Heimdal Security Blog

New Ryuk Ransomware Hacking Techniques Revealed

This year has revealed Ryuk ransomware’s predilection for targeting hosts with Remote Desktop Protocol (RDP) connections exposed on the public Internet. Alongside that, the threat actors’ favourite initial infection vector continues to be targeted phishing emails that deliver the malware.


According to a report issued by Advanced Intelligence (AdvIntel) security researchers, this year, Ryuk ransomware attacks relied more often on compromising exposed RDP connections to gain an initial foothold on a target network.

Additionally, spear phishing was another vector for initial compromise, as well as the use of the BazarCall campaign to distribute malware through malicious call centers. The latter targeted corporate users and directed them to weaponized Excel documents.

AdvIntel has noticed an overall increase of RDP compromise as the initial infection vector across Ryuk-attributed attacks. Threat actors have been observed in the wild employing large-scale brute force and password spraying attacks against exposed RDP hosts to compromise user credentials.
Targeted phishing emails coupled with the support service center calls such as “BazaCall” have also been observed as an initial infection vector in many Ryuk-attributed attacks. This weaponized document will have instructions that tell the user to “enable content” which will activate a macro and enable the document to download a malicious payload through a PowerShell script that is executed through a command prompt.

Source
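The quoted passage describes the two credential attacks seen against exposed RDP hosts: brute force (many passwords against one account) and password spraying (one or two passwords against many accounts). The distinction matters for detection, because a per-account lockout threshold catches the first but not the second. The following is an added example, not code from the Heimdal post or the AdvIntel report: it classifies failed RDP logon records by source address over a sliding time window. The record layout is loosely modelled on Windows Security event 4625 (logon type 10 is RemoteInteractive, i.e. RDP), but the field names, thresholds and sample events are all constructed assumptions.

```python
"""Classify failed RDP logon bursts as brute force or password spraying.

Added example, not from the Heimdal post or the AdvIntel report. The record
layout, field names, thresholds and sample data below are assumptions.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample of failed-logon records. Fields mimic what a Windows
# Security event 4625 exposes; logon_type 10 means RemoteInteractive (RDP).
SAMPLE_EVENTS = [
    # one source hammering a single account: brute force
    *[{"time": f"2021-03-01T10:00:{s:02d}", "user": "administrator",
       "src": "203.0.113.10", "logon_type": 10} for s in range(40)],
    # one source trying many accounts once each: password spraying
    *[{"time": f"2021-03-01T11:00:{i:02d}", "user": f"user{i:02d}",
       "src": "198.51.100.7", "logon_type": 10} for i in range(25)],
    # benign noise: a user mistyping a password twice
    {"time": "2021-03-01T12:00:00", "user": "jdoe", "src": "10.0.0.5", "logon_type": 10},
    {"time": "2021-03-01T12:00:15", "user": "jdoe", "src": "10.0.0.5", "logon_type": 10},
    # a non-RDP failure (network logon), ignored by this detector
    {"time": "2021-03-01T12:01:00", "user": "svc", "src": "10.0.0.9", "logon_type": 3},
]

WINDOW = timedelta(minutes=10)     # assumed analysis window
BRUTE_FORCE_MIN = 20               # assumed: failures for one account from one source
SPRAY_MIN_ACCOUNTS = 10            # assumed: distinct accounts tried from one source


def _parse_time(ts):
    return datetime.fromisoformat(ts)


def classify_failed_logons(events, window=WINDOW):
    """Return {src: finding} for every source whose RDP failures look like
    brute force (one account, many attempts) or spraying (many accounts)."""
    by_src = defaultdict(list)
    for e in events:
        if e["logon_type"] != 10:          # only RDP (RemoteInteractive) failures
            continue
        by_src[e["src"]].append(e)

    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: _parse_time(e["time"]))
        times = [_parse_time(e["time"]) for e in evs]
        brute_users, spray, max_accounts = set(), False, 0
        lo = 0
        for hi in range(len(evs)):
            # advance the window start so evs[lo:hi+1] spans at most `window`
            while times[hi] - times[lo] > window:
                lo += 1
            per_user = Counter(e["user"] for e in evs[lo:hi + 1])
            for user, n in per_user.items():
                if n >= BRUTE_FORCE_MIN:
                    brute_users.add(user)
            max_accounts = max(max_accounts, len(per_user))
            if len(per_user) >= SPRAY_MIN_ACCOUNTS:
                spray = True
        if brute_users or spray:
            findings[src] = {"brute_force": sorted(brute_users),
                             "spray": spray, "accounts": max_accounts}
    return findings


if __name__ == "__main__":
    for src, f in classify_failed_logons(SAMPLE_EVENTS).items():
        print(src, f)
```

The sliding window is per source address, so a spray that touches each account only once still surfaces, while the two mistyped passwords from 10.0.0.5 stay below both thresholds. In production the thresholds should be tuned against the environment’s normal failure rate, and the same grouping should also be run per account across sources, since distributed spraying rotates source addresses.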

Researchers say Ryuk attackers ran reconnaissance on the victim in two stages. The first stage identifies the valuable resources on the compromised domain (network shares, users, Active Directory organizational units). The second gathers information on the company’s revenue, so that the ransom can be set at an amount the victim can afford to pay to recover its systems.

To discover attack paths, Ryuk ransomware operators rely on the tried and tested AdFind (an Active Directory query tool) and on BloodHound, a post-exploitation tool that maps relationships in an Active Directory (AD) domain.

Victims’ financial details come from open-source data. AdvIntel researchers say the attackers use services such as ZoomInfo to look for information about the company’s recent mergers and acquisitions, and other details that help them size the ransom.

The Cobalt Strike post-exploitation tool has become a standard in most ransomware operations, as have scans that reveal the security products, such as antivirus and endpoint detection and response (EDR), defending the network.

New Ryuk Ransomware Techniques

Ryuk ransomware operators engage other cybercriminals to learn about the defenses on the network they are attacking, in order to find a way to disable them.

New Ryuk techniques the researchers observed include KeeThief, an open-source tool for extracting credentials from the KeePass password manager; deployment of a portable version of Notepad++ to run PowerShell scripts on systems where PowerShell execution is restricted; and use of the open-source CrackMapExec penetration-testing tool to extract administrator credentials and move laterally across the victim network.
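Two of the behaviours on this page share a detection angle: the weaponized document in the quoted AdvIntel passage (macro, then a command prompt, then a PowerShell script) and the portable Notepad++ used here to launch PowerShell both produce a PowerShell process whose ancestry is unusual. The following is an added example, not code from the Heimdal post or from AdvIntel: it walks process-creation records, builds the parent chain for every PowerShell process, and flags those that descend from an Office application or that are spawned by a parent outside an assumed baseline of expected launchers. The record layout mimics a Sysmon process-creation event (Event ID 1), but the field names, the baseline list and the sample events are all constructed assumptions.

```python
"""Flag PowerShell processes with Office ancestry or an unexpected parent.

Added example, not code from the Heimdal post or AdvIntel. The record
layout, the parent baseline and the sample events are assumptions.
"""
import ntpath

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Assumed baseline: parents from which PowerShell is normally launched.
EXPECTED_PS_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "pwsh.exe",
                       "services.exe", "svchost.exe", "windowsterminal.exe"}

# Constructed sample of process-creation records (pid, parent pid, image path).
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe"},
    # macro chain: Excel -> cmd.exe -> powershell.exe
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},
    {"pid": 201, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe"},
    {"pid": 202, "ppid": 201, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    # portable editor launching PowerShell from a user-writable location
    {"pid": 300, "ppid": 100, "image": r"D:\tools\npp.portable\notepad++.exe"},
    {"pid": 301, "ppid": 300, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    # benign: user opens PowerShell from the desktop shell
    {"pid": 400, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]


def _name(image):
    """Lower-cased file name of a Windows image path (works on any host OS)."""
    return ntpath.basename(image).lower()


def find_suspicious_shells(events, max_depth=4):
    """Return findings for PowerShell processes whose ancestry (up to
    max_depth parents) includes an Office app, or whose direct parent is
    not in the expected-launcher baseline."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name = _name(e["image"])
        if name not in POWERSHELL:
            continue
        chain = [name]
        office_ancestor = None
        parent = by_pid.get(e["ppid"])
        depth = 0
        while parent is not None and depth < max_depth:
            pname = _name(parent["image"])
            chain.append(pname)
            if pname in OFFICE_APPS:
                office_ancestor = pname
                break
            parent = by_pid.get(parent["ppid"])
            depth += 1
        direct_parent = chain[1] if len(chain) > 1 else None
        lineage = " <- ".join(chain)
        if office_ancestor is not None:
            findings.append({"pid": e["pid"], "reason": "office_macro_chain", "chain": lineage})
        elif direct_parent is not None and direct_parent not in EXPECTED_PS_PARENTS:
            findings.append({"pid": e["pid"], "reason": "unexpected_parent", "chain": lineage})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_shells(SAMPLE_EVENTS):
        print(f)
```

Walking more than one level matters because the macro chain on this page interposes a command prompt between the document and PowerShell, so a rule that only compares the direct parent would miss it. The baseline of expected parents is environment-specific; an editor or other user-mode tool spawning PowerShell is the signal worth reviewing, regardless of how the script is ultimately executed.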

This year, researchers say, Ryuk ransomware attacks have exploited two high-severity vulnerabilities to escalate privileges on a compromised machine.

AdvIntel security researchers recommend the following risk mitigations: