This report illustrates some of the new and existing Tactics, Techniques, and Procedures (TTPs) of the Ryuk ransomware variants

Initial Access: RDP Brute Force / Phising

Initial access is based on major 2 category

  • RDP Poisoning
  • Malvarised payload

The initial infection vector across Ryuk-attributed attacks. Threat actors have been observed in the wild employing large-scale brute force and password spraying attacks against exposed RDP-hosts to compromise user credentials.

Targeted phishing emails coupled with the support service center calls such as “BazaCall” have also been observed as an initial infection vector in many Ryuk-attributed attacks. This weaponized document will have instructions that tell the user to “enable content” which will activate a macro and enable the document to download a malicious payload through a PowerShell script that is executed through a command prompt.

Reconnaissance :

Once a foothold has been established Ryuk operators will attempt to enumerate domain trusts such as local domains, network shares, users, and Active Directory Organization Units using OSINT . During this stage, the actors attempt to gather information about the organization to determine what resources within the infected domain are of value to perpetrating the rest of the attack. Bloodhound and AdFind have become popular tools used by actors trying to enumerate active directory information within an infected domain.

Post-Exploitation: Cobalt Strike

Ryuk operators utilize Post-Exploitation toolkits such as Cobalt Strike to conduct further reconnaissance and operation.

Roadblocks: Bypass EDR

Ryuk operators will utilize information collected by scans to gain information about AV & EDR tools present on hosts before readying their attack. It is worth noting that operators will leverage OSINT methods and if previously compromised the information obtained from the attack can be shared between threat groups. Once the operators successfully compromise a domain administrator account, they will work to disable AV and EDR services.

Some of the more sophisticated and novel red teaming techniques used to target and bypass EDR and protection tools:

  • Hunting for a local IT administrator with access to EDR software and leveraging a PowerShell too to extract administrator credentials for EDR software from popular password manager
  • Backdooring and enumerating using memory.
  • Deploying Notepads++ to execute PowerShell scripts since it has PowerShell has inbuilt

Host Privilege Escalation

NEW TTP’s used by Ryuk operators

CVE-2018-8453

CVE-2018-8453 is an elevation of privilege vulnerability in Windows when the win23k.sys component fails to properly handle objects in memory. The exploitation of this vulnerability allows an attacker to run an arbitrary kernel with read/write privileges.

CVE-2019-1069

CVE-2019-1069 is a privilege escalation vulnerability that leverages the way Windows Task Scheduler handles saved tasks. Running this file with the highest level of privilege since the Task Scheduler service runs at the maximum level of privilege defined by the local machine.

Lateral Movement

Ryuk operators demonstrate high levels of sophistication in their abilities to gather information and move laterally within a network. Specific built-in tools of the Cobalt Strike toolkit have been witnessed being executed by actors including DACheck, and Mimikatz. Actors will also use Mimikatz and LaZagne, CrackMapExec to collect passwords.

Ransomware Installation

Once after sucessful comromise a local or domain admin account, they distribute the Ryuk payload through Group Policy Objects, PsExec sessions from a domain controller, or by utilizing a startup item in the SYSVOL share.

Risk Mitigation

  • Detecting the use of Mimikatz and PsExec execution within the network.
  • Detections and alerts for the presence of AdFind, Bloodhound, and LaZagne within the network.
  • Clients aare patched with latest Security updates
  • Implement multi-factor authentication for RDP access.
  • Implement network segmentation and controls to scrutinize SMB and NTLM traffic within the network.
  • Routinely review account permissions to prevent privilege creep and maintain principle of least privilege.