Friday, October 23, 01:52
Home security Ryuk: Developed two weeks after Trickbot infection

Ryuk: Developed two weeks after Trickbot infection

Recording activity on a server used by trojan TrickBot after the attack shows that the hacker has been circulating the system for about two weeks and is looking for valuable targets before developing Ryuk ransomware.

Ryuk ransomware Trickbot

After the network is compromised, the intruder starts scanning for live systems that have specific ports open and steals password hashes by the Domain Admin team.

SetinelOne researchers have analyzed in detail the activity observed from the log files on a Cobalt Strike server that used TrickBot for networks and systems.

When the malicious agent became interested in a breached network, he used modules from Cobalt Strike's risk simulation software for them. penetration testers.

One component is the DACheck script that checks if the current user has Domain Admin rights. Mimikatz was also used to extract passwords that would help with lateral traffic.

The researchers found that the discovery of computer interests in the network is done by scanning for live hosts that have specific ports open.

Services such as FTP, SSH, SMB, SQL server, remote desktop and VNC are targeted because they help move to other computers on the network or indicate a valuable target.

According to SentinelOne, hackers are exploring every system to extract as many useful things as possible. information. This allows them to take full control of the network and access as many central computers as possible.

The recognition and wandering stages are followed by the "implantation" of Ryuk ransomware and the development of all accessible machines using the tool. PsExec Microsoft for remote process execution.

Based on the timing, SentinelOne researchers estimate it took two weeks for the intruder to gain access to the network's machines and investigate them before Ryuk executes them.

Advanced Intelligence (AdvIntel) Vitali Kremez told BleepingComputer that this average for the "incubation" period is accurate, although it may differ from one victim to another.

In some cases, Ryuk developed after just one day, while in other cases the encrypted malware ran after the intruder had been hiding for months. network.

Kremez told us that Ryuk's infections have slowed down recently, as the threatening factor is probably "empty."

It is important to note that not all TrickBot infections are followed by Ryuk ransomware, probably because hackers take the time to analyze the data collected and determine whether or not the victim deserves to be encrypted.


Please enter your comment!
Please enter your name here

Teo Ehc
Teo Ehc
Be the limited edition.


How to remove Edge tabs from Alt + Tab in Windows 10

Starting with the October 2020 update, Windows 10 now displays Microsoft Edge browser tabs in the Alt + Tab task ...

Patient information is held for ransom by hackers

A company offering psychological support and psychotherapy services to thousands of patients in Finland has fallen victim to hackers. As the company stated, ...

ESafety believes that social media authentication would not be practical

Australian eSafety Commissioner Julie Inman-Grant has dismissed the practice of verifying users' identities on social media.

First beta version of the "1Password" application for Linux

One and a half months after the first rumors about the release of the 1Password application for the Linux desktop, the co-founder of Dave Teare announced now ...

The price of Bitcoin skyrockets after PayPal adds cryptocurrency

The price of Bitcoin reached a very high record on Wednesday, after the announcement of PayPal for the integration of cryptocurrency in the online ...

Dr Reddy is closing its laboratories worldwide following a data breach

The pharmaceutical company Dr Reddy 's Laboratories (DRL) was forced to close its laboratories worldwide, after a data breach that ...

PayPal lets users use cryptocurrency

PayPal on Wednesday announced a new feature that will allow users to buy, store and sell cryptocurrency.

Activists are developing face recognition technology to reveal the identities of police officers

In early September, Portland, Oregon City Council held a virtual meeting to consider legislation that ...

Tesla share rises almost 5%

Tesla's Elon Musk released the results for the third quarter of 2020 on Wednesday. The share rose almost 5% on ...

Account Takeover Attacks: How to Avoid Them?

Account Takeover (ATO) attacks are a form of theft, often used by criminals. The attackers are trying to break into accounts ...