Advintel has released a report detailing the Tactics, Techniques, and Procedures (TTPs) behind the Ryuk ransomware, including some new observations made by their team throughout 2021 so far. Remote Desktop Protocol (RDP) brute forcing saw an increase with the group, as did phishing emails known as “BazaCall” that directed recipients to call a phone number in the email. These lures had victims speaking with someone over the phone that would direct them to download malicious payloads. Similar to many other groups, the group behind Ryuk is also using Cobalt Strike post-compromise to conduct reconnaissance.
One of the more recent tools being used by Ryuk is a PowerShell script known as “KeeThief” which can find an open KeePass database’s password in memory. With this password, a threat actor could steal the database file to look for administrative or other system credentials for further use. Advintel also notes a portable version of the popular Notepad++ text editor being used to run an included version of PowerShell to bypass script execution restrictions.
Two new privilege escalations have been added to the Ryuk gang’s arsenal as well. CVE-2018-8453 allows an attacker to run code at the kernel level, while CVE-2019-1069 exploits the Task Scheduler to run a task at the highest level of privilege on the system.
Advintel also lists several recommendations to prevent Ryuk’s operation:
- Detections for use of Mimikatz and PsExec execution within the network.
- Detections and alerts for the presence of AdFind, Bloodhound, and LaZagne within the network.
- Ensure all operating systems and software are up to date with the latest updates and security patches.
- Implement multi-factor authentication for RDP access.
- Implement network segmentation and controls to scrutinize SMB and NTLM traffic within the network.
- Routinely review account permissions to prevent privilege creep and maintain principle of least privilege.
- Routinely review Group Policy Objects and logon scripts.
- Update systems to prevent exploitation of CVE-2018-8453 and CVE-2019-1069.
In addition to the advice from the Advintel report, Binary Defense highly recommends reading and implementing steps from the CISA (Cybersecurity & Infrastructure Agency) and NCSC (National Cyber Security Centre) ransomware guides. These guides contain detailed information for small and large businesses alike, describing in detail how to backup and protect data, creating incident response plans, and more.