Recent attacks by the gang behind the Ryuk ransomware show that the notorious malware has been updated with a new attack vector for gaining initial access to a victim’s network. According to BleepingComputer, “The trend observed in attacks this year reveals a predilection towards targeting hosts with remote desktop connections exposed on the public internet.” The Ryuk gang still seem to favor their usual initial attack vector, however: phishing emails.
Security researchers from the threat intelligence boutique Advanced Intelligence (AdvIntel) observed that Ryuk ransomware attacks this year relied more often on compromising exposed RDP connections to gain an initial foothold on a target network.
The actors have been running “large-scale brute force and password spraying attacks against exposed RDP hosts” to compromise user credentials.
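The brute-force and password-spraying activity described above leaves a trail in the Windows Security log: every failed logon is Event ID 4625, and a failed RDP logon carries Logon Type 10 (RemoteInteractive) together with the Account Name and Source Network Address fields. The following Python is an added example, not code from the original post or from AdvIntel. It reads a constructed, flattened export of such events (event ID, logon type, account, source address) and separates a brute-force pattern (many failures against one account from one source) from a spray pattern (one source touching many accounts a couple of times each). The CSV layout and the thresholds are assumptions; in practice the rows would come from the event log or a SIEM.

```python
from collections import defaultdict

RDP_LOGON_TYPE = "10"          # Logon Type 10 = RemoteInteractive (RDP)
FAILED_LOGON_EVENT = "4625"    # Windows Security event: an account failed to log on

# Assumed thresholds; tune them to the size of the environment.
BRUTE_FORCE_THRESHOLD = 5      # failures against one account from one source
SPRAY_MIN_ACCOUNTS = 5         # distinct accounts tried from one source
SPRAY_MAX_PER_ACCOUNT = 2      # "low and slow": only a few tries per account

# Constructed sample export: event_id,logon_type,account,source_ip
SAMPLE_LOG = """\
4625,10,administrator,203.0.113.7
4625,10,administrator,203.0.113.7
4625,10,administrator,203.0.113.7
4625,10,administrator,203.0.113.7
4625,10,administrator,203.0.113.7
4625,10,administrator,203.0.113.7
4625,3,administrator,203.0.113.7
4625,10,alice,198.51.100.22
4625,10,bob,198.51.100.22
4625,10,carol,198.51.100.22
4625,10,dave,198.51.100.22
4625,10,erin,198.51.100.22
4625,10,frank,192.0.2.10
4624,10,frank,192.0.2.10
"""


def parse_events(text):
    """Turn the flattened export into a list of event dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        event_id, logon_type, account, source_ip = line.split(",")
        events.append({
            "event_id": event_id,
            "logon_type": logon_type,
            "account": account.lower(),
            "source_ip": source_ip,
        })
    return events


def failed_rdp_logons_by_source(events):
    """Count failed RDP logons as source_ip -> account -> failures.

    Network logons (type 3) and successful logons (4624) are ignored so
    that only the exposed-RDP pattern is measured.
    """
    per_source = defaultdict(lambda: defaultdict(int))
    for ev in events:
        if ev["event_id"] == FAILED_LOGON_EVENT and ev["logon_type"] == RDP_LOGON_TYPE:
            per_source[ev["source_ip"]][ev["account"]] += 1
    return per_source


def classify_sources(events):
    """Label each source address as brute_force or password_spray.

    Returns source_ip -> (label, sorted list of accounts involved).
    Sources that match neither pattern are left out.
    """
    findings = {}
    for source_ip, accounts in failed_rdp_logons_by_source(events).items():
        brute_forced = [a for a, n in accounts.items() if n >= BRUTE_FORCE_THRESHOLD]
        if brute_forced:
            findings[source_ip] = ("brute_force", sorted(brute_forced))
            continue
        if (len(accounts) >= SPRAY_MIN_ACCOUNTS
                and max(accounts.values()) <= SPRAY_MAX_PER_ACCOUNT):
            findings[source_ip] = ("password_spray", sorted(accounts))
    return findings


if __name__ == "__main__":
    for ip, (label, accounts) in classify_sources(parse_events(SAMPLE_LOG)).items():
        print(f"{ip}: {label} against {', '.join(accounts)}")
```

The two patterns need different thresholds: a brute-force source is loud against a single account, while a spraying source stays under any per-account lockout limit and is only visible once failures are grouped by source address rather than by account.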
Another attack vector used by the gang recently has been the spear-phishing BazarCall campaign. This campaign saw the attackers distribute malware through malicious call centers that targeted corporate users and directed them to weaponized Excel documents. SaferNet covered that campaign in a recent post.
AdvIntel noted that attacks in 2021 have relied more on scanning for exposed RDP hosts than on phishing.
Researchers stated that the Ryuk gang undertook reconnaissance in two stages. One was to determine what kind of valuable resources are on the compromised domain. The second stage is to find information about the company’s finances, in order to set an appropriate ransom fee for the ransomware.
While searching Active Directory, the Ryuk operators use AdFind, an AD query tool, and the post-exploitation tool BloodHound, which maps relationships in an Active Directory domain to find attack paths.
Getting financial details about the victim relies on open-source data. AdvIntel says that the actors search on services like ZoomInfo for information about the company’s recent mergers and acquisitions and other details that can increase the profitability of the attack.
Additional reconnaissance is carried out using the Cobalt Strike post-exploitation tool, which has become a standard in most ransomware operations, along with scans that reveal the security products, such as antivirus and endpoint detection and response (EDR), defending the network.
Among the other new techniques used by the Ryuk ransomware gang was KeeThief, an open-source tool for extracting credentials from the KeePass password manager.
KeeThief works by extracting key material (e.g. master password, key file) from the memory of a running KeePass process with an unlocked database.
Vitali Kremez, the CEO of AdvIntel, told BleepingComputer that the attackers used KeeThief to bypass EDR and other defenses by stealing the credentials of a local IT administrator with access to EDR software.
Another tactic was to deploy a portable version of Notepad++ to run PowerShell scripts on systems with PowerShell execution restriction, Kremez says.
According to researchers, Ryuk ransomware attacks in 2021 exploit two vulnerabilities, both of which have patches available. These are:
- CVE-2018-8453 – a high-severity (7.8/10) privilege escalation in Windows 7 through 10 and Windows Server 2008 through 2016 that allows running arbitrary code in kernel mode because the Win32k component fails to properly handle objects in memory.
- CVE-2019-1069 – a high-severity (7.8/10) privilege escalation in Windows 10, Windows Server 2016 and Windows Server 2019 caused by the way the Task Scheduler Service validates certain file operations, which enables a hard-link attack.
“Once actors have successfully compromised a local or domain admin account, they distribute the Ryuk payload through Group Policy Objects, PsExec sessions from a domain controller, or by utilizing a startup item in the SYSVOL share”, AdvIntel said.
According to the company, organisations should take the following mitigation steps:
- Detect the use of Mimikatz and the execution of PsExec on the network
- Alert on the presence of AdFind, BloodHound, and LaZagne on the network
- Ensure that operating systems and software have the latest security patches
- Implement multi-factor authentication for RDP access
- Segment the network and apply controls that inspect SMB and NTLM traffic
- Apply the principle of least privilege and routinely review account permissions to prevent privilege creep
- Routinely review Group Policy Objects and logon scripts
- Patch systems against CVE-2018-8453 and CVE-2019-1069
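The first two mitigation items, and the distribution methods AdvIntel describes (PsExec sessions, startup items in SYSVOL) together with the Notepad++/PowerShell trick mentioned earlier, all reduce to a handful of host-level detection rules. The following Python is an added example, not code from the original post or from AdvIntel. It runs those rules over a constructed list of endpoint events: process-creation records with image, parent image and command line (as a Sysmon Event ID 1 or Security Event ID 4688 feed would provide) and service-installation records (System Event ID 7045, which PsExec triggers when it installs its PSEXESVC service on the target). The event dict layout, host names and sample paths are assumptions.

```python
import ntpath
import re

# Name-based signatures for the tools named in the mitigation list. Matching
# the command line as well as the image name catches renamed binaries.
TOOL_SIGNATURES = {
    "adfind": re.compile(r"\badfind\b", re.I),
    "bloodhound": re.compile(r"sharphound|bloodhound", re.I),
    "lazagne": re.compile(r"lazagne", re.I),
    "mimikatz": re.compile(r"mimikatz|sekurlsa::", re.I),
}

# Constructed sample events (assumed layout): "process" records carry
# image/parent/cmdline, "service" records carry service_name/image_path.
SAMPLE_EVENTS = [
    {"kind": "process", "host": "WS01", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "cmd.exe /c dir"},
    {"kind": "process", "host": "WS01", "image": r"C:\Users\jdoe\Downloads\AdFind.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmdline": "AdFind.exe"},
    {"kind": "process", "host": "WS02", "image": r"C:\Temp\SharpHound.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmdline": "SharpHound.exe"},
    {"kind": "process", "host": "WS02",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Users\jdoe\Desktop\npp\notepad++.exe",
     "cmdline": "powershell.exe -File run.ps1"},
    {"kind": "service", "host": "DC01", "service_name": "PSEXESVC",
     "image_path": r"%SystemRoot%\PSEXESVC.exe"},
    {"kind": "process", "host": "WS03",
     "image": r"\\corp.example\SYSVOL\corp.example\scripts\update.exe",
     "parent": r"C:\Windows\System32\userinit.exe", "cmdline": "update.exe"},
    {"kind": "service", "host": "WS03", "service_name": "Spooler",
     "image_path": r"C:\Windows\System32\spoolsv.exe"},
    # Renamed credential-dumping binary: only the command line gives it away.
    {"kind": "process", "host": "WS04", "image": r"C:\Temp\svc.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'svc.exe "sekurlsa::logonpasswords"'},
]


def basename(path):
    """Lower-cased file name of a Windows path (ntpath works on any OS)."""
    return ntpath.basename(path).lower()


def check_process(ev):
    """Return the rule names a process-creation event triggers."""
    hits = []
    image = ev["image"]
    parent = ev.get("parent", "")
    cmdline = ev.get("cmdline", "")
    haystack = f"{basename(image)} {cmdline}"
    for tool, pattern in TOOL_SIGNATURES.items():
        if pattern.search(haystack):
            hits.append(f"tool:{tool}")
    # PowerShell launched by a portable Notepad++ (the execution-restriction bypass).
    if basename(image) == "powershell.exe" and basename(parent) == "notepad++.exe":
        hits.append("powershell_from_notepadpp")
    # An executable running out of the SYSVOL share: review GPOs and logon scripts.
    if "\\sysvol\\" in image.lower() and image.lower().endswith(".exe"):
        hits.append("executable_from_sysvol")
    return hits


def check_service(ev):
    """Return the rule names a service-installation event triggers."""
    if (ev["service_name"].upper() == "PSEXESVC"
            or basename(ev["image_path"]) == "psexesvc.exe"):
        return ["psexec_service"]
    return []


def scan(events):
    """Apply the rules to every event; returns a list of (host, rule) findings."""
    findings = []
    for ev in events:
        hits = check_process(ev) if ev["kind"] == "process" else check_service(ev)
        findings.extend((ev["host"], rule) for rule in hits)
    return findings


if __name__ == "__main__":
    for host, rule in scan(SAMPLE_EVENTS):
        print(f"{host}: {rule}")
```

Name-based rules are cheap and map directly onto the vendor's list, but they are also the easiest to evade by renaming; that is why the command line is searched too, and why the PsExec rule keys on the service installation rather than on the client binary.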
Ryuk is the most notorious ransomware family on the web today and has collected over $150 million in ransoms. Changing tactics is simply a sign of an ever-evolving threat.
As cyberthreats grow every day, it’s important that business owners use up-to-date tools to combat the dangers their businesses face. One of these tools is SaferNet.
SaferNet is the perfect solution to the cybersecurity issues that individuals, families, and businesses face today. It not only connects every device using a secure, always-on, military-grade VPN, but also stops outside cyberthreats, malware and viruses. On SaferNet, all users are protected anywhere in the world, all the time, on any cellular or Wi-Fi network. In addition to SaferNet’s VPN and cyber protection, it also offers a range of employee or parental/family internet controls, including internet filtering, monitoring, scheduling, and blocking access to websites or even entire website categories.
Typically, a business or family would need three separate services for a VPN, malware protection, and internet controls; SaferNet offers all three features in one service. SaferNet truly is an endpoint security presence that can be implemented in minutes around the world, on phones, laptops, tablets, and computers, at an economical price point that caters to businesses and families of all sizes. SaferNet guarantees a smooth setup and installation process that takes only minutes, and an easily accessible control hub for you to monitor all your employees’ or family members’ devices, including activity, time spent online, and threats blocked.