Ryuk Ransomware Operators Uses Pentester Toolkits for Targeted Cybercrime Operations

Nowadays, ransomware attacks have been growing at an increasing rate, and the threat actors are gaining a lot of access to today’s workstations. Recently, the economy has almost stopped, morning commutes end, and traditional offices are already disappeared.

The Advanced Intel group had detected that Ryuk ransomware operators had used pentester toolkit for targeted cybercrime operations, and they have succeeded in their operation.

However, the cybersecurity research team has already detected the kill chain that has been utilized and operated by the threat actors.

The threat actors of Ryuk ransomware have used pure malware, like BazarBackdoor, BazarLoader, and Ryuk. Many intermediate steps are present in the kill chain, which involves all kinds of commercial or open-source tools.

Ryuk “one” Adversaries

  • Average Payment: 48 Bitcoin
  • Largest Confirmed Payment: 2,200 Bitcoin
  • Crime Salary: Over $150 Million in Bitcoin
  • Psychology Type: Tough Negotiator, Rare Leniency
  • Actor Origin: Russian-speaking Eastern Europe
  • Reliability: High

Recent Sector Breach Activities

  • Technology
  • Healthcare
  • Energy
  • Financial services
  • Government

Infect Victims in 15 steps

The operators of the Ryuk ransomware group includes 15 different steps from the initial infection point to the distribution of ransomware payloads upon a victim’s network. And here are the 15 steps through which the operators infect their victims:-

  • Check the domain admin through the “Invoke-DACheck” script
  • Accumulate host passwords through Mimikatz “mimikatz’s sekurlsa::logonpasswords”
  • Return the token and generate a token for the official comment from the Mimikatz command output
  • Analyze the network of the host through “net view.”
  • Portscan for FTP, SSH, SMB, RDP, VNC protocols
  • File accesses on the accessible hosts
  • Upload active directory finder “AdFind” kit with the batch script “adf.bat” from the “net view” and portscanned hosts
  • Demonstrate the antivirus name on the host by the “WMIC” command
  • Upload multi-purpose password restoration tool “LaZagne” to scan the host
  • Extract the password recovery tool
  • Operate ADFind and save outputs
  • Remove AdFind tool artifacts and download outputs
  • Grant net share full access to all during Ryuk ransomware
  • Upload remote execution software “PSExec” and programmed network hosts and uninstall the antivirus product
  • Upload execution batch scripts and the parsed network hosts and operate Ryuk ransomware through PsExec under various compromised users

Detections & Mitigations

According to report, there are some detections and mitigations that users should follow strictly to stay safe, and here they are mentioned below:-

  • Disclosure of Mimikatz execution over the network host.
  • Identify, inform, and flag any surveillance activity using “ipconfig,” “net view,” and “nltest” commands for review.
  • Discover and inform on portscan activity inside the network.
  • Identify and warn regarding PsExec execution over the network.
  • Identify and inform WMIC commands for all the antivirus products.
  • Detect and inform AdFinder and LazaGne toolset that is present inside the environment.
  • Discover and alert on net share/GRANT: Everyone, FULL commands.

Apart from this, the security experts also affirmed that if any victim or users need optimum protection, then they should use the virtual home offices, especially those operating in the C-suite, to reconsider segmenting home networks.

You can follow us on LinkedinTwitterFacebook for daily Cyber security and hacking news updates.

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.