Ryuk Ransomware Operators Have Updated Hacking Methods


Security researchers at Advanced Intelligence (AdvIntel) have reported new hacking techniques used by Ryuk ransomware operators. According to experts, Ryuk hackers have recently started exploiting open RDP connections to gain access to victims' networks.

To compromise user credentials, the attackers ran large-scale brute-force and password-spray attacks against systems with Remote Desktop Protocol enabled. They also relied on phishing, using BazaCall campaigns that spread malware through malicious call centers: corporate users were directed to malicious resources and tricked into downloading an infected Microsoft Excel document.
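The brute-force and password-spray activity described above leaves a distinctive trace in the Windows Security log: brute force piles many failures onto one account from one source, while a spray touches many accounts from one source with only a few attempts each. The following detector is an added example, not code from AdvIntel or from this article. It parses constructed Event ID 4625-style records flattened to key=value fields (a format assumed here for readability, not what the log actually emits), and the window and thresholds are assumptions to tune per environment.

```python
"""Classify Windows logon failures per source IP as brute force, password spray, or benign.

Added example, not from the AdvIntel report.  The key=value record format and the
thresholds below are assumptions, not values from the report.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry).  EventID 4625 is a failed logon;
# LogonType 10 is RemoteInteractive (RDP) and LogonType 3 is Network, which is what
# NLA-protected RDP produces before a session is established.
SAMPLE_LINES = (
    # 12 rapid failures against a single account: brute force
    [f"2021-05-10T02:14:{i:02d}Z EventID=4625 TargetUserName=jsmith "
     f"IpAddress=203.0.113.7 LogonType=10" for i in range(12)]
    # one failure each against 9 accounts, a minute apart: password spray
    + [f"2021-05-10T02:{20 + i:02d}:00Z EventID=4625 TargetUserName={u} "
       f"IpAddress=198.51.100.9 LogonType=3"
       for i, u in enumerate(["alice", "bob", "carol", "dave", "erin",
                              "frank", "grace", "heidi", "ivan"])]
    + [
        # one mistyped password from an internal host followed by success: benign
        "2021-05-10T02:40:00Z EventID=4625 TargetUserName=carol IpAddress=10.0.0.5 LogonType=10",
        "2021-05-10T02:40:30Z EventID=4624 TargetUserName=carol IpAddress=10.0.0.5 LogonType=10",
        # a console logon failure (LogonType 2) is outside an RDP rule's scope
        "2021-05-10T02:41:00Z EventID=4625 TargetUserName=dave IpAddress=192.0.2.1 LogonType=2",
    ]
)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) TargetUserName=(?P<user>\S+) "
    r"IpAddress=(?P<ip>\S+) LogonType=(?P<lt>\d+)$"
)

WINDOW = timedelta(minutes=10)   # sliding window per source IP (assumed)
BRUTE_FORCE_MIN = 10             # failures against one account from one IP within WINDOW
SPRAY_MIN_USERS = 8              # distinct accounts tried from one IP within WINDOW
SPRAY_MAX_PER_USER = 3           # sprays keep per-account attempts below lockout thresholds
RDP_LOGON_TYPES = {3, 10}


def parse_line(line):
    """Return a dict for one record, or None if the line does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "event_id": int(m["eid"]),
        "user": m["user"].lower(),
        "ip": m["ip"],
        "logon_type": int(m["lt"]),
    }


def classify(lines):
    """Map each source IP with RDP-type failures to a verdict plus supporting counts."""
    failures = [e for e in map(parse_line, lines)
                if e and e["event_id"] == 4625 and e["logon_type"] in RDP_LOGON_TYPES]
    failures.sort(key=lambda e: e["ts"])
    by_ip = defaultdict(list)
    for e in failures:
        by_ip[e["ip"]].append(e)

    verdicts = {}
    for ip, evs in by_ip.items():
        kind = "benign"
        start = 0
        for end in range(len(evs)):
            # drop failures older than WINDOW relative to the newest one
            while evs[end]["ts"] - evs[start]["ts"] > WINDOW:
                start += 1
            per_user = Counter(e["user"] for e in evs[start:end + 1])
            if max(per_user.values()) >= BRUTE_FORCE_MIN:
                kind = "brute_force"
                break
            if len(per_user) >= SPRAY_MIN_USERS and max(per_user.values()) <= SPRAY_MAX_PER_USER:
                kind = "password_spray"
                break
        verdicts[ip] = {
            "kind": kind,
            "failures": len(evs),
            "distinct_users": len({e["user"] for e in evs}),
        }
    return verdicts


if __name__ == "__main__":
    for ip, v in classify(SAMPLE_LINES).items():
        print(f"{ip:15} {v['kind']:15} failures={v['failures']} users={v['distinct_users']}")
```

The two rules are deliberately separate: a spray stays under the per-account lockout threshold by design, so an alert keyed only on failures per account never fires on it, and counting distinct accounts per source is what surfaces it. Successful logons (4624) are filtered out here, but a success from a source that was just sprayed is the higher-priority event to chase.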

Reconnaissance by Ryuk operators takes place in two stages, the experts say. The first is identifying valuable resources in the compromised domain, including network shares, users, and Active Directory organizational units. The second is discovering information about the company's earnings, to determine how large a ransom the victim can afford to pay to restore its systems.

The operators used the AdFind and BloodHound tools to gather information about Active Directory; additional reconnaissance was performed with Cobalt Strike.

The criminals also used the open-source tools KeeThief and CrackMapExec to steal administrator credentials and move through the victim's network. KeeThief, which steals local administrator credentials, was a key tool for bypassing EDR measures. Another tactic was using a portable version of Notepad to edit PowerShell scripts in environments with PowerShell execution constraints.
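The reconnaissance tooling in the previous paragraphs (AdFind, BloodHound, Cobalt Strike) and the credential-access and editing tactics in this one (KeeThief, CrackMapExec, a portable Notepad opening PowerShell scripts) all show up as process-creation events on the endpoint. The rule set below is an added example, not AdvIntel's or this article's code. The record fields are modelled on Sysmon Event ID 1 (Image, CommandLine, ParentImage), the sample events are constructed, and the patterns and trusted-directory list are assumptions a detection engineer would tune rather than signatures taken from the report.

```python
"""Flag process-creation records matching the tooling named in the report and the
portable-editor-on-a-script tactic.

Added example, not from the AdvIntel report.  Fields follow Sysmon Event ID 1 naming;
the rule patterns and TRUSTED_DIRS are assumptions to tune per environment.
"""
import re

# Constructed process-creation records (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\Public\adfind.exe",
     "CommandLine": r'adfind.exe -f "(objectcategory=person)"',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Users\jsmith\Downloads\SharpHound.exe",
     "CommandLine": r"SharpHound.exe -c All",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Users\jsmith\Downloads\Notepad\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\jsmith\Downloads\stage.ps1",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\alice\notes.txt",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\Scripts\backup.ps1",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
]

# Directories an OS-supplied editor is expected to run from (assumed list; note that
# C:\Windows\Temp is user-writable and therefore deliberately absent).
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                "c:\\program files\\", "c:\\program files (x86)\\")
EDITOR_NAMES = ("notepad.exe", "notepad++.exe")


def image_name(event):
    """Lower-cased file name of the executed image."""
    return event["Image"].rsplit("\\", 1)[-1].lower()


def from_trusted_dir(event):
    return event["Image"].lower().startswith(TRUSTED_DIRS)


def portable_editor_on_script(event):
    """An editor running outside trusted directories and opening a .ps1 file."""
    return (image_name(event) in EDITOR_NAMES
            and not from_trusted_dir(event)
            and re.search(r"\.ps1\b", event["CommandLine"], re.I) is not None)


# (rule name, predicate).  Where possible a rule pairs the binary name with a
# command-line marker, so a renamed binary still trips it.
RULES = [
    ("ad_recon_adfind", lambda e: image_name(e) == "adfind.exe"
        or re.search(r"objectcategory=", e["CommandLine"], re.I) is not None),
    ("ad_recon_bloodhound", lambda e: re.search(
        r"sharphound|bloodhound", e["CommandLine"], re.I) is not None),
    ("cred_access_keethief", lambda e: re.search(
        r"keethief|KeePassDatabaseKey", e["CommandLine"], re.I) is not None),
    ("lateral_crackmapexec", lambda e: re.search(
        r"crackmapexec|\bcme\b", e["CommandLine"], re.I) is not None),
    ("portable_editor_ps1", portable_editor_on_script),
]


def evaluate(events):
    """Return {Image: [matched rule names]} for events that matched at least one rule."""
    hits = {}
    for e in events:
        matched = [name for name, pred in RULES if pred(e)]
        if matched:
            hits[e["Image"]] = matched
    return hits


if __name__ == "__main__":
    for image, rules in evaluate(SAMPLE_EVENTS).items():
        print(f"{image}: {', '.join(rules)}")
```

The portable-editor rule is the one worth noting: it does not look for a malicious tool at all, only for a legitimate editor launched from a user-writable path with a PowerShell script as its argument, which is exactly the footprint of the Notepad tactic described above. Pairing the path check with the file-type check keeps ordinary Notepad use and ordinary script execution out of the alert.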

AdvIntel discovered that Ryuk operators exploited Windows Win32k (CVE-2018-8453) and Microsoft SharePoint (CVE-2019-1069) vulnerabilities this year.
