skip to Main Content

Cybercrime, Ryuk ransomware actors evolve their TTPs

Advintel: Ryuk ransomware actors evolve their TTPs

Ryuk ransomware cybercrime actors evolve their TTPs. It has been denounced by Advintel cybersecurity experts, who believe the malicious hackers now prefer to target exposed RDP connections to gain an initial foothold on a target network. To compromise the user credentials, they launch large-scale brute force and password spraying attacks against exposed RDP hosts. Targeted phishing emails coupled with the support service center calls such as “BazaCall” have also been observed as an initial infection vector in many malware-attributed attacks. This weaponized document will have instructions that tell the user to “enable content” which will activate a macro and enable the document to download a malicious payload through a PowerShell script that is executed through a command prompt.

The malware operators, once they’re in, study the target to evaluate it

According the cybersecurity experts, once a foothold has been established Ryuk operators will attempt to enumerate domain trusts such as local domains, network shares, users, and Active Directory Organization Units. During this stage, the actors attempt to gather information about the organization to determine what resources within the infected domain are of value to perpetrating the rest of the attack. Bloodhound and AdFind have become popular tools used by cybercrime actors trying to enumerate active directory information within an infected domain. Furthemore, the threat actor conducts OSINT research related to the compromised host domain to identify the infected victim company and evaluate their revenue. Ransomware operators use the total annual revenue of the victim’s company to assess what the ransom amount will be. After infection, ransomware operators utilize also Post-Exploitation toolkits such as Cobalt Strike to conduct further reconnaissance and operation.

Two new TTPs that companies should monitor closely

Advintel has witnessed two new TTPs relative to Ryuk ransomware campaigns that organizations should monitor closely as a means of detecting infections within their domain:

  • CVE-2018-8453 – is an elevation of privilege vulnerability in Windows when the win23k.sys component fails to properly handle objects in memory. The exploitation of this vulnerability allows an attacker to run an arbitrary kernel with read/write privileges;
  • CVE-2019-1069 – is a privilege escalation vulnerability that leverages the way Windows Task Scheduler handles saved tasks. Task Scheduler stores tasks as files in two locations, C:\Windows\Tasks and C:\Windows\System32\Tasks. If an RPC client modifies a task using the service in the C:\Windows\Tasks location when modifications are saved the task will be migrated to C:\Windows\System32\Tasks. When saving a task file, the Task Scheduler service will set ownership and full control of the file to the owner of the task. This process allows an attacker to perpetrate a hard link attack. Therefore, if an attacker manually places a file within C:\Windows\Tasks the attacker will be able to run this file with the highest level of privilege since the Task Scheduler service runs at the maximum level of privilege defined by the local machine.
Back To Top