Cybersecurity News

RDP, Botnet Malware Top Access Point of Updated Ryuk Ransomware

The latest update of the notorious Ryuk ransomware seen throughout 2021, primarily leverages service-based RDP and botnet-based malware delivery to gain access to victims’ networks.

cybersecurity ransomware threat actors Ryuk hacking group targeting RDP botnet malware

By Jessica Davis

- The Ryuk ransomware variant has been updated, yet again. A recent Advanced Intelligence (AdvIntel) report shows the threat actors are increasingly relying on service-based remote desktop protocols (RDPs) and botnet-based malware to gain initial access onto networks.

Observed in the wild since 2018, the attackers behind the notorious variant are constantly evolving Ryuk to improve the effectiveness and efficiency of their attacks. The previous update added worming capabilities, enabling it to automatically proliferate across the network.

Ryuk was initially delivered via the TrickBot trojan but the actors started exploiting the BazarBackdoor to gain a foothold to targeted networks in September -- around the same time federal agencies and researchers warned of a ransomware wave against the healthcare sector.

The group behind the ransomware is considered one of the most successful in recent history, with key global targets including hospitals, governments, and large corporations.

The ransomware has highly preyed on healthcare networks, including successful attacks on a number of high-profile victims like Sky Lakes Medical Center in Oregon, DCH Health System in Alabama, and the massive Universal Health Services attack.

READ MORE: Update to Ryuk Ransomware Variant Adds Network Worming Capability

The latest report sheds light on both new and existing tactics, techniques, and procedures leveraged by the threat actors, which have been observed by AdvIntel researchers in 2021, so far.

RDP and botnet-based malware were overwhelmingly the most common access points. Researchers observed an overall increase in RDP compromise as the initial infection point across all attacks attributed to Ryuk.

The attacks are accomplished through large-scale brute-force measures, as well as password-spraying attacks against exposed endpoints, in an effort to compromise user credentials.

“Targeted phishing emails coupled with the support service center calls, such as ‘BazaCall’ have also been observed as an initial infection vector in many Ryuk-attributed attacks,” researchers noted.

“This weaponized document will have instructions that tell the user to ‘enable content’, which will activate a macro and enable the document to download a malicious payload through a PowerShell script that is executed through a command prompt,” they added.

READ MORE: 5 Providers Still in Downtime, as Sky Lakes Confirms Ryuk Ransomware

After successfully gaining a foothold onto the network, the hackers will then attempt to access a number of key domain trusts, such as network shares, uses, Active Directory Organization Units, and local domains.

While proliferating across connected devices, the attackers simultaneously attempt to gather information about the entity to determine the most valuable resources belonging to the victim organization and that could support the remaining attack measures.

The report also showed the attackers are increasingly using two tools, Bloodhound and AdFind to enumerate active directory data on the victim’s network.

In other observed attacks, the hackers conducted OSINT, open-source intelligence, tied to the victim’s network to identify the company and evaluate its value. Researchers noted the hackers use this information to determine the adequate ransom demand.

In several attacks, the cybercriminals have exploited ZoomInfo to find data on the victim, including its technologies, recent mergers and acquisitions, personnel, and other related data that could prove valuable during the nefarious activities. The hackers then used Cobalt Strike for further reconnaissance activities.

For the botnet-based attacks, the Ryuk group uses bot scans to discover information on antivirus and Endpoint Detection Response tools on potential victim networks, prior to planning their attack.

The actors have also been observed hunting for local administrator access to EDR software, then extracting the credentials using a PowerShell. They’ve also deployed portable NotePad to deploy PowerShells that bypass restrictions.

“It is worth noting that operators will leverage OSINT methods and communication with other threat actors to gain information on the AV and EDR systems present in the networks that they are attacking, especially if a network has been previously compromised,” researchers noted. 

“The information obtained from the attack can be shared between threat groups,” they added. “Once the operators successfully compromise a domain administrator account, they will work to disable AV and EDR services.”

The hackers are also exploiting vulnerabilities CVE-2018-8453 and CVE-2019-1069 to gain access to targeted networks.

Once a local or domain account has been compromised, the actors distribute Ryuk through Group Policy Objects, domain controller, PsExec sessions, or a SYSVOL share startup item.

Administrators should review logs for detections of Mimikatz or PsExec execution or the presence of AdFind, Bloodhound, and LaZagne within the network, while ensuring all devices and operating systems are up-to-date with the latest security patches.

Further, all RDP access points should have multi-factor authentication. Administrators should also routinely review account permissions, Group Policy Objects, and logon scripts.

For healthcare entities, previously provided ransomware insights from the Office for Civil Rights and Microsoft can help support the prevention, detection, and response to human-operated or targeted ransomware campaigns.