How Ryuk Ransomware Operators Made $34 Million From One Victim
One hacker group that is targeting high-revenue companies with Ryuk ransomware received $34 million from one victim in exchange for the decryption key that unlocked their computers.
The threat actor is highly proficient at moving laterally inside a compromised network and erasing as much of their tracks as possible before detonating Ryuk ransomware.
Cashing in big time
Referred to as group “one,” after the identifier it carries in the Trickbot botnet that facilitates the network intrusions for the Ryuk file-encrypting malware, this threat actor is unscrupulous when it comes to targets.
According to Vitali Kremez of Advanced Intelligence, recent victims of the Ryuk group “one” include companies in the technology, healthcare, energy, financial service, and the government sector.
Organizations in the healthcare and social services segments make up a little over 13% of all the victims hit by this threat actor.
Since it resumed activity, Ryuk ransomware has been leaving a large trail of victims. A report from Check Point noted in October that the gang was attacking, on average, 20 companies every week in the third quarter of 2020.
Recent Ryuk incidents include the encrypted networks of Universal Health Services (UHS), big-league IT services company Sopra Steria, the Seyfarth Shaw law firm, office furniture giant Steelcase, and hospitals in Brooklyn and Vermont.
The researcher says that the average payment received by this particular group is 48 bitcoins (close to $750,000), and that the group has made at least $150 million since 2018.
In a report today, Kremez says that this Russian-speaking threat actor is tough during the negotiations and rarely shows any leniency. The largest confirmed payment they got was 2,200 bitcoins, which is currently close to $34 million.
15-step attack chain
Analyzing the attack flow from an incident response engagement, Kremez notes that Ryuk group “one” took 15 steps to find available hosts on the network, steal admin-level credentials, and deploy Ryuk ransomware.
They rely on freely available software (much of it open source) that is also used by red teams for testing network security:
- Mimikatz – post-exploitation tool for dumping credentials from memory
- PowerSploit – a collection of PowerShell scripts used for post-exploitation
- LaZagne – similar to Mimikatz, used to collect passwords from locally-stored software
- AdFind – Active Directory query tool
- Bloodhound – post-exploitation tool for enumerating and visualizing the domain Active Directory, complete with devices, users logged in, resources, and permissions
- PsExec – allows executing processes on remote systems
The attack chain starts by running the Cobalt Strike “invoke” command to execute the “DACheck.ps1” script to check if the current user is part of a Domain Admin group.
From there, passwords are retrieved via Mimikatz, the network is mapped, and hosts are identified following port-scanning for FTP, SSH, SMB, RDP, and VNC protocols.
Kremez details the complete steps of the attack, adding the redacted Cobalt Strike commands:
- Examine domain admin via “Invoke-DACheck” script
- Collect host passwords via Mimikatz’s “sekurlsa::logonpasswords” command
- Revert token and create a token for the administrative account from the Mimikatz command output
- Review the network of the host via “net view”
- Portscan for FTP, SSH, SMB, RDP, VNC protocols
- List accesses on the available hosts
- Upload the Active Directory query tool “AdFind” together with the batch script “adf.bat” for the hosts found via “net view” and the port scan
- Display the antivirus name on the host via “WMIC” command
- Upload multi-purpose password recovery tool “LaZagne” to scan the host
- Remove the password recovery tool
- Run ADFind and save outputs
- Delete AdFind tool artifacts and download outputs
- Grant net share full access to all for Ryuk ransomware
- Upload the remote execution tool “PsExec” along with the prepared list of network hosts, and uninstall the antivirus product
- Upload the execution batch scripts and the parsed list of network hosts, and run Ryuk ransomware via PsExec under different compromised users
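Every step above leaves a process-creation record on the host it runs on, and the chain is far more telling than any single tool. The following detection logic is an added example (not code from the article or from Advanced Intelligence): it runs a set of stage rules, keyed to the tooling named in the list above, over Sysmon Event ID 1-style records and flags a host only when several distinct stages fire within one window. The event records, host names, user names and file names are constructed for this example; note that the Mimikatz rule keys on the `sekurlsa::logonpasswords` argument rather than the binary name, since the binary is routinely renamed.

```python
"""Stage-chain detection for the Ryuk hands-on-keyboard intrusion steps.

Input is a list of process-creation records in the shape a Sysmon Event ID 1
or EDR feed provides (timestamp, host, user, image path, command line).
All sample events below are constructed for this example.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class ProcEvent:
    ts: datetime
    host: str
    user: str
    image: str      # full path of the created process
    cmdline: str    # command line as logged


# (stage name, case-insensitive regex over "image cmdline").
# Patterns follow the tools named in the article; tune against your own baseline.
STAGE_RULES = [
    ("da_check",       r"invoke-dacheck|dacheck\.ps1"),
    ("mimikatz_logon", r"sekurlsa::logonpasswords"),          # argument, not binary name
    ("net_view",       r"\bnet1?(\.exe)?\s+view\b"),
    ("av_discovery",   r"wmic.*securitycenter2.*antivirusproduct"),
    ("adfind",         r"\badfind(\.exe)?\b|\badf\.bat\b"),
    ("lazagne",        r"\blazagne(\.exe)?\b"),
    ("bloodhound",     r"\bsharphound(\.exe)?\b|invoke-bloodhound"),
    ("share_open",     r"\bnet1?(\.exe)?\s+share\b.*/grant:everyone,full"),
    ("psexec",         r"\bpsexec(64)?(\.exe)?\b|\bpsexesvc\b"),
]


def match_stages(events):
    """Return {host: {stage: first_seen_timestamp}} for every rule that fires."""
    hits = defaultdict(dict)
    for ev in events:
        text = f"{ev.image} {ev.cmdline}"
        for stage, pattern in STAGE_RULES:
            if stage not in hits[ev.host] and re.search(pattern, text, re.IGNORECASE):
                hits[ev.host][stage] = ev.ts
    return dict(hits)


def flag_hosts(events, min_stages=3, window=timedelta(hours=24)):
    """Hosts on which at least `min_stages` distinct stages first fire within `window`.

    A lone `net view` or AdFind run may be an administrator; the sequence is
    what distinguishes an intrusion. Returns {host: [stages in order seen]}.
    """
    flagged = {}
    for host, stages in match_stages(events).items():
        times = sorted(stages.values())
        for start in times:
            inside = [t for t in times if start <= t <= start + window]
            if len(inside) >= min_stages:
                flagged[host] = sorted(stages, key=stages.get)
                break
    return flagged


T0 = datetime(2020, 11, 7, 9, 0)   # constructed incident start time


def sample_events():
    """Constructed telemetry: one host walking the chain, one benign admin lookup."""
    return [
        ProcEvent(T0, "FS01", r"CORP\jdoe",
                  r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                  r'powershell -nop -exec bypass -c "Import-Module .\DACheck.ps1; Invoke-DACheck"'),
        ProcEvent(T0 + timedelta(minutes=5), "FS01", r"CORP\jdoe",
                  r"C:\Users\Public\m.exe",                      # renamed Mimikatz
                  r"m.exe privilege::debug sekurlsa::logonpasswords exit"),
        ProcEvent(T0 + timedelta(minutes=7), "FS01", r"CORP\jdoe",
                  r"C:\Windows\System32\net.exe", r"net view /all"),
        ProcEvent(T0 + timedelta(minutes=20), "FS01", r"CORP\jdoe",
                  r"C:\Windows\System32\wbem\WMIC.exe",
                  r"wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName"),
        ProcEvent(T0 + timedelta(minutes=30), "FS01", r"CORP\jdoe",
                  r"C:\Windows\System32\cmd.exe", r"cmd /c adf.bat"),
        ProcEvent(T0 + timedelta(minutes=60), "FS01", r"CORP\svc_backup",
                  r"C:\Windows\System32\net.exe", r"net share C$=C:\ /GRANT:Everyone,FULL"),
        ProcEvent(T0 + timedelta(minutes=70), "FS01", r"CORP\svc_backup",
                  r"C:\Users\Public\PsExec.exe",
                  r"PsExec.exe -accepteula @hosts.txt -u CORP\svc_backup -d -c run.bat"),
        # Helpdesk workstation doing a single share lookup: no chain.
        ProcEvent(T0 + timedelta(minutes=15), "WS22", r"CORP\helpdesk",
                  r"C:\Windows\System32\net.exe", r"net view \\FS01"),
    ]


if __name__ == "__main__":
    for host, chain in flag_hosts(sample_events()).items():
        print(f"{host}: {' -> '.join(chain)}")
```

Tuning note: the 24-hour window and three-stage threshold are starting points; in the engagement described above the whole chain ran under the same few compromised users, so adding the user to the correlation key would tighten it further, while PsExec and `net share` hits alone should feed an allow-list of known administration hosts rather than an alert.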
The Trickbot gang has been spreading the BazarLoader backdoor since at least April 2020 through spear-phishing campaigns. Unlike the widely detected Trickbot malware, BazarLoader was likely reserved at first for valuable victims, where it deploys a Cobalt Strike beacon that provides remote access to the operators.
Lately, though, phishing attempts with this malware have become more common, using lures tuned to the time of the attack (holidays, events) or themes that fit any time of the year (complaints, payroll, service or employment notifications).