On November 30th, the online education platform K12 announced that it had been hit by ransomware in mid-November. Sources tell BleepingComputer that Ryuk ransomware was behind the attack and that K12 has also paid the ransom. The actors behind Ryuk typically steal data from victims before encrypting files—based on the report, when K12 paid the ransom they were assured that the threat actors would not release the stolen data.
Trickbot, BazaLoader, and BuerLoader have commonly preceded Ryuk, creating backdoors or initiating the encryption chain. Once one of these loaders is detected, the window for remediation closes quickly, as ransomware attack timelines have shortened from months to days. In some cases, when domain controllers have unpatched critical vulnerabilities, attackers may need only a few hours to go from initial compromise via a malicious email attachment to a complete domain takeover. Since K12's ransomware announcement came in mid-November, the loader infection likely occurred anytime from August to early November. Binary Defense has covered other reports discussing these very problems. One of the best ways to detect these loaders is through continual monitoring. Trickbot is currently injecting itself into wermgr.exe and terminating the original Trickbot process. This behavior presents a detection opportunity: wermgr.exe should always have a parent process and should not be running independently. BuerLoader writes the location of the initiating executable into the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce registry key. Finally, a Red Canary report linked below, which covers the many ways BazaLoader can be detected, is a helpful resource for defenders creating custom detection alerts.
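The two detection opportunities above (wermgr.exe running without a live, expected parent, and a RunOnce value pointing at a user-writable path) can be expressed as a small triage pass over process-creation and registry-write telemetry. The following is an added example written for this page, not Binary Defense code or any vendor's rule; the event records are constructed, Sysmon-like simplifications, the field names are assumptions, and the list of expected wermgr.exe parents and the user-writable path markers are heuristics to be tuned against your own baseline.

```python
"""Triage pass over constructed process and registry events (added example).

Both checks are heuristics: tune EXPECTED_WERMGR_PARENTS and
USER_WRITABLE_MARKERS from a baseline of your own hosts before alerting on them.
"""
from __future__ import annotations

from dataclasses import dataclass

# Assumption: on a stock host wermgr.exe is spawned by svchost.exe (WER service)
# or by WerFault.exe; anything else, or a parent that has already exited, is odd.
EXPECTED_WERMGR_PARENTS = {"svchost.exe", "werfault.exe"}

# Locations a standard user can write to; a RunOnce value pointing here merits review.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str          # full path of the created process
    parent_image: str   # "" when the parent is unknown (already gone at collection time)


@dataclass
class RegEvent:
    key: str
    value_name: str
    data: str           # value written (the command line / path)
    image: str          # process that performed the write


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_orphaned_wermgr(events: list[ProcEvent]) -> list[dict]:
    """Flag wermgr.exe whose parent has exited or is not an expected host process."""
    live_pids = {e.pid for e in events}
    hits = []
    for e in events:
        if _basename(e.image) != "wermgr.exe":
            continue
        parent_name = _basename(e.parent_image) if e.parent_image else ""
        parent_alive = e.ppid in live_pids
        if not parent_alive or parent_name not in EXPECTED_WERMGR_PARENTS:
            hits.append({
                "pid": e.pid,
                "ppid": e.ppid,
                "parent": parent_name or "<none>",
                "reason": "parent exited" if not parent_alive else "unexpected parent",
            })
    return hits


def find_suspicious_runonce(events: list[RegEvent]) -> list[dict]:
    """Flag RunOnce writes whose data points into a user-writable directory."""
    hits = []
    for e in events:
        if not e.key.lower().endswith("\\currentversion\\runonce"):
            continue
        if any(m in e.data.lower() for m in USER_WRITABLE_MARKERS):
            hits.append({"value_name": e.value_name, "data": e.data, "writer": _basename(e.image)})
    return hits


# Constructed sample telemetry: one benign wermgr.exe, one whose parent is gone
# (the loader terminated itself after injecting), one launched by a user download.
SAMPLE_PROCS = [
    ProcEvent(4, 0, "System", ""),
    ProcEvent(500, 4, "C:\\Windows\\System32\\wininit.exe", "System"),
    ProcEvent(600, 500, "C:\\Windows\\System32\\services.exe", "C:\\Windows\\System32\\wininit.exe"),
    ProcEvent(812, 600, "C:\\Windows\\System32\\svchost.exe", "C:\\Windows\\System32\\services.exe"),
    ProcEvent(2204, 812, "C:\\Windows\\System32\\wermgr.exe", "C:\\Windows\\System32\\svchost.exe"),
    ProcEvent(2900, 2890, "C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\userinit.exe"),
    ProcEvent(3412, 3390, "C:\\Windows\\System32\\wermgr.exe",
              "C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.exe"),   # pid 3390 is not live
    ProcEvent(4100, 2900, "C:\\Users\\alice\\Downloads\\setup.exe", "C:\\Windows\\explorer.exe"),
    ProcEvent(3500, 4100, "C:\\Windows\\System32\\wermgr.exe", "C:\\Users\\alice\\Downloads\\setup.exe"),
]

SAMPLE_REGS = [
    RegEvent("HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce", "UpdateCheck",
             "C:\\Users\\alice\\AppData\\Roaming\\update.exe",
             "C:\\Users\\alice\\AppData\\Roaming\\update.exe"),
    RegEvent("HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce", "Installer cleanup",
             "C:\\Program Files\\Vendor\\cleanup.exe /quiet",
             "C:\\Program Files\\Vendor\\setup.exe"),
    RegEvent("HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", "SyncClient",
             "C:\\Users\\alice\\AppData\\Local\\SyncClient\\sync.exe",
             "C:\\Users\\alice\\AppData\\Local\\SyncClient\\sync.exe"),   # Run, not RunOnce: ignored
]


if __name__ == "__main__":
    for h in find_orphaned_wermgr(SAMPLE_PROCS):
        print("wermgr.exe anomaly:", h)
    for h in find_suspicious_runonce(SAMPLE_REGS):
        print("RunOnce anomaly:", h)
```

The parent-exited branch is the one that matters for the Trickbot behaviour described above: after injecting into wermgr.exe the loader terminates its own process, so the surviving wermgr.exe has a parent PID that no longer exists. The RunOnce check deliberately ignores the ordinary Run key so that it stays focused on the BuerLoader behaviour the text describes; a production rule would also record which process performed the write, since a RunOnce value set by something under a user profile is itself a strong signal.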