Ryuk Ransomware Takes a Single Victim for $34 Million in Ransom

Ryuk Ransomware $34 Million in RansomA new report from Security Researcher Vitali Kremez puts the spotlight on exactly how the group behind Ryuk ransomware is successful in infecting and obtaining payment from its victims.

Who wouldn’t like an 8-figure payday?

It’s the dream of most ransomware gangs. I thought it was mind-bending when I wrote about both Maze and Mount ransomware demanding single-digit million-dollar ransoms. But the report from Kremez pointing out the largest ransom paid was 2200 BTC (just under $34 Million USD) is unbelievable.

Kremez’s report breaks down Ryuk’s standard attack on Tech, Healthcare, Financial Services and Government into just 15 steps:

  1. Examine domain admin via "Invoke-DACheck" script
  2. Collect host passwords via Mimikatz "mimikatz's sekurlsa::logonpasswords"
  3. Revert token and create a token for the administrative comment from the Mimikatz command output
  4. Review the network of the host via "net view"
  5. Portscan for FTP, SSH, SMB, RDP, VNC protocols
  6. List accesses on the available hosts
  7. Upload active directory finder "AdFind" kit with the batch script "adf.bat" from the "net view" and portscanned hosts
  8. Display the antivirus name on the host via "WMIC" command
  9. Upload multi-purpose password recovery tool "LaZagne" to scan the host
  10. Remove the password recovery tool
  11. Run ADFind and save outputs
  12. Delete AdFind tool artifacts and download outputs
  13. Grant net share full access to all for Ryuk ransomware
  14. Upload remote execution software "PSExec" and prepared network hosts and uninstall the anti-virus product
  15. Upload execution batch scripts and the parsed network hosts and run Ryuk ransomware as via PsExec under different compromised users

While perhaps not completely in your wheelhouse, the steps above are simple enough that anyone with a bit of tech savvy could perform them manually and achieve the same outcome with easily-obtained Ransomware-as-a-Service variants, such as GandCrab.

Free Ransomware Simulator Tool

Threat actors are constantly coming out with new strains to evade detection. Is your network effective in blocking all of them when employees fall for social engineering attacks?

KnowBe4’s "RanSim" gives you a quick look at the effectiveness of your existing network protection. RanSim will simulate 24 ransomware infection scenarios and 1 cryptomining infection scenario and show you if a workstation is vulnerable.

RansIm-Monitor3Here's how it works:

  • 100% harmless simulation of real ransomware and cryptomining infections
  • Does not use any of your own files
  • Tests 25 types of infection scenarios
  • Just download the install and run it 
  • Results in a few minutes!

Get RanSim!

PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser:


Topics: Ransomware

Subscribe to Our Blog

Comprehensive Anti-Phishing Guide

Get the latest about social engineering

Subscribe to CyberheistNews