Intro

The Ryuk group went from an email to domain wide ransomware in 29 hours and asked for over $6 million to unlock our systems. They used tools such as Cobalt Strike, AdFind, WMI, vsftpd, PowerShell, PowerView, and Rubeus to accomplish their objective.

Ryuk has been one of the most proficient ransomware gangs in the past few years, with the FBI claiming $61 million USD having been paid to the group as of February 2020. Earlier in the year, the group grew a little quiet, but that seems to have changed in the past few weeks, with incidents like what occurred at UHS hospitals.

Case Summary

In this case, the actions began via a loader malware known as Bazar/Kegtap. Reports indicate an email delivery via malspam, which has been creeping up in volume over the month of September.

From the initial execution of the payload, Bazar injects into various processes including explorer.exe and svchost.exe, as well as, spawning cmd.exe processes. The initial goal of this activity was to run discovery using built in Windows utilities like nltestnet group, and the 3rd party utility AdFind.

After the initial discovery activity the Bazar malware stayed relatively quiet, until a second round of discovery the following day. Again, the same tools were employed in the second round of discovery, plus Rubeus. This time the discovery collection was exfiltrated via FTP to a server hosted in Russia. Next, the threat actor began to move laterally.

It took a few attempts, using various methods, from remote WMI, to remote service execution with PowerShell, until finally landing on Cobalt Strike beacon executable files transferred over SMB to move around the environment. From here forward, the threat actors relied on a Cobalt Strike beacon running on a domain controller as their main operations point.

After picking the most reliable method to move through the environment, the threat actor then proceeded to establish beacons across the enterprise. In preparation for their final objectives, they used PowerShell to disable Windows Defender in the environment.

The server utilized for backups in the domain was targeted first for encryption, with some further preparation completed on the host. However, once the Ryuk ransom executable was transferred over SMB from their domain controller (DC) pivot, it only took one minute to execute it.

At this point Ryuk was transferred to the rest of the hosts in the environment via SMB and executed through an RDP connection from the pivot domain controller. In total, the campaign lasted 29 hours–from initial execution of the Bazar, to domain wide ransomware. If a defender missed the first day of recon, they would have had a little over 3 hours to respond before being ransomed.

The threat actors requested 600+ bitcoins, which have a market value of around 6+ million USD.

Timeline

Ryuk’s Return

For a full breakdown of the technical details and threat actor tactics, techniques, and procedures continue into the MITRE ATT&CK breakdown.

[출처 : The DFIR Report / 10.08.]