National Cyber Security Centre (NCSC) from the UK issued an alert for Ryuk ransomware attack that is actively targeting global organization associated with Emotet and TrickBot malware.
Researcher uncovered this ongoing Ryuk ransomware infection identified in the various organization network along with Emotet and TrickBot infection.
Ryuk Ransomware initially uncovered in August 2018 since then it infects and compromise various organization and steals millions of dollars from affected victims.
Emotet is one of the notorious malware family that infects various victims around the world and is used as a dropper for initial stage infection by other Trojans.
Trickbot is a banking malware which steals login credentials from applications. Since it was discovered long back ago, the threat actors continuously adding new capabilities to the malware.
Ryuk Ransomware using TrickBot and Emotet malware in its attack chain targeting large organizations for a high-ransom return and the Ryuk believed to be operated by GRIM SPIDER, a sophisticated hacking group.
Ryuk Ransomware infection Functionality
Ryuk ransomware using Emotet for the initial stage of infection and check the victim’s machine, whether it vulnerable to infection or not.
Post exploitation modules are used for credential harvesting, remotely monitoring of the victim’s workstation to infect a further system in the same network.
Machines infected with Emotet periodically check for modules from a command and control server (C2). These modules are typically DLLs or EXEs which are loaded on an infected system for extending capabilities.
All the non-executable file will be encrypted at the end of the infection process and displaying the ransomware notes with the demand of ransom amount in bitcoin.
“Ryuk is a persistent infection. The malware’s installer will attempt to stop certain antimalware software and install the appropriate version of Ryuk depending on a system’s architecture.”
According to NCSC, The Ryuk ransomware itself does not contain the ability to move laterally within a network, hence the reliance on access via a primary infection, but it does, however, have the ability to enumerate network shares and encrypt those it can access. This, coupled with the ransomware’s use of anti-forensic recovery, a technique to make recovering from backups difficult.
You can read more about the indicators of compromise and NCSC advisory Notes Here.