A new ransomware is out in the wild, and in an unusual move, it’s being picky with its targets. Unlike most ransomware strains, it’s attacking only targets with cash to spare, instead of indiscriminately spreading to all targets.

But the cyber-crim’s tactics seem to have worked, netting almost $4 million since August. The ransomware is known as Ryuk – potentially named after a “grim reaper” in a famous Japanese anime.

This reaping ransomware infects large enterprises days, weeks, or even years after they were initially infected by a separate malware. This malware in most cases is a powerful trogan known as Trickbot.

But small organizations who have been hit by Trickbot don’t get a visit from Ryuk. Instead, Ryuk engages in big game hunting. Perhaps the second-most unusual thing about Ryuk is the unusually long “dwell time” – the period between the initial infection and the ransomware demand.

Why is this the case? It is believed this delay allows attackers to conduct valuable reconnaissance of the enterprise network, and hit the critical systems once they have the best avenue to infect them.

CrowdStrike researcher Alexander Hanel wrote:

“Some of TrickBot’s modules (such as pwgrab) could aid in recovering the credentials needed to compromise environments—the SOCKS module in particular has been observed tunneling PowerShell Empire traffic to perform reconnaissance and lateral movement. Through CrowdStrike IR engagements, GRIM SPIDER has been observed performing the following events on the victim’s network, with the end goal of pushing out the Ryuk binary:

  • An obfuscated PowerShell script is executed and connects to a remote IP address.
  • A reverse shell is downloaded and executed on the compromised host.
  • PowerShell anti-logging scripts are executed on the host.
  • Reconnaissance of the network is conducted using standard Windows command-line tools along with external uploaded tools.
  • Lateral movement throughout the network is enabled using Remote Desktop Protocol (RDP).
  • Service User Accounts are created.
  • PowerShell Empire is downloaded and installed as a service.
  • Lateral movement is continued until privileges are recovered to obtain access to a domain controller.
  • PSEXEC is used to push out the Ryuk binary to individual hosts.
  • Batch scripts are executed to terminate processes/services and remove backups, followed by the Ryuk binary.”

Ransomware Protection: Make Sure You’re Prepared!

Backups aren’t enough; you need multi-tiered ransomware protection to truly keep your data safe. On top of anti-malware and firewall solutions, a dedicated ransomware protection tool like BackupAssist’s CryptoSafeGuard can help ransomware at bay. Learn more about it here.

Posted by Adam Ipsen

Leave a Reply