Friday, January 15, 04:47

Ryuk: Deployed two weeks after TrickBot infection

Logs of activity on a server used by the TrickBot trojan after infection show that the attacker moved around the network for about two weeks, looking for valuable targets, before deploying Ryuk ransomware.


After the network is compromised, the intruder scans for live systems with specific ports open and steals the password hashes of members of the Domain Admins group.

SentinelOne researchers analyzed in detail the activity recorded in the log files of a Cobalt Strike server that was used against networks and systems compromised by TrickBot.

When the threat actor took an interest in a compromised network, it used modules from Cobalt Strike, the adversary-simulation software built for penetration testers.

One component is the DACheck script, which checks whether the current user has Domain Admin rights. Mimikatz was also used to extract credentials for lateral movement.

The researchers found that computers of interest in the network are discovered by scanning for live hosts with specific ports open.

Services such as FTP, SSH, SMB, SQL Server, Remote Desktop and VNC are targeted because they either help the attacker move to other computers on the network or mark a host as a valuable target.

According to SentinelOne, the attackers explore every system to extract as much useful information as possible. This lets them take full control of the network and reach as many critical machines as possible.

The reconnaissance and lateral-movement stages are followed by the "implantation" of Ryuk ransomware and its deployment to every reachable machine using Microsoft's PsExec tool for remote process execution.
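The two stages described above, the sweep for hosts exposing FTP/SSH/SMB/SQL Server/RDP/VNC and the later PsExec push to every reachable machine, both leave traces in ordinary telemetry, and the gap between them is the window defenders have to act. The Python below is an added example written for this page, not SentinelOne's or BleepingComputer's code: it runs simple detection logic over constructed flow-log lines and constructed Windows service-install events. The line formats, the thresholds and the sample data are assumptions made for the example; what is not assumed is that PsExec by default installs a service named PSEXESVC on the target, which Windows records as System event ID 7045.

```python
"""Detection example for the recon-then-deploy pattern described in the article.
Added for this page; not SentinelOne's or BleepingComputer's code. The log
formats, thresholds and sample records below are constructed assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Default ports of the services the article names as reconnaissance targets.
RECON_PORTS = {21: "FTP", 22: "SSH", 445: "SMB", 1433: "MSSQL",
               3389: "RDP", 5900: "VNC"}


def parse_flow(line):
    """Assumed flow-log format: '<iso-timestamp> <src> <dst> <dport>'."""
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)


def find_port_sweeps(flow_lines, min_hosts=10, window=timedelta(minutes=10)):
    """Flag any source that reaches >= min_hosts distinct hosts on recon ports
    inside a sliding time window. Returns {src: {"hosts", "services", "start"}}."""
    by_src = defaultdict(list)
    for line in flow_lines:
        ts, src, dst, dport = parse_flow(line)
        if dport in RECON_PORTS:
            by_src[src].append((ts, dst, dport))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        left = 0
        for right in range(len(events)):
            # Advance the left edge so the span never exceeds `window`.
            while events[right][0] - events[left][0] > window:
                left += 1
            span = events[left:right + 1]
            hosts = {dst for _, dst, _ in span}
            # Keep the widest span seen for this source (>= so later, equal-size
            # spans that add more services replace earlier ones).
            if len(hosts) >= min_hosts and (src not in alerts or len(hosts) >= alerts[src]["hosts"]):
                alerts[src] = {"hosts": len(hosts),
                               "services": sorted({RECON_PORTS[p] for _, _, p in span}),
                               "start": span[0][0]}
    return alerts


def parse_service_event(line):
    """Assumed event format: '<iso-timestamp> host=.. event=.. service=.. account=..'."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.fromisoformat(ts), fields


def find_psexec_fanout(event_lines, min_hosts=3, window=timedelta(minutes=30)):
    """Flag an account that installs PSEXESVC (PsExec's default service name,
    logged as System event 7045) on >= min_hosts hosts within `window`: the
    mass-deployment step, as opposed to an admin using PsExec on one box."""
    by_account = defaultdict(list)
    for line in event_lines:
        ts, f = parse_service_event(line)
        if f.get("event") == "7045" and f.get("service", "").upper() == "PSEXESVC":
            by_account[f.get("account", "?")].append((ts, f["host"]))
    alerts = {}
    for acct, evs in by_account.items():
        evs.sort()
        hosts = sorted({h for _, h in evs})
        if len(hosts) >= min_hosts and evs[-1][0] - evs[0][0] <= window:
            alerts[acct] = {"hosts": hosts, "first": evs[0][0]}
    return alerts


def dwell_days(flow_lines, event_lines):
    """Days from the first detected sweep to the first PsExec fan-out: the
    window in which the intrusion could have been stopped before encryption."""
    sweeps = find_port_sweeps(flow_lines)
    fanouts = find_psexec_fanout(event_lines)
    if not sweeps or not fanouts:
        return None
    first_sweep = min(a["start"] for a in sweeps.values())
    first_fanout = min(a["first"] for a in fanouts.values())
    return (first_fanout - first_sweep).days


# Constructed sample logs (not real data): one host sweeps SMB and RDP across
# twelve machines on Jan 4; two weeks later a stolen account pushes PsExec.
FLOW_LOG = (
    [f"2021-01-04T09:12:{i:02d} 10.0.5.17 10.0.9.{i} 445" for i in range(1, 13)]
    + [f"2021-01-04T09:13:{i:02d} 10.0.5.17 10.0.9.{i} 3389" for i in range(1, 13)]
    + ["2021-01-04T09:20:00 10.0.5.22 10.0.9.40 443",   # ordinary web traffic
       "2021-01-05T10:00:00 10.0.5.23 10.0.9.3 445"]    # a single file-share access
)
SERVICE_LOG = (
    [f"2021-01-18T10:0{i}:00 host=WS-0{i} event=7045 service=PSEXESVC account=CORP\\svc_backup"
     for i in range(1, 6)]
    + ["2021-01-18T10:07:00 host=WS-09 event=7045 service=Spooler account=SYSTEM"]
)

if __name__ == "__main__":
    print("sweeps:", find_port_sweeps(FLOW_LOG))
    print("psexec fan-out:", find_psexec_fanout(SERVICE_LOG))
    print("dwell days:", dwell_days(FLOW_LOG, SERVICE_LOG))
```

The thresholds are deliberately conservative: a vulnerability scanner or a backup host will also touch many machines on port 445, so in practice the sweep detector is run with an allow-list of known scanners, and the PsExec rule is keyed on the account rather than the source host because the article's attacker works with stolen Domain Admin credentials from wherever it already has a foothold.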

Based on the timestamps, SentinelOne researchers estimate that the intruder spent two weeks gaining access to the network's machines and investigating them before Ryuk was executed on them.

Vitali Kremez of Advanced Intelligence (AdvIntel) told BleepingComputer that this average "incubation" period is accurate, although it can differ from one victim to another.

In some cases Ryuk was deployed after just one day, while in others the file-encrypting malware ran only after the intruder had been hiding in the network for months.

Kremez told us that Ryuk infections have slowed down recently, as the threat actor is probably "on leave."

It is important to note that not every TrickBot infection is followed by Ryuk ransomware, probably because the attackers take the time to analyze the collected data and decide whether or not the victim is worth encrypting.



Teo Ehc


