How Ryuk Operators Managed To Get a $34 Million Ransom

Megiddo (President, Staff member), May 15, 2016
The attack consists of 15 steps and relies on legitimate security testing tools.



A Russian-speaking cybercriminal group that attacks high-income companies with the Ryuk ransomware received $34 million from one of its victims for a key to recover the encrypted files.

Designated group "one" after the identifier it carries within the Trickbot botnet, which facilitates the deployment of Ryuk on the networks of the companies under attack, the group is quite indiscriminate in its choice of victims. According to Vitali Kremez, a specialist at Advanced Intelligence, the recent victims of group "one" include technology and energy companies, financial services, healthcare organizations and government agencies. According to an October report by the information security company Check Point, in the third quarter of 2020 the group attacked an average of 20 victims per week.

The average ransom received by Ryuk operators is 48 bitcoins (about $750 thousand), and since 2018 they have managed to "earn" $150 million in total. According to Kremez, the cybercriminals negotiate with their victims harshly and almost never show leniency.

The largest confirmed ransom that group "one" has obtained is 2,200 bitcoins (about $34 million). After analyzing this attack, the researcher determined that it consists of 15 steps to find reachable hosts on the network, steal administrator credentials, and deploy the Ryuk ransomware.

In the attack, the group uses publicly available software (mostly open source) from the arsenal of red teams and security testers: Mimikatz, the PowerShell PowerSploit framework, LaZagne, AdFind, BloodHound, and PsExec.

The attack consists of 15 steps:

  • Domain reconnaissance using the "Invoke-DACheck" script;
  • Collecting host passwords with the Mimikatz command "sekurlsa::logonpasswords";
  • Reverting the token to its original state and creating a token for an administrative account from the data obtained with Mimikatz;
  • Enumerating hosts on the network using "net view";
  • Port scanning for the FTP, SSH, SMB, RDP and VNC protocols;
  • Creating a list of reachable hosts;
  • Uploading the Active Directory query tool "AdFind" together with the batch script "adf.bat" to the hosts found via "net view" and the port scan;
  • Displaying the name of the anti-virus solution in use on the host with the "WMIC" command;
  • Uploading the multifunctional password recovery tool LaZagne and running it against the host;
  • Removing the password recovery tool;
  • Launching AdFind and saving the collected data;
  • Removing the AdFind artifacts and exfiltrating the collected data;
  • Granting full access to the network share to "Everyone" for Ryuk to use;
  • Uploading the PsExec remote execution tool to the prepared network hosts and removing the anti-virus solutions;
  • Uploading the batch scripts to the network hosts and launching Ryuk via PsExec on behalf of various compromised users.
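From a detection standpoint, what makes this chain recognizable is not any single command (a lone "net view" is routine) but several of the listed stages appearing on the same host. The following Python is an added example, not part of the original post or of any vendor report: it runs a handful of command-line rules over a constructed set of process-creation events and flags only hosts where at least two distinct stages of the chain were observed. The event format, the rule identifiers and the sample hosts and users are all invented for the illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample process-creation events (not real telemetry).
# One event per line: host|user|parent_image|command_line
SAMPLE_EVENTS = """\
WS01|alice|explorer.exe|C:\\Windows\\System32\\notepad.exe report.txt
WS01|alice|powershell.exe|powershell.exe -nop -exec bypass Invoke-DACheck
SRV02|svc_backup|cmd.exe|mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit
SRV02|svc_backup|cmd.exe|net view /all
SRV02|svc_backup|cmd.exe|wmic /namespace:\\\\root\\SecurityCenter2 path AntiVirusProduct get displayName
SRV02|svc_backup|cmd.exe|adf.bat
SRV02|svc_backup|cmd.exe|AdFind.exe -f "(objectcategory=person)"
DC01|admin|cmd.exe|PsExec.exe \\\\SRV03 -u corp\\admin -p ***** cmd /c start.bat
WS07|bob|outlook.exe|winword.exe invoice.docx
"""

# Each rule maps one stage of the chain described in the post to a
# case-insensitive regex over the command line. Rule ids are hypothetical.
RULES = [
    ("ps_invoke_dacheck", "Invoke-DACheck domain reconnaissance",
     re.compile(r"invoke-dacheck", re.I)),
    ("mimikatz_logonpasswords", "Mimikatz sekurlsa::logonpasswords",
     re.compile(r"sekurlsa\s*::\s*logonpasswords", re.I)),
    ("net_view_enum", "net view host enumeration",
     re.compile(r"\bnet(?:1)?(?:\.exe)?\s+view\b", re.I)),
    ("wmic_av_query", "WMIC anti-virus product query",
     re.compile(r"\bwmic\b.*antivirusproduct", re.I)),
    ("adfind", "AdFind / adf.bat Active Directory enumeration",
     re.compile(r"\badfind(?:\.exe)?\b|\badf\.bat\b", re.I)),
    ("lazagne", "LaZagne credential recovery",
     re.compile(r"\blazagne\b", re.I)),
    ("psexec_remote_exec", "PsExec remote execution",
     re.compile(r"\bpsexec(?:\.exe)?\b", re.I)),
]


@dataclass
class Event:
    host: str
    user: str
    parent: str
    cmdline: str


def parse_events(text):
    """Parse the pipe-separated sample format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        host, user, parent, cmdline = line.split("|", 3)
        events.append(Event(host, user, parent, cmdline))
    return events


def match_event(event):
    """Return the ids of every rule whose pattern matches the command line."""
    return [rule_id for rule_id, _, pattern in RULES if pattern.search(event.cmdline)]


def detect(text, min_stages=2):
    """Return {host: sorted rule ids} for hosts on which at least
    min_stages distinct stages of the chain were observed."""
    hits = {}
    for ev in parse_events(text):
        for rule_id in match_event(ev):
            hits.setdefault(ev.host, set()).add(rule_id)
    return {host: sorted(rules) for host, rules in hits.items() if len(rules) >= min_stages}


if __name__ == "__main__":
    for host, stages in detect(SAMPLE_EVENTS).items():
        print(f"{host}: {len(stages)} chain stages observed -> {', '.join(stages)}")
```

With the sample data only SRV02 is reported (Mimikatz, "net view", the WMIC anti-virus query and AdFind all ran there), while the single Invoke-DACheck on WS01 and the single PsExec on DC01 stay below the threshold. In practice the events would come from Sysmon or EDR process telemetry, and the threshold and time window should be tuned to the environment; the point of the example is the correlation across stages rather than the individual regexes.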