fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

How Ryuk Ransomware Operators Made $34 Million From One Victim

How Ryuk Ransomware Operators Made $34 Million From One Victim

One hacker group that is targeting high-revenue companies with Ryuk ransomware received $34 million from one victim in exchange for the decryption key that unlocked their computers.

The threat actor is highly proficient at moving laterally inside a compromised network and erasing as much of their tracks as possible before detonating Ryuk ransomware.

Cashing in big time

Referred to as group “one,” as per the identification received from Trickbot botnet that facilitates the network intrusions for Ryuk file-encrypting malware, this threat actor is unscrupulous when it comes to targets.

According to Vitali Kremez of Advanced Intelligence, recent victims of the Ryuk group “one” include companies in the technology, healthcare, energy, financial service, and the government sector.

Organizations in the healthcare and social services segments make a little over 13% of all the victims hit by this threat actor.

Since it resumed activity, Ryuk ransomware has been leaving a large trail of victims. A report from Check Point noted in October that the gang was attacking, on average, 20 companies every week in the third quarter of 2020.

Recent news of Ryuk ransomware reports on encrypted networks belonging to Universal Health Services (UHS), big-league IT services company Sopra SteriaSeyfarth Shaw law firm, office furniture giant Steelcase, and hospitals in Brooklyn and Vermont.

Also Read: Website Ownership Laws: Your Rights And What These Protect

The researcher says that the average payment received by this particular group is 48 bitcoins (close to $750,000), and they made at least $150 million since 2018.

In a report today, Kremez says that this Russian-speaking threat actor is tough during the negotiations and rarely shows any leniency. The largest confirmed payment they got was 2,200 bitcoins, which is currently close to $34 million.

15-step attack chain

Analyzing the attack flow from an incident response engagement, Kremez notes that Ryuk group “one” too 15 steps to find available hosts on the network, steal admin-level credentials, and deploy Ryuk ransomware.

They get initialy available software (much of it open-sourced) that is also used by red-teams for testing network security:

  • Mimikatz – post-exploitation tool for dumping credentials from memory
  • PowerShell PowerSploit – a collection of PowerShell scripts used for post-exploitation
  • LaZagne – similar to Mimikatz, used to collect passwords from locally-stored software
  • AdFind – Active Directory query tool
  • Bloodhound – post-exploitation tool for enumerating and visualizing the domain Active Directory, complete with devices, users logged in, resources, and permissions
  • PsExec – allows executing processes on remote systems

The attack chain starts by running the Cobalt Strike “invoke” command to execute the “DACheck.ps1” script to check if the current user is part of a Domain Admin group.

From there, passwords are retrieved via Mimikatz, the network is mapped, and hosts are identified following port-scanning for FTP, SSH, SMB, RDP, and VNC protocols.

Kremez details the complete steps of the attack, adding the redacted Cobalt Strike commands:

  1. Examine domain admin via “Invoke-DACheck” script
  2. Collect host passwords via Mimikatz “mimikatz’s sekurlsa::logonpasswords”
  3. Revert token and create a token for the administrative comment from the Mimikatz command output
  4. Review the network of the host via “net view”
  5. Portscan for FTP, SSH, SMB, RDP, VNC protocols
  6. List accesses on the available hosts
  7. Upload active directory finder “AdFind” kit with the batch script “adf.bat” from the “net view” and portscanned hosts
  8. Display the antivirus name on the host via “WMIC” command
  9. Upload multi-purpose password recovery tool “LaZagne” to scan the host
  10. Remove the password recovery tool
  11. Run ADFind and save outputs
  12. Delete AdFind tool artifacts and download outputs
  13. Grant net share full access to all for Ryuk ransomware
  14. Upload remote execution software “PSExec” and prepared network hosts and uninstall the anti-virus product
  15. Upload execution batch scripts and the parsed network hosts and run Ryuk ransomware as via PsExec under different compromised users

Trickbot gang started spreading BazarLoader backdoor since at least April 2020 through spear phishing campaigns. Unlike the highly-detected Trickbot malware, the malwre was likely reserved for valuable victims at first, to deploy a Cobalt Strike beacon that provides remote access to the operators.

Also Read: Computer Misuse Act Singapore: The Truth And Its Offenses

Lately, though, phishing attempts with this malware have become more ordinary, using lures tuned to the time of the attack (holidays, events) or themes that lend to any time of the year (complaints, payroll, service or employment notifications).

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us