According to reports from CrowdStrike and FireEye, since last August a new Ryuk ransomware campaign has earned nearly $4 million by installing its malicious encryption software only on previously infected targets with deep pockets. The researchers found that the operators selectively deploy the ransomware on targets that are already infected and financially strong, which is different from the common strategy of infecting every possible victim with ransomware.
FireEye reports, “this campaign was widely distributed primarily to organizations in the United States, and across diverse industries including government, financial services, manufacturing, service providers, and high-tech. Once a victim opened the attachment and enabled macros, it downloaded and executed an instance of the TrickBot malware from a remote server.”
In contrast, small businesses are rarely hit with Ryuk after being infected with TrickBot. CrowdStrike calls this method “big-game hunting”, and since August last year its operators have already earned $3.7 million in bitcoin across 52 transactions.
CrowdStrike researcher Alexander Hanel wrote:
Some of TrickBot’s modules (such as pwgrab) could aid in recovering the credentials needed to compromise environments — the SOCKS module in particular has been observed tunneling PowerShell Empire traffic to perform reconnaissance and lateral movement. Through CrowdStrike IR engagements, GRIM SPIDER has been observed performing the following events on the victim’s network, with the end goal of pushing out the Ryuk binary:
- An obfuscated PowerShell script is executed and connects to a remote IP address.
- A reverse shell is downloaded and executed on the compromised host.
- PowerShell anti-logging scripts are executed on the host.
- Reconnaissance of the network is conducted using standard Windows command line tools along with external uploaded tools.
- Lateral movement throughout the network is enabled using Remote Desktop Protocol (RDP).
- Service User Accounts are created.
- PowerShell Empire is downloaded and installed as a service.
- Lateral movement is continued until privileges are recovered to obtain access to a domain controller.
- PSEXEC is used to push out the Ryuk binary to individual hosts.
- Batch scripts are executed to terminate processes/services and remove backups, followed by the Ryuk binary.
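The chain quoted above is a sequence of observable host and network events, which makes it a natural candidate for log correlation. The following example, added here and not code from CrowdStrike, FireEye or the article, maps constructed Windows log records onto the stages of that chain (encoded or hidden-window PowerShell, RDP logons, new account creation, PsExec service installation) and flags a host set where several distinct stages appear. The event IDs used (4688 process creation, 4624 logon with type 10 for RDP, 4720 user account created, 7045 service installed) are standard Windows Security/System log IDs; the record layout, field names and sample values are constructed assumptions for the example, not real telemetry.

```python
"""Correlate simplified Windows event records against the intrusion chain
described in the quoted CrowdStrike write-up.

Example code added for this article; not CrowdStrike's or FireEye's tooling.
The dict-per-record layout and the sample events are constructed, not real EVTX data.
"""
import re
from collections import defaultdict

# Constructed sample events. The base64 blob is a dummy value, not a real payload.
SAMPLE_EVENTS = [
    {"id": 4688, "host": "WS01", "user": "jdoe",
     "cmd": "powershell.exe -NoP -W Hidden -Enc QQBBAEEAQQBBAEEA"},
    {"id": 4624, "host": "SRV02", "user": "jdoe", "logon_type": 10, "src_ip": "10.0.5.17"},
    {"id": 4720, "host": "DC01", "user": "jdoe", "new_account": "svc_backup2"},
    {"id": 7045, "host": "DC01", "service": "PSEXESVC",
     "image": r"C:\Windows\PSEXESVC.exe"},
    {"id": 4688, "host": "WS07", "user": "alice",
     "cmd": r"C:\Windows\System32\notepad.exe"},
]

# PowerShell launched with an encoded command or a hidden window: a common
# shape for the "obfuscated PowerShell script" stage.
ENCODED_PS = re.compile(r"powershell(\.exe)?.*\s-(e|ec|enc|encodedcommand)\b", re.I)
HIDDEN_PS = re.compile(r"\s-w(indowstyle)?\s+hidden\b", re.I)


def classify(event):
    """Return the chain stage this record is evidence for, or None if it is benign."""
    eid = event["id"]
    if eid == 4688:  # process creation
        cmd = event.get("cmd", "")
        if ENCODED_PS.search(cmd) or HIDDEN_PS.search(cmd):
            return "obfuscated_powershell"
        return None
    if eid == 4624 and event.get("logon_type") == 10:  # RemoteInteractive = RDP
        return "rdp_lateral_movement"
    if eid == 4720:  # a user account was created
        return "service_account_created"
    if eid == 7045:  # a service was installed on the system
        if event.get("service", "").upper() == "PSEXESVC":
            return "psexec_push"  # PsExec's default service name
        return "service_installed"
    return None


def correlate(events):
    """Group flagged stages per host so an analyst sees where each stage landed."""
    by_host = defaultdict(set)
    for ev in events:
        stage = classify(ev)
        if stage:
            by_host[ev["host"]].add(stage)
    return {host: sorted(stages) for host, stages in by_host.items()}


def chain_coverage(events, min_stages=3):
    """Count distinct stages across the whole record set; several distinct stages
    in one window is a stronger signal than any single event on its own."""
    stages = {s for s in (classify(ev) for ev in events) if s}
    return {"stages": sorted(stages), "escalate": len(stages) >= min_stages}


if __name__ == "__main__":
    for host, stages in correlate(SAMPLE_EVENTS).items():
        print(host, stages)
    print(chain_coverage(SAMPLE_EVENTS))
```

The per-host view shows the chain spreading from a workstation to a server and then to the domain controller, which matches the progression the quote describes; the `min_stages` threshold is a tuning knob, since a lone RDP logon or account creation is routine in most environments and only the combination warrants escalation.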