Recent attacks by Ryuk ransomware operators show that the actors are increasingly targeting hosts with remote desktop connections exposed on the public internet, cybersecurity firm AdvIntel reports.
Security researchers from Advanced Intelligence noticed that, to establish an initial foothold on targeted networks, Ryuk ransomware operators are increasingly trying to compromise exposed Remote Desktop Protocol (RDP) connections.
The attackers attempt to steal user credentials by launching large-scale brute-force and password-spraying attacks against vulnerable RDP hosts.
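The two credential-attack patterns described above leave distinct traces in RDP logon-failure events: brute force is many failures against one account from one source, password spraying is a few failures each against many accounts from one source. As an added defensive example (not code from AdvIntel or from this article), the following Python script flags both patterns over a sliding time window. The log lines are constructed for the example in a simplified key=value layout modelled on Windows Security Event ID 4625 (failed logon) with logon type 10 (RemoteInteractive, i.e. RDP); the field names, thresholds and window size are assumptions to tune for a real environment.

```python
"""Flag brute-force and password-spraying patterns in RDP logon failures.

Added defensive example, not code from AdvIntel or the article. Input is a
list of constructed log lines modelled on Windows Event ID 4625 with logon
type 10 (RDP). The key=value field layout is a simplification, not the EVTX schema.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumed detection window
BRUTE_FORCE_THRESHOLD = 10       # assumed: failures for one (source IP, account)
SPRAY_THRESHOLD = 5              # assumed: distinct accounts tried from one source IP

BASE = datetime(2021, 5, 10, 9, 0, 0)


def _line(offset_s, ip, user, logon_type=10):
    """Build one constructed 4625-style record (documentation IP ranges only)."""
    ts = (BASE + timedelta(seconds=offset_s)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"{ts} EventID=4625 LogonType={logon_type} IpAddress={ip} TargetUserName={user}"


# Constructed sample log: one brute-force source, one spraying source, one benign
# user mistyping a password twice, and non-RDP (logon type 3) noise to be ignored.
SAMPLE_LOG = (
    [_line(i * 20, "203.0.113.5", "administrator") for i in range(12)]
    + [_line(60 + i * 45, "198.51.100.7", u)
       for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])]
    + [_line(0, "192.0.2.9", "alice"), _line(30, "192.0.2.9", "alice")]
    + [_line(i * 5, "203.0.113.5", "svc_backup", logon_type=3) for i in range(20)]
)


def parse_line(line):
    """Split a record into a dict; the leading timestamp becomes a datetime."""
    ts_str, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def rdp_failures(lines):
    """Yield only failed RemoteInteractive (RDP) logons."""
    for line in lines:
        rec = parse_line(line)
        if rec.get("EventID") == "4625" and rec.get("LogonType") == "10":
            yield rec


def max_in_window(times, window):
    """Largest number of timestamps falling inside any interval of length `window`."""
    times = sorted(times)
    best = start = 0
    for end, ts in enumerate(times):
        while ts - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def max_distinct_in_window(events, window):
    """Largest number of distinct accounts seen inside any interval of length `window`.

    `events` is a list of (timestamp, account) tuples.
    """
    events = sorted(events)
    counts = Counter()
    best = start = 0
    for ts, user in events:
        counts[user] += 1
        while ts - events[start][0] > window:
            old_user = events[start][1]
            counts[old_user] -= 1
            if counts[old_user] == 0:
                del counts[old_user]
            start += 1
        best = max(best, len(counts))
    return best


def detect(lines, window=WINDOW,
           brute_threshold=BRUTE_FORCE_THRESHOLD, spray_threshold=SPRAY_THRESHOLD):
    """Return flagged (ip, account) brute-force pairs and spraying source IPs."""
    per_pair = defaultdict(list)   # (ip, account) -> [timestamps]
    per_ip = defaultdict(list)     # ip -> [(timestamp, account)]
    for rec in rdp_failures(lines):
        per_pair[(rec["IpAddress"], rec["TargetUserName"])].append(rec["ts"])
        per_ip[rec["IpAddress"]].append((rec["ts"], rec["TargetUserName"]))

    findings = {"brute_force": [], "password_spray": []}
    for (ip, user), times in per_pair.items():
        if max_in_window(times, window) >= brute_threshold:
            findings["brute_force"].append((ip, user))
    for ip, events in per_ip.items():
        if max_distinct_in_window(events, window) >= spray_threshold:
            findings["password_spray"].append(ip)
    return findings


if __name__ == "__main__":
    for kind, hits in detect(SAMPLE_LOG).items():
        print(f"{kind}: {hits}")
```

The sliding window matters for spraying in particular: a source that tries one password against each of fifty accounts spread over a day never trips a per-account counter, so the per-source distinct-account count is the signal. Lowering the spraying threshold raises sensitivity but will also catch shared jump hosts where several people legitimately fail logons, so baseline both numbers against your own RDP traffic before alerting.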
For initial compromise, the attackers also distributed malware through spear-phishing attacks and through BazarCall, which targets corporate employees and directs them to infected Excel documents.
Ryuk attackers perform reconnaissance on the victim’s machines in two stages. In the first stage, they determine what valuable resources are on the compromised domain. Then they gather information on the company’s revenue from open services such as ZoomInfo to determine the optimal ransom amount. For additional reconnaissance, Ryuk operators used the AdFind AD query tool, popular with ransomware actors, the Bloodhound post-exploitation tool, and Cobalt Strike.
Among the new techniques, researchers note the Ryuk operators’ use of KeeThief, a tool for stealing credentials from the KeePass password manager.
Vitali Kremez, CEO of AdvIntel, reported that the attackers used KeeThief to bypass EDR and other defenses with the help of the stolen credentials of a local IT administrator.
In another tactic, the attackers deployed a portable version of Notepad++ to run PowerShell scripts on systems where PowerShell execution was restricted.
Finally, in one recent Ryuk ransomware attack, AdvIntel researchers observed the operators using CrackMapExec, an open-source penetration-testing tool, to extract admin credentials and move laterally within the compromised network.
“Once actors have successfully compromised a local or domain admin account, they distribute the Ryuk payload through Group Policy Objects, PsExec sessions from a domain controller, or by utilizing a startup item in the SYSVOL share,” the researchers further explained.