Multi-Stage Attack Campaigns; This Time Ryuk Delivers the FInal Blow

Various attack campaigns have been spotted waiting two weeks after a successful TrickBot infection before deploying the Ryuk ransomware in the final stage.

The scoop

Activity logs on a server compromised by the TrickBot trojan revealed that the handlers took an average waiting period of two weeks to move to valuable hosts before deploying the Ryuk ransomware.

What does this imply?

  • Each machine is profiled to extract the maximum amount of sensitive information. With this, the operators are able to gain complete control of the networks and infiltrate as many hosts as possible.
  • After reconnaissance and pivoting, Ryuk is dropped and deployed to all machines using Microsoft’s PsExec tool for proper remote execution.

Know your TrickBot facts

  • It is the successor of Dyre; initially focusing on banking fraud. Lately, it has upgraded to targeting enterprise environments.
  • TrickBot conducts campaigns using the CloudApp folder. After taking into account every infection, a task is issued to run Cobalt Strike’s DACheck script.
  • This is followed by the impersonation as SYSTEM and run Mimikatz.
  • The IOCs can be found here.

The swan song

  • Ryuk is deployed as the final money-making deathblow.
  • It is deployed at the end of the attack chain since dropping crypto-locking malware is a noisy process and might alert the organization of the attacker’s presence.
  • Ryuk and trickBot have made appearances together in June 2019. Along with Emotet, the trifecta has targeted a Floridian municipality.

The bottom line is that ransomware operators continue to upgrade their skills and bring on new tactics to unleash havoc. However, organizations should take steps to prevent a ransomware attack in the first place by taking proactive steps to bolster their defenses.