Information security specialist explains how hackers earned $34 million using the Trickbot malware

A Russian-speaking cybercriminal group that targets high-revenue companies and distributes Ryuk ransomware via the Trickbot malware received $34 million from a single victim for the key needed to recover its encrypted files.

The group is tracked as "one", after the identifier it uses within the Trickbot botnet, which delivers Ryuk onto the networks of the companies under attack. It is largely indiscriminate in its choice of victims.

According to Vitali Kremez, a specialist at Advanced Intelligence, recent victims of the "one" group include technology and energy companies, financial services firms, healthcare organizations and government agencies.

According to an October report by the information security company Check Point, in the third quarter of 2020 the group attacked an average of 20 victims per week.

"The average ransom received by Ryuk operators is 48 bitcoins (about $750,000), and since 2018 they have managed to 'earn' $150 million in total. Cybercriminals negotiate with their victims in a harsh manner and almost never show leniency," said Vitali Kremez.

The largest confirmed ransom that group "one" managed to obtain is 2,200 bitcoins (about $34 million). After analyzing this intrusion, the researcher determined that the attack consists of 15 steps to find reachable hosts on the network, steal administrator credentials, and deploy the Ryuk ransomware.

The attackers rely on publicly available software (mostly open source) from the red-team arsenal used by security testers: Mimikatz, PowerSploit (PowerShell), LaZagne, AdFind, BloodHound, and PsExec.

The attack consists of 15 steps:

  1. Reconnaissance of the domain using the "Invoke-DACheck" script;
  2. Harvesting credentials from the host with the Mimikatz command "sekurlsa::logonpasswords";
  3. Reverting the current token to its original state and creating a token for an administrative account from the data obtained with Mimikatz;
  4. Enumerating hosts on the network with "net view";
  5. Scanning for open ports belonging to the FTP, SSH, SMB, RDP and VNC services;
  6. Building a list of the access obtained on the reachable hosts;
  7. Downloading the Active Directory query tool "AdFind" together with the batch script "adf.bat", targeting the hosts found via "net view" and the port scan;
  8. Identifying the name of the antivirus product installed on the host with a "WMIC" query;
  9. Downloading the multi-purpose credential recovery tool LaZagne and running it against the host;
  10. Removing the credential recovery tool;
  11. Running AdFind and saving the collected data;
  12. Removing the AdFind artifacts and uploading the collected data;
  13. Granting full access on network shares to "Everyone" so that Ryuk can reach them;
  14. Downloading the PsExec remote execution tool to the prepared network hosts and removing antivirus solutions;
  15. Downloading batch scripts to the network hosts for execution and launching Ryuk via PsExec under various compromised user accounts.
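Every tool in the list above and most of the 15 steps leave a process-creation trail, which is the cheapest place to catch this chain before step 15. The script below is an added example written for this article, not code from the article, from Advanced Intelligence, or from the group; it runs a small set of step-specific patterns over Sysmon Event ID 1 style process records (host, user, image, command line) and summarises per host which steps were seen, escalating when credential theft (steps 2 or 9) is followed by PsExec fan-out (steps 14 and 15). The sample records, the field names, the regular expressions and the verdict thresholds are all assumptions made for the demonstration.

```python
"""Detection sketch for the 15-step Ryuk/Trickbot chain described above.

Added example, not code from the article or from AdvIntel. The process
records are constructed samples; real deployments would read Sysmon
Event ID 1 or Security 4688 events with command-line auditing enabled.
"""
import re
from collections import defaultdict

# Constructed sample process-creation records (NOT logs from the incident).
SAMPLE_EVENTS = [
    {"host": "WS-042", "user": "CORP\\jdoe", "image": "powershell.exe",
     "cmdline": "powershell -nop -w hidden -c Invoke-DACheck"},
    {"host": "WS-042", "user": "CORP\\jdoe", "image": "mimikatz.exe",
     "cmdline": "mimikatz.exe \"privilege::debug\" \"sekurlsa::logonpasswords\" exit"},
    {"host": "WS-042", "user": "CORP\\jdoe", "image": "net.exe",
     "cmdline": "net view /all"},
    {"host": "WS-042", "user": "CORP\\adm_svc", "image": "cmd.exe",
     "cmdline": "cmd /c adf.bat"},
    {"host": "WS-042", "user": "CORP\\adm_svc", "image": "WMIC.exe",
     "cmdline": "wmic /namespace:\\\\root\\SecurityCenter2 path AntiVirusProduct get displayName"},
    {"host": "WS-042", "user": "CORP\\adm_svc", "image": "net.exe",
     "cmdline": "net share data=D:\\data /grant:everyone,full"},
    {"host": "WS-042", "user": "CORP\\adm_svc", "image": "PsExec.exe",
     "cmdline": "PsExec.exe \\\\FS-01 -u CORP\\adm_svc -p *** -d -c ryuk.exe"},
    {"host": "WS-042", "user": "CORP\\adm_svc", "image": "PsExec.exe",
     "cmdline": "PsExec.exe \\\\DC-01 -u CORP\\backup_adm -p *** -d -c ryuk.exe"},
    # Benign helpdesk activity on another host: a single "net view" is not a chain.
    {"host": "SRV-07", "user": "CORP\\helpdesk", "image": "net.exe",
     "cmdline": "net view \\\\FS-01"},
]

# (step number from the article, label, pattern over the command line).
# Patterns are assumed typical invocations, not the incident's exact commands.
RULES = [
    (1,  "Invoke-DACheck domain recon",    re.compile(r"invoke-dacheck", re.I)),
    (2,  "Mimikatz credential dump",       re.compile(r"sekurlsa::logonpasswords", re.I)),
    (4,  "net view host enumeration",      re.compile(r"^net(1)?(\.exe)?\s+view\b", re.I)),
    (7,  "AdFind / adf.bat AD collection", re.compile(r"\badfind(\.exe)?\b|\badf\.bat\b", re.I)),
    (8,  "WMIC antivirus product query",   re.compile(r"antivirusproduct", re.I)),
    (9,  "LaZagne credential recovery",    re.compile(r"lazagne", re.I)),
    (13, "share granted to Everyone",      re.compile(r"^net(1)?(\.exe)?\s+share\b.*grant:everyone,full", re.I)),
    (14, "PsExec remote execution",        re.compile(r"^psexec(64)?(\.exe)?\s", re.I)),
]
PSEXEC_TARGET = re.compile(r"\\\\([\w.-]+)")      # \\HOST argument of PsExec
PSEXEC_USER = re.compile(r"\s-u\s+(\S+)", re.I)   # -u DOMAIN\user argument


def match_steps(cmdline):
    """Return the set of chain step numbers whose pattern matches one command line."""
    return {step for step, _label, pat in RULES if pat.search(cmdline)}


def analyze(events):
    """Group records by source host and summarise the chain steps each host showed.

    Step 15 is inferred rather than pattern-matched: PsExec launched under two or
    more distinct -u accounts from one host is the "various compromised users"
    fan-out from the article.
    """
    per_host = defaultdict(lambda: {"steps": set(), "targets": set(), "users": set()})
    for ev in events:
        rec = per_host[ev["host"]]
        steps = match_steps(ev["cmdline"])
        rec["steps"] |= steps
        if 14 in steps:
            rec["targets"].update(PSEXEC_TARGET.findall(ev["cmdline"]))
            rec["users"].update(PSEXEC_USER.findall(ev["cmdline"]))

    report = {}
    for host, rec in per_host.items():
        steps = set(rec["steps"])
        if len(rec["users"]) >= 2:
            steps.add(15)
        if steps & {2, 9} and steps & {14, 15}:
            verdict = "CRITICAL: credential theft followed by PsExec fan-out"
        elif len(steps) >= 3:
            verdict = "HIGH: multiple chain steps observed"
        elif steps:
            verdict = "LOW: single-step hit, review"
        else:
            verdict = "none"
        report[host] = {"steps": sorted(steps), "psexec_targets": sorted(rec["targets"]),
                        "psexec_users": sorted(rec["users"]), "verdict": verdict}
    return report


if __name__ == "__main__":
    for host, rec in analyze(SAMPLE_EVENTS).items():
        print(f"{host}: steps {rec['steps']} targets {rec['psexec_targets']} -> {rec['verdict']}")
```

Two caveats a practitioner would apply: the rules only work where command-line logging is switched on (Sysmon Event ID 1 or 4688 with "Include command line in process creation events"), and the image-name matches (mimikatz.exe, PsExec.exe) are weak because the binaries are routinely renamed; the argument strings ("sekurlsa::logonpasswords", "/grant:everyone,full", the "\\host -u user" PsExec shape) are the more durable signals, which is why the sample rules key on them.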

As a reminder, technology companies and government agencies recently took down the TrickBot malware infrastructure, although some information security experts say that Trickbot is quite resilient and may be resurrected.

William Reddy

I am from Ireland. My parents bought me a computer when I was 11, and several months later I got a virus on this PC. I decided to enter the INSA Centre Val de Loire university after graduating from school. This French educational institution was offering a brand-new cybersecurity course. After getting my master's degree in cybersecurity, I started working as a virus analyst at a small anti-malware vendor. In 2018, I decided to start the Virus Removal project. The main goal of this site is to help people deal with PC viruses of any kind.
