New ransomware earns $4 million by adopting "big game hunting" strategy

A newly discovered ransomware group has raised nearly $4 million since August, largely by taking an unusual route for its sector: selectively installing its malicious encryption software only on already infected, well-resourced targets. The method differs from the usual approach of infecting every possible victim indiscriminately. That is the conclusion of two analyses published Thursday, one by the security company CrowdStrike and the other by its competitor FireEye.

Both reports indicate that Ryuk, as the ransomware is called, infects large companies days, weeks or even a year after they were first infected with other malware, in most cases an increasingly powerful trojan called TrickBot. Small businesses infected with TrickBot, by contrast, are not hit by Ryuk. CrowdStrike calls the approach "big game hunting" and says it has allowed Ryuk's operators to take in $3.7 million worth of Bitcoin across 52 transactions since August.

Besides singling out targets with the resources to pay heavy ransoms, the mode of operation has another key benefit: the "dwell time", that is, the period between the initial infection and the installation of the ransomware, gives the attackers time to carry out useful reconnaissance inside the infected network. That reconnaissance lets the attackers, whom CrowdStrike calls Grim Spider, maximize the damage they cause by launching the ransomware only after they have identified the most critical systems on the network and obtained the passwords needed to infect them.

Alexander Hanel, researcher at CrowdStrike, wrote:

Some TrickBot modules (such as pwgrab) could help recover the credentials needed to compromise environments – the SOCKS module in particular has been observed tunneling PowerShell Empire traffic for reconnaissance and lateral movement. Through CrowdStrike IR engagements, GRIM SPIDER has been observed performing the following events on the victim's network, with the end goal of pushing out the Ryuk binary:

  • An obfuscated PowerShell script is executed and connects to a remote IP address.
  • A reverse shell is downloaded and executed on the compromised host.
  • PowerShell anti-logging scripts are executed on the host.
  • Network reconnaissance is conducted using standard Windows command line tools along with downloaded external tools.
  • Lateral movement across the network is enabled using Remote Desktop Protocol (RDP).
  • Service user accounts are created.
  • PowerShell Empire is downloaded and installed as a service.
  • Lateral movement continues until privileges are obtained to gain access to a domain controller.
  • PSEXEC is used to push the Ryuk binary to individual hosts.
  • Batch scripts are executed to terminate processes and services and to remove backups, followed by the Ryuk binary.
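As an added example (not code from the article, CrowdStrike or FireEye), the following Python sketch shows how a defender might correlate several of the stages listed above across the process-creation telemetry of a single host; the regexes, host names, timestamps and command lines are constructed assumptions for illustration only.

```python
import re
from collections import defaultdict

# One regex per stage of the intrusion sequence described above. The flags,
# tool names and registry value chosen here are assumptions for this example;
# tune them to your own telemetry before relying on them.
STAGES = [
    ("hidden_powershell", r"powershell.*-w(indowstyle)?\s+hidden"),
    ("anti_logging", r"EnableScriptBlockLogging"),
    ("recon", r"\b(net\s+(view|group)|nltest|whoami)\b"),
    ("service_created", r"\bsc(\.exe)?\s+create\b"),
    ("psexec", r"\b(psexec|psexesvc)\b"),
    ("service_stop", r"\bnet\s+stop\b"),
]
PATTERNS = [(name, re.compile(rx, re.I)) for name, rx in STAGES]


def classify(cmdline):
    """Return the names of every stage whose pattern matches one command line."""
    return [name for name, rx in PATTERNS if rx.search(cmdline)]


def correlate(events, min_stages=3):
    """Group process-creation events per host (oldest first) and report the
    hosts on which at least `min_stages` distinct stages were seen, listing
    the stages in the order they first appeared on that host."""
    seen = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        for stage in classify(ev["cmd"]):
            if stage not in seen[ev["host"]]:
                seen[ev["host"]].append(stage)
    return {host: stages for host, stages in seen.items() if len(stages) >= min_stages}


# Constructed sample telemetry: fake hosts, timestamps and command lines.
SAMPLE_EVENTS = [
    {"ts": 1, "host": "FILESRV01", "cmd": r"powershell.exe -WindowStyle Hidden -File C:\Users\Public\run.ps1"},
    {"ts": 2, "host": "FILESRV01", "cmd": r"powershell.exe Set-ItemProperty HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging -Name EnableScriptBlockLogging -Value 0"},
    {"ts": 3, "host": "FILESRV01", "cmd": "net view /domain"},
    {"ts": 4, "host": "FILESRV01", "cmd": r"sc.exe create updater binPath= C:\Users\Public\svc.exe"},
    {"ts": 5, "host": "FILESRV01", "cmd": r"psexec.exe \\WKS-22 -c payload.exe"},
    {"ts": 6, "host": "FILESRV01", "cmd": "net stop BackupSvc /y"},
    {"ts": 7, "host": "WKS-22", "cmd": "net view"},  # a lone recon command is not enough on its own
]

if __name__ == "__main__":
    for host, stages in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: {' -> '.join(stages)}")
```

Raising `min_stages` trades missed detections for fewer false positives; the ordering of the reported stages is what lets an analyst compare a host's history against the sequence above.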

Remember SamSam?

Although unusual, reconnaissance is not unique to Ryuk. SamSam – an unrelated ransomware that caused millions of dollars of damage to networks owned by the city of Atlanta, the Baltimore 911 system and Boeing, to name a few – follows a similar path. The technique is undeniably effective. According to federal prosecutors, SamSam's operators have collected more than $6 million in ransoms and caused more than $30 million in damage.

Both the FireEye and CrowdStrike reports dispute earlier reports that Ryuk is the product of North Korean actors. That attribution was based largely on an incomplete reading of a CheckPoint Software report, which found code similarities between Ryuk and Hermes. CrowdStrike added that it has moderate confidence that the attackers behind Ryuk operate out of Russia. The company cited several pieces of evidence for this assessment, including a Russian IP address used to submit files associated with Ryuk to a scanning service, and malware that left Russian-language artifacts on an infected network.

Thursday's reports leave little doubt that this approach will become more and more commonplace.

"In 2018, FireEye saw an increasing number of cases where ransomware was deployed after the attackers had gained access to the victim organization through other methods, allowing them to traverse the network to identify critical systems and inflict maximum damage," FireEye researchers wrote. "The SamSam operations, which date back to late 2015, were probably the first to popularize this methodology, and [Ryuk] is an example of its growing popularity among threat actors. FireEye Intelligence expects these operations to continue gaining traction throughout 2019 due to the success these intrusion operators have had in extorting large sums of money from victim organizations."