Latest Ryuk Ransomware Attacks on Oil and Gas Companies Includes Compromising Active Directory

Ransomware has definitely grown up from its infant stages, when it simply infected one computer. From spreading through lateral movement, to using a victim's email account to spread the infection, to exfiltrating data as added leverage for the ransom demand, to infecting literally thousands of endpoints in a single attack, ransomware is no longer the minor inconvenience it once was.

But a new attack tactic caught my attention – the hacking of Active Directory to increase the number of infected machines. Last week, Clint Bodungen, founder and CEO of incident response vendor ThreatGen, spoke at the S4x20 conference in Miami. There he outlined an incident involving Ryuk ransomware and some of ThreatGen’s oil and gas customers in which AD was leveraged as part of the attack.

According to Bodungen, the attackers:

  • Sat dormant within the victim networks for months before launching the ransomware
  • Used RDP to move laterally within the network (which implies compromised credentials)
  • Gained elevated access to AD
  • Edited a logon script for roaming users to include installing Ryuk
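The last step above is the one a defender can check for directly: a logon script assigned through a user's scriptPath attribute (or through a GPO) is a file on the domain's NETLOGON or SYSVOL share, so an unexpected hash change, a new script, or a script suddenly assigned to many users is visible to anyone who keeps a baseline. The following PowerShell is an added example written for this post, not code from ThreatGen or from the incident described; it assumes the RSAT ActiveDirectory module, read access to the domain's NETLOGON and SYSVOL shares, and a hypothetical baseline file at C:\Baselines\logon-scripts.json.

```powershell
# Added example (not from the original post): audit Active Directory logon scripts
# for unexpected changes. Assumes the RSAT ActiveDirectory module and read access to
# the domain's NETLOGON and SYSVOL shares. The baseline path is a hypothetical placeholder.
Import-Module ActiveDirectory

$BaselinePath = 'C:\Baselines\logon-scripts.json'   # hypothetical baseline location
$Domain       = (Get-ADDomain).DNSRoot
$NetlogonRoot = "\\$Domain\NETLOGON"
$PolicyRoot   = "\\$Domain\SYSVOL\$Domain\Policies"   # GPO-assigned scripts live here

# 1. Which accounts have a logon script assigned via scriptPath, grouped by script.
#    A script that is suddenly assigned to a large number of users stands out here.
$scriptUsers = Get-ADUser -Filter 'scriptPath -like "*"' -Properties scriptPath |
    Group-Object scriptPath |
    Sort-Object Count -Descending

# 2. Hash every script file under NETLOGON and the GPO policy folders.
$files = Get-ChildItem -Path $NetlogonRoot, $PolicyRoot -Recurse -File `
    -Include *.bat, *.cmd, *.vbs, *.ps1 -ErrorAction SilentlyContinue

$current = @{}
foreach ($f in $files) {
    $current[$f.FullName] = [pscustomobject]@{
        Hash          = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
        LastWriteTime = $f.LastWriteTimeUtc
        Owner         = (Get-Acl -Path $f.FullName).Owner
    }
}

# 3. First run: record the baseline and stop. Later runs: diff against it.
if (-not (Test-Path $BaselinePath)) {
    $current | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselinePath
    Write-Host "Baseline written to $BaselinePath ($($current.Count) scripts)."
    return
}
$baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json

$findings = @()
foreach ($path in $current.Keys) {
    $old = $baseline.PSObject.Properties[$path]
    if ($null -eq $old) {
        $findings += [pscustomobject]@{ Path = $path; Finding = 'NEW: not in baseline' }
    } elseif ($old.Value.Hash -ne $current[$path].Hash) {
        $findings += [pscustomobject]@{
            Path    = $path
            Finding = "MODIFIED: baseline write $($old.Value.LastWriteTime), now $($current[$path].LastWriteTime), owner $($current[$path].Owner)"
        }
    }
}
foreach ($prop in $baseline.PSObject.Properties) {
    if (-not $current.ContainsKey($prop.Name)) {
        $findings += [pscustomobject]@{ Path = $prop.Name; Finding = 'REMOVED since baseline' }
    }
}

# 4. Flag script contents that fetch or launch something from outside the script itself.
#    These are review prompts, not verdicts; legitimate scripts can match too.
$suspectPatterns = 'https?://', '\\\\[^\\]+\\', 'bitsadmin', 'certutil', '-EncodedCommand', '-enc ', 'Invoke-WebRequest', 'curl ', 'wget '
foreach ($path in $current.Keys) {
    $hits = Select-String -Path $path -Pattern $suspectPatterns -ErrorAction SilentlyContinue
    foreach ($h in $hits) {
        $findings += [pscustomobject]@{ Path = $path; Finding = "REVIEW line $($h.LineNumber): $($h.Line.Trim())" }
    }
}

Write-Host "`nLogon scripts by number of assigned users:"
$scriptUsers | Select-Object Count, Name | Format-Table -AutoSize
Write-Host "`nFindings:"
$findings | Format-Table -AutoSize -Wrap
```

Run it from a workstation with the AD tools once to establish the baseline, then on a schedule; any "NEW" or "MODIFIED" finding should be matched against a change ticket. Because NETLOGON and SYSVOL replicate between domain controllers, a single edit on one DC reaches every DC, so the script only needs to read one copy; to learn who made the change, enable object-access auditing on the share so the file write is recorded in the Security log alongside the account that performed it.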

This is a textbook case of tactics traditionally associated with data-theft attacks merging with a ransomware attack.

According to Bodungen, the initial attack vectors were spear phishing and watering hole attacks. Both of these attack types require user interaction. Users who undergo continual Security Awareness Training are taught to be leery of any suspicious email or web content. Given that these Ryuk attacks were successful, it stands to reason that protective security solutions alone didn’t do the trick. By including users as part of the security strategy, organizations have a better chance of avoiding a successful attack.

Free Ransomware Simulator Tool

Threat actors are constantly coming out with new strains to evade detection. Is your network effective in blocking all of them when employees fall for social engineering attacks?

KnowBe4’s "RanSim" gives you a quick look at the effectiveness of your existing network protection. RanSim will simulate 24 ransomware infection scenarios and 1 cryptomining infection scenario and show you if a workstation is vulnerable.

Here's how it works:

  • 100% harmless simulation of real ransomware and cryptomining infections
  • Does not use any of your own files
  • Tests 25 types of infection scenarios
  • Just download the installer and run it
  • Results in a few minutes!
