In a recent trend, Ryuk ransomware operators have been discovered to be preferring hosts with RDPs exposed on the public internet. In addition, the group is using targeted phishing emails to spread its malware and gain initial access to the target network.

What is happening?

Security researchers from AdvIntel discovered that Ryuk ransomware attacks are now mostly using exposed RDP connections to gain an initial foothold inside a targeted network.
  • The ransomware operators are running large-scale brute force and password spraying attacks aimed at exposed RDP hosts to compromise user credentials.
  • They are using spear-phishing and BazaCall malware to propagate malware using malicious call centers that target and direct corporate users to weaponized Excel documents. Furthermore, the use of AdFind (an AD query tool) and Bloodhound (a post-exploitation tool) was observed.
  • In addition, the operators conduct reconnaissance on the victim in two stages. The first stage is to find out valuable resources on the compromised domain (such as users, network shares, Active Directory Organization Units).
  • The second stage involves finding out information about the targeted organization’s revenue to decide a ransom amount that the victim will be able to pay to recover its systems.

Newer EDR bypass techniques

Ryuk operators are engaging other cybercriminals to learn about the defenses of targeted networks and how to disable them. Moreover, they have used other novel techniques, as well, in their recent attacks.
  • The attackers used KeeThief, an open-source tool, to steal the credentials of a local IT administrator with access to EDR software to bypass that and other defenses.
  • In addition, the attackers have been discovered to be deploying a portable Notepad++ software to execute PowerShell scripts on systems restricting the execution of the PowerShell scripts.

Exploitation of known vulnerabilities

According to AdvIntel, the operators are exploiting two known vulnerabilities to increase their permissions on an infected machine. Both the flaws have patches available for them.
  • CVE-2018-8453: A privilege escalation flaw that exists in Windows 7, 10, and Windows Server 2008 through 2016.
  • CVE-2019-1069: A privilege escalation flaw that exists in Windows 10, and Windows Server 2016 and 2019 versions.


Ryuk ransomware operators are continuously improving their capabilities by adding new tools and vulnerabilities to their arsenal. Therefore, it is important to continuously monitor this threat and share all relevant IOCs to stay protected.

Cyware Publisher