An attack with Ryuk ransomware took 29 hours from the phishing e-mail sent to the prospective victim to the full compromise and encryption of its systems, according to The DFIR Report, a project that publishes information on threats from real attacks observed against its honeypots.
Ryuk ransomware was originally thought to be a project of North Korean hackers because of its resemblance to the "Hermes" ransomware, but was later linked to Russian hackers. Over the past two years, Ryuk ransomware has been behind a large number of high-profile attacks, including those on the Pennsylvania-based Universal Health Services (UHS) and the hospital system of Alabama's DCH Regional Medical Center.
In the attack observed by The DFIR Report, it all started with a malicious email carrying a link to download the Bazar/Kegtap loader, which injected itself into multiple processes and profiled the infected system using Windows utilities such as nltest and net group, as well as the third-party tool AdFind.
The malware then remained silent for about a day, after which a second phase of reconnaissance began, using the same tools together with Rubeus. The collected data was transferred to a remote server and the intruders moved laterally.
To compromise other systems on the network, the intruders used several methods: remote WMI (Windows Management Instrumentation), remote service execution with PowerShell, and a Cobalt Strike beacon dropped over SMB. That Cobalt Strike beacon then served as the main pivot point.
Additional beacons were then deployed throughout the environment, and PowerShell was used to disable Windows Defender. The Ryuk ransomware ran one minute after being transferred over SMB from the pivot, and as soon as encryption started, the servers used to store the backups were hit first.
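As an added illustration of the defensive side (example code written for this article, not from The DFIR Report), the following Python scans constructed process-creation events for the discovery tools and Defender tampering described above and measures the window between the first discovery command and the first Defender change. The sample events, host names and the Set-MpPreference command are assumptions; the report does not say which PowerShell command disabled Defender.

```python
import re
from collections import defaultdict
from datetime import datetime
# Process-creation events (constructed sample, not data from The DFIR Report):
# (host, ISO timestamp, image, command line), in the order they were logged.
SAMPLE_EVENTS = [
    ("ws01", "2020-10-01T09:00:00", "nltest.exe", "nltest /dclist:corp"),
    ("ws01", "2020-10-01T09:02:10", "net.exe", 'net group "Domain Admins" /domain'),
    ("ws01", "2020-10-01T09:03:00", "AdFind.exe", "adfind -f objectcategory=computer"),
    ("ws01", "2020-10-02T08:40:00", "rubeus.exe", "rubeus kerberoast"),
    ("srv02", "2020-10-02T14:00:00", "powershell.exe",
     "powershell Set-MpPreference -DisableRealtimeMonitoring $true"),
    ("srv03", "2020-10-02T14:01:00", "svchost.exe", "svchost -k netsvcs"),
]
# Stage -> regexes matched against the lower-cased command line. nltest, net group,
# AdFind and Rubeus are named in the report; the Set-MpPreference cmdlet is assumed.
STAGES = {
    "discovery": [r"\bnltest\b", r"\bnet1?\s+group\b", r"\badfind\b"],
    "credential_access": [r"\brubeus\b"],
    "defense_evasion": [r"set-mppreference.*-disable\w*\s+\$true"],
}

def classify(cmdline):
    """Return the stage a command line belongs to, or None if it matches nothing."""
    low = cmdline.lower()
    for stage, patterns in STAGES.items():
        if any(re.search(p, low) for p in patterns):
            return stage
    return None

def detect(events):
    """Map each host to its ordered list of (timestamp, stage, cmdline) hits."""
    hits = defaultdict(list)
    for host, ts, _image, cmdline in events:
        stage = classify(cmdline)
        if stage:
            hits[host].append((ts, stage, cmdline))
    return dict(hits)

def response_window(hits):
    """Hours from the first discovery command to the first Defender tampering, or None."""
    first = {}
    for entries in hits.values():
        for ts, stage, _cmd in entries:
            t = datetime.fromisoformat(ts)
            if stage not in first or t < first[stage]:
                first[stage] = t
    if "discovery" not in first or "defense_evasion" not in first:
        return None
    return (first["defense_evasion"] - first["discovery"]).total_seconds() / 3600
```

In the constructed sample the window is 29 hours, which mirrors the report's point that the discovery commands on day one were the only early warning before the Defender change and encryption on day two.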
The DFIR Report, which provides a comprehensive technical analysis of the attack, notes that the Ryuk ransomware was also transferred to other servers on the network via SMB. In total, according to The DFIR Report, the campaign lasted 29 hours, from the initial execution of Bazar to the domain-wide ransomware deployment. If the victim missed the discovery activity on the first day, they would have had just over 3 hours to respond before the ransom demand.
After encrypting the systems, the attackers demanded about 600 bitcoin (about $6 million) in ransom, although they were willing to negotiate with the victims.