Tuesday, October 27, 16:38

Ryuk ransomware: It takes 29 hours to send email for system breach

A Ryuk ransomware attack took 29 hours from the malicious e-mail being sent to the prospective victim to the full compromise and encryption of the systems, according to The DFIR Report, a project that publishes information on threats from real attacks observed in honeypots.

Ryuk ransomware was originally thought to be a project of North Korean hackers because of its resemblance to the "Hermes" ransomware, but was later linked to Russian hackers. Over the past two years, Ryuk ransomware has been behind a large number of high-profile attacks, including those involving the Pennsylvania-based Universal Health Services (UHS) and the hospital system of the Alabama DCH Regional Medical Center.

In the case of the attack observed by The DFIR Report, it all started with a malicious email carrying a link to download the Bazar / Kegtap loader, which injected itself into multiple processes and profiled the infected system using Windows utilities such as nltest and net group, as well as the third-party tool AdFind.

The malware remained silent for about a day, after which a second phase of reconnaissance began, using the same tools along with Rubeus. The collected data was transferred to a remote server and the intruders began moving laterally.
To compromise other systems on the network, the intruders used various methods, such as remote WMI (Windows Management Instrumentation), remote service execution with PowerShell and a Cobalt Strike beacon delivered over SMB. The Cobalt Strike beacon then served as the main pivot point.

Additional beacons were then deployed throughout the environment and PowerShell was used to disable Windows Defender. The Ryuk ransomware ran one minute after being transferred via SMB from the pivot host and, as soon as encryption started, the servers used to store the backups were hit first.

The DFIR Report, which provides a comprehensive technical analysis of the attack, reveals that the Ryuk ransomware was also transferred to other servers on the network via SMB. Overall, according to The DFIR Report, this campaign lasted 29 hours, from the initial execution of Bazar to the domain-wide ransomware. If the victims missed the first day of the discovery, they would have had just over 3 hours to respond before being asked for ransom.
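As an added defender's example (not part of the article or of The DFIR Report's analysis), the following Python sketch scores constructed process-creation events against the stages described above: discovery with nltest, net group and AdFind, Rubeus use, WMI-launched remote execution, and Windows Defender being disabled through PowerShell. The event format, host names and detection patterns are assumptions, not real telemetry.

```python
import re
from collections import defaultdict

# Constructed process-creation events (host, parent image, command line); not real logs.
SAMPLE_EVENTS = [
    ("WS01", "winword.exe", "cmd.exe /c nltest /dclist:corp"),
    ("WS01", "cmd.exe", 'net group "Domain Admins" /domain'),
    ("WS01", "cmd.exe", "AdFind.exe -f objectcategory=computer -csv name"),
    ("WS01", "cmd.exe", "Rubeus.exe kerberoast /outfile:hashes.txt"),
    ("SRV02", "wmiprvse.exe", "powershell.exe -nop -w hidden -enc AAAA"),
    ("SRV02", "powershell.exe", "powershell Set-MpPreference -DisableRealtimeMonitoring $true"),
    ("WS07", "explorer.exe", "notepad.exe report.txt"),
]

# Stage names follow the chain described in the article; the regexes are assumptions
# and would need tuning against a real environment's baseline.
RULES = [
    ("discovery", re.compile(r"\bnltest\b|\bnet\s+group\b.*?/domain|\badfind(\.exe)?\b", re.I)),
    ("credential_access", re.compile(r"\brubeus\b", re.I)),
    ("lateral_movement", re.compile(r"\bwmic?\b.*?/node:|\bpsexec\b", re.I)),
    ("defense_evasion", re.compile(r"set-mppreference.*-disable\w+", re.I)),
]


def classify(parent, cmdline):
    """Return the set of attack stages one event matches (empty set if benign)."""
    stages = {name for name, pat in RULES if pat.search(cmdline)}
    # A child of the WMI provider host is the footprint of remote WMI execution.
    if parent.lower() == "wmiprvse.exe":
        stages.add("lateral_movement")
    return stages


def triage(events):
    """Aggregate matched stages per host, dropping hosts with no matches."""
    per_host = defaultdict(set)
    for host, parent, cmdline in events:
        per_host[host] |= classify(parent, cmdline)
    return {host: stages for host, stages in per_host.items() if stages}


def hosts_to_isolate(events, min_stages=2):
    """Hosts showing several stages are the likeliest pivots and go to the top of the queue."""
    return sorted(h for h, s in triage(events).items() if len(s) >= min_stages)


if __name__ == "__main__":
    for host, stages in triage(SAMPLE_EVENTS).items():
        print(host, sorted(stages))
    print("isolate first:", hosts_to_isolate(SAMPLE_EVENTS))
```

Given the article's timeline (a day of silence, then about three hours to domain-wide encryption), the point of grouping by host is to surface the pivot early rather than to alert on each command in isolation.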

After encrypting the systems, the attackers demanded about 600 bitcoins (about $6 million) in ransom. However, they were willing to negotiate with the victims.

Yesterday, Microsoft announced that it had dismantled the infrastructure of TrickBot, the botnet used as the main delivery channel for Ryuk ransomware.
