Trickbot, BazaLoader, or BuerLoader have commonly preceded Ryuk, creating backdoors or initiating the encryption chain. Once a loader is detected, the window for remediation closes quickly, as ransomware attack timelines have shortened from months to days. In some cases, when domain controllers have unpatched critical vulnerabilities, attackers may need only a few hours to go from the initial compromise via a malicious email attachment to a complete domain takeover. With the ransomware at K12 announced in mid-November, the loader infection likely occurred anytime from August to early November. Binary Defense has covered other reports discussing these very problems.

One of the best ways to detect these loaders is through continual monitoring. Trickbot is currently injecting itself into wermgr.exe and terminating the original Trickbot process. This behavior presents a detection opportunity: wermgr.exe should always have a parent process and should not be running independently. BuerLoader writes the location of the initiating executable into the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce registry key. Finally, the Red Canary report linked below, which covers the many ways BazaLoader can be detected, is a helpful resource for defenders creating custom detection alerts.
References:
https://www.bleepingcomputer.com/news/security/k12-online-schooling-giant-pays-ryuk-ransomware-to-stop-data-leak/
https://www.bleepingcomputer.com/news/security/trickbot-turns-100-latest-malware-released-with-new-features/
https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/