Operators of the Ryuk Ransomware Have Modified Their Attack Techniques.
Threat Actors | 3rd of May, 2021 | Hacker News – Cyware Alerts
In a recent trend, Ryuk ransomware operators have been observed to prefer hosts with RDP exposed on the public internet. In addition, the group is gaining initial access to target networks and spreading malware through targeted phishing emails.
What is happening?
- Ryuk ransomware attacks are now often using exposed RDP connections to gain an initial foothold within a targeted network, according to security researchers from AdvIntel.
- To compromise user accounts, the ransomware operators are conducting large-scale brute force and password spraying attacks against exposed RDP hosts.
- They also use spear-phishing and BazaCall malware, spread through malicious call centres that target corporate users and steer them towards weaponized Excel documents. There was also evidence of the use of AdFind (an AD query tool) and Bloodhound (a post-exploitation tool).
- In addition, the operators perform two stages of reconnaissance on the victim. The first stage is to search the compromised domain for useful resources (such as users, network shares and Active Directory organizational units).
- The second stage entails obtaining information about the targeted organization’s income, in order to set a ransom sum that the victim would be able to pay to regain access to its networks.
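As an added example (not from the article or from AdvIntel's report), the following Python sketch shows how a defender can tell the two RDP credential attacks described above apart in Windows Security logs: it counts failed logons (event 4625, logon type 10 = RemoteInteractive/RDP) per source address and flags one account hit many times as brute force and many accounts hit a few times each as password spraying. The log lines and thresholds are constructed for illustration.

```python
# Added example (not from the article): flag password spraying and brute
# force against exposed RDP hosts by counting Windows Security event 4625
# (failed logon) per source IP. Log lines below are constructed, in a
# simplified "EventID key=value ..." form, not real Event Log output.
from collections import defaultdict

SAMPLE_LOG = (
    ["4625 IpAddress=203.0.113.7 TargetUserName=Administrator LogonType=10"] * 40
    + [f"4625 IpAddress=198.51.100.9 TargetUserName=user{i:02d} LogonType=10"
       for i in range(25)]
    + ["4625 IpAddress=192.0.2.5 TargetUserName=jdoe LogonType=10"] * 2
    + ["4625 IpAddress=198.51.100.9 TargetUserName=svc_backup LogonType=3",
       "4624 IpAddress=192.0.2.5 TargetUserName=jdoe LogonType=10"]
)

def parse_event(line):
    """Split one constructed log line into (event_id, source_ip, user, logon_type)."""
    event_id, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return event_id, kv["IpAddress"], kv["TargetUserName"], int(kv["LogonType"])

def analyze_failed_logons(lines, brute_force_threshold=20, spray_threshold=10):
    """Return {source_ip: verdict} for failed RDP logons (4625, LogonType 10).

    'brute_force'       : one account hit >= brute_force_threshold times
    'password_spraying' : >= spray_threshold distinct accounts, < 3 tries each
    'normal'            : anything else (e.g. a user mistyping a password)
    Thresholds are illustrative; tune them to the host's own baseline.
    """
    attempts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        event_id, src, user, logon_type = parse_event(line)
        if event_id != "4625" or logon_type != 10:   # only RDP failures count
            continue
        attempts[src][user.lower()] += 1

    verdicts = {}
    for src, per_user in attempts.items():
        total, distinct = sum(per_user.values()), len(per_user)
        if max(per_user.values()) >= brute_force_threshold:
            verdicts[src] = "brute_force"
        elif distinct >= spray_threshold and total / distinct < 3:
            verdicts[src] = "password_spraying"
        else:
            verdicts[src] = "normal"
    return verdicts

if __name__ == "__main__":
    for src, verdict in sorted(analyze_failed_logons(SAMPLE_LOG).items()):
        print(f"{src}: {verdict}")
```

In production the same logic would be fed from the Security channel (for example via Get-WinEvent or a SIEM query) rather than from constructed lines.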
Newer EDR bypass techniques
- Ryuk operators are collaborating with other cybercriminals to learn about targeted network protections and how to circumvent them. In addition, in recent attacks, they have used other novel techniques.
- To get around EDR software and other protections, the attackers used KeeThief, an open-source tool, to steal the credentials of a local IT administrator who had access to that software.
- Furthermore, the attackers were discovered to be using a portable Notepad++ programme to run PowerShell scripts on systems that did not allow PowerShell scripts to run.
Exploitation of known vulnerabilities
According to AdvIntel, the operators are escalating their privileges on an infected computer by exploiting two known vulnerabilities. Patches are available for both flaws.
- CVE-2018-8453: A privilege escalation flaw that exists in Windows 7, 10, and Windows Server 2008 through 2016.
- CVE-2019-1069: A privilege escalation flaw that exists in Windows 10, and Windows Server 2016 and 2019 versions.
Ryuk ransomware operators are continuously improving their capabilities by adding new tools and vulnerabilities to their arsenal. Therefore, it is important to continuously monitor this threat and share all relevant IOCs to stay protected.