A new report from Security Researcher Vitali Kremez puts the spotlight on exactly how the group behind Ryuk ransomware is successful in infecting and obtaining payment from its victims.
Who wouldn’t like an 8-figure payday?
It’s the dream of most ransomware gangs. I thought it was mind-bending when I wrote about both Maze and Mount ransomware demanding single-digit million-dollar ransoms. But the report from Kremez pointing out the largest ransom paid was 2200 BTC (just under $34 Million USD) is unbelievable.
Kremez’s report breaks down Ryuk’s standard attack on Tech, Healthcare, Financial Services and Government into just 15 steps:
- Examine domain admin via "Invoke-DACheck" script
- Collect host passwords via Mimikatz "mimikatz's sekurlsa::logonpasswords"
- Revert token and create a token for the administrative comment from the Mimikatz command output
- Review the network of the host via "net view"
- Portscan for FTP, SSH, SMB, RDP, VNC protocols
- List accesses on the available hosts
- Upload active directory finder "AdFind" kit with the batch script "adf.bat" from the "net view" and portscanned hosts
- Display the antivirus name on the host via "WMIC" command
- Upload multi-purpose password recovery tool "LaZagne" to scan the host
- Remove the password recovery tool
- Run ADFind and save outputs
- Delete AdFind tool artifacts and download outputs
- Grant net share full access to all for Ryuk ransomware
- Upload remote execution software "PSExec" and prepared network hosts and uninstall the anti-virus product
- Upload execution batch scripts and the parsed network hosts and run Ryuk ransomware as via PsExec under different compromised users
While perhaps not completely in your wheelhouse, the steps above are simple enough that anyone with a bit of tech savvy could perform them manually and achieve the same outcome with easily-obtained Ransomware-as-a-Service variants, such as GandCrab.