connection from the domain controller.
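As an added illustration (not code from the DFIR Report or from this article), the following Python flags the sequence described above, Active Directory discovery with nltest, net group or AdFind followed on the same host by PowerShell disabling Defender, over constructed Sysmon-style process-creation records; the hostnames, timestamps and command lines are invented samples.

```python
import re
from collections import defaultdict

# Constructed process-creation records (Sysmon Event ID 1 style) for illustration only;
# they are not log lines from the DFIR Report.
SAMPLE_EVENTS = [
    {"host": "WS01", "ts": "2020-10-01T09:12:00", "image": r"C:\Windows\System32\nltest.exe",
     "cmdline": "nltest /dclist:corp.local", "parent": r"C:\Windows\explorer.exe"},
    {"host": "WS01", "ts": "2020-10-01T09:12:30", "image": r"C:\Windows\System32\net.exe",
     "cmdline": 'net group "Domain Admins" /domain', "parent": r"C:\Windows\explorer.exe"},
    {"host": "WS01", "ts": "2020-10-01T09:15:00", "image": r"C:\Users\Public\AdFind.exe",
     "cmdline": "AdFind.exe -f objectcategory=computer", "parent": r"C:\Windows\System32\cmd.exe"},
    {"host": "WS01", "ts": "2020-10-02T10:01:00", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell Set-MpPreference -DisableRealtimeMonitoring $true", "parent": r"C:\Windows\System32\cmd.exe"},
    {"host": "FS02", "ts": "2020-10-01T11:00:00", "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net use Z: \\\\fileserver\\share", "parent": r"C:\Windows\explorer.exe"},
]

# Each rule is a behavior tag and a regex applied to the lower-cased command line.
# "net use" is deliberately not matched: only the "net group" enumeration counts as discovery.
RULES = {
    "ad_discovery": re.compile(r"\bnltest(\.exe)?\b|\bnet(1)?(\.exe)?\s+group\b|\badfind(\.exe)?\b"),
    "kerberos_tooling": re.compile(r"\brubeus\b"),
    "defender_tamper": re.compile(r"set-mppreference\s+.*-disable(realtime|behavior|ioav)"),
}

def classify(event):
    """Return the behavior tags whose regex matches this event's command line."""
    cmd = event["cmdline"].lower()
    return [name for name, rx in RULES.items() if rx.search(cmd)]

def stage_hosts(events):
    """Per host, the earliest timestamp at which each behavior was observed."""
    first = defaultdict(dict)
    for ev in sorted(events, key=lambda e: e["ts"]):
        for tag in classify(ev):
            first[ev["host"]].setdefault(tag, ev["ts"])
    return dict(first)

def escalate(events):
    """Hosts where AD discovery precedes Defender tampering, the order the article describes."""
    hits = []
    for host, seen in stage_hosts(events).items():
        if {"ad_discovery", "defender_tamper"} <= seen.keys() and seen["ad_discovery"] < seen["defender_tamper"]:
            hits.append(host)
    return sorted(hits)
```

Correlating the two behaviors per host, rather than alerting on each command alone, keeps ordinary administrative use of nltest or net group from paging anyone.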
“In total, the campaign lasted 29 hours, from the initial launch of Bazar to the execution of the ransomware,” the DFIR Report says.
After encryption, the ransomware demanded a ransom of about 600 bitcoins (about $6 million). Ryuk's operators are, however, willing to negotiate.