Ryuk Ransomware Operators Use Pentester Toolkits for Targeted Cybercrime Operations

Ransomware attacks are growing at an increasing rate, and threat actors are gaining access to a great many of today's workstations. With the economy nearly at a standstill, morning commutes ended, and traditional offices emptied, much of that access now runs through home networks.

The Advanced Intel group detected that Ryuk ransomware operators used a pentester toolkit for targeted cybercrime operations, and that those operations succeeded.

The cybersecurity research team has also reconstructed the kill chain that the threat actors used.

The Ryuk threat actors use malware proper (BazarBackdoor, BazarLoader, and Ryuk itself) only at a few points; the many intermediate steps of the kill chain rely on commercial and open-source tools of every kind.

Ryuk “one” Adversaries

  • Average Payment: 48 Bitcoin
  • Largest Confirmed Payment: 2,200 Bitcoin
  • Crime Salary: Over $150 Million in Bitcoin
  • Psychology Type: Tough Negotiator, Rare Leniency
  • Actor Origin: Russian-speaking Eastern Europe
  • Reliability: High

Recent Sector Breach Activities

  • Technology
  • Healthcare
  • Energy
  • Financial services
  • Government

Infecting Victims in 15 Steps

The Ryuk ransomware operation comprises 15 steps, from the initial point of infection to the distribution of the ransomware payload across a victim's network. These are the 15 steps through which the operators infect their victims:

  • Check for domain admin privileges through the "Invoke-DACheck" script
  • Harvest host passwords with Mimikatz ("sekurlsa::logonpasswords")
  • Parse the Mimikatz command output and generate a token for the legitimate account
  • Enumerate the host's network through "net view"
  • Port scan for the FTP, SSH, SMB, RDP, and VNC protocols
  • Access files on the reachable hosts
  • Upload the Active Directory enumeration tool "AdFind" with the batch script "adf.bat" to the hosts found through "net view" and the port scan
  • Identify the antivirus product on the host with a "WMIC" command
  • Upload the multi-purpose password recovery tool "LaZagne" and scan the host
  • Extract the password recovery tool
  • Run AdFind and save the output
  • Remove the AdFind tool artifacts and download the output
  • Grant full net share access to all for the Ryuk ransomware deployment
  • Upload the remote execution tool "PsExec" and the parsed network host list, and uninstall the antivirus product
  • Upload the execution batch scripts and the parsed network host list, and run Ryuk ransomware through PsExec under various compromised user accounts

Detections & Mitigations

According to the report, these are the detections and mitigations that defenders should follow to stay safe:

  • Detect Mimikatz execution on network hosts.
  • Identify, alert on, and flag for review any reconnaissance activity using the "ipconfig," "net view," and "nltest" commands.
  • Detect and alert on port scan activity inside the network.
  • Identify and alert on PsExec execution across the network.
  • Identify and alert on WMIC commands that query antivirus products.
  • Detect and alert on the AdFind and LaZagne tools being present inside the environment.
  • Detect and alert on "net share /GRANT:Everyone,FULL" commands.
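The detection bullets above, and the tooling named in the 15-step chain they map to, can be expressed as a small set of rules over process-creation and network-connection telemetry. The following is an added example written for this page; it is not code from the article or from Advanced Intel. The record layout is an assumption (process records carry "host", "user" and "cmd", the full command line; connection records carry "src", "dst" and "dport"), the port-scan threshold of five hosts is an assumed tuning value, and all sample records are constructed for illustration. Beyond the per-tool rules, it correlates hits per host, since several kill-chain stages on one machine are a stronger signal than any single tool.

```python
"""Detection logic for the Ryuk tooling listed in the report.

Added example, not code from the article or from Advanced Intel. Record
layouts and the port-scan threshold are assumptions; sample data is constructed.
"""
import re
from collections import defaultdict

# One rule per detection bullet in the report: (rule name, pattern over the
# command line). Case-insensitive, as Windows tooling is.
PROCESS_RULES = [
    ("mimikatz_logonpasswords", re.compile(r"sekurlsa::logonpasswords", re.I)),
    ("recon_command",
     re.compile(r"\b(?:ipconfig|nltest)(?:\.exe)?\b|\bnet(?:\.exe)?\s+view\b", re.I)),
    ("psexec_execution", re.compile(r"\bpsexec(?:\.exe)?\b", re.I)),
    ("wmic_antivirus_query", re.compile(r"\bwmic(?:\.exe)?\b.*antivirusproduct", re.I)),
    ("adfind_or_lazagne", re.compile(r"\b(?:adfind|adf\.bat|lazagne)\b", re.I)),
    ("net_share_grant_everyone",
     re.compile(r"\bnet(?:\.exe)?\s+share\b.*/GRANT:\s*Everyone\s*,\s*FULL", re.I)),
]

# Ports the report says the operators scan: FTP, SSH, SMB, RDP, VNC.
SCAN_PORTS = {21, 22, 445, 3389, 5900}
# Assumed threshold: one source touching this many distinct hosts on scan ports.
SCAN_MIN_HOSTS = 5


def match_process_events(events):
    """Return (host, rule_name, cmd) for each process record that hits a rule."""
    hits = []
    for ev in events:
        for name, pattern in PROCESS_RULES:
            if pattern.search(ev["cmd"]):
                hits.append((ev["host"], name, ev["cmd"]))
    return hits


def detect_portscans(conns, min_hosts=SCAN_MIN_HOSTS):
    """Map each source that probed >= min_hosts distinct hosts on scan ports
    to the sorted list of hosts it touched."""
    targets = defaultdict(set)
    for c in conns:
        if c["dport"] in SCAN_PORTS:
            targets[c["src"]].add(c["dst"])
    return {src: sorted(dsts) for src, dsts in targets.items() if len(dsts) >= min_hosts}


def hosts_with_chain(hits, min_rules=3):
    """Hosts on which at least min_rules *different* rules fired, i.e. several
    stages of the kill chain observed on one machine."""
    rules_by_host = defaultdict(set)
    for host, name, _cmd in hits:
        rules_by_host[host].add(name)
    return sorted(h for h, names in rules_by_host.items() if len(names) >= min_rules)


# Constructed sample telemetry (not real incident data).
SAMPLE_PROCESS_EVENTS = [
    {"host": "WS01", "user": "jdoe", "cmd": 'mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit'},
    {"host": "WS01", "user": "jdoe", "cmd": "net view /all"},
    {"host": "WS01", "user": "jdoe", "cmd": "nltest /dclist:"},
    {"host": "WS01", "user": "jdoe",
     "cmd": r"wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName"},
    {"host": "WS01", "user": "jdoe", "cmd": "cmd.exe /c adf.bat"},
    {"host": "SRV02", "user": "svc_backup", "cmd": r"net share C$=C:\ /GRANT:Everyone,FULL"},
    {"host": "SRV02", "user": "svc_backup", "cmd": r"PsExec.exe \\SRV03 -accepteula -d -c run.bat"},
    {"host": "SRV03", "user": "alice", "cmd": r"net use Z: \\FS01\share"},  # benign
    {"host": "SRV03", "user": "alice", "cmd": r"notepad.exe C:\Users\alice\notes.txt"},  # benign
]

SAMPLE_CONNECTIONS = (
    # One source sweeping seven hosts on every scan port: a port scan.
    [{"src": "10.0.0.5", "dst": f"10.0.0.{i}", "dport": p}
     for i in range(10, 17) for p in sorted(SCAN_PORTS)]
    # Ordinary traffic: a file-share mount and an HTTPS session.
    + [{"src": "10.0.0.20", "dst": "10.0.0.30", "dport": 445},
       {"src": "10.0.0.20", "dst": "10.0.0.31", "dport": 443}]
    # An admin reaching three servers over RDP: below the threshold.
    + [{"src": "10.0.0.21", "dst": f"10.0.0.{i}", "dport": 3389} for i in (40, 41, 42)]
)


if __name__ == "__main__":
    hits = match_process_events(SAMPLE_PROCESS_EVENTS)
    for host, rule, cmd in hits:
        print(f"[{rule}] {host}: {cmd}")
    print("port scans:", detect_portscans(SAMPLE_CONNECTIONS))
    print("hosts with >=3 chain stages:", hosts_with_chain(hits))
```

On the constructed sample, every rule fires at least once, the two benign commands on SRV03 produce no hits, WS01 is the only host with three or more distinct stages, and only the sweeping source is reported as a port scan. In production the same rules would sit on Sysmon or EDR process-creation events and firewall or NetFlow records, and the threshold and per-host correlation window would be tuned to the environment.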

Apart from this, the security experts also advised that users working from virtual home offices, especially those in the C-suite, should reconsider segmenting their home networks if they want optimum protection.


Balaji N

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
