Fri, Mar 1, 2019
The article below was extracted from The Monitor newsletter, a monthly digest of Kroll’s global cyber risk case intake. The Monitor also includes an analysis of the month’s most popular threat types investigated by our cyber experts. Subscription is available below:
Kroll identified 15 ransomware cases via its cyber intake process during the month of February 2019. In particular, we noted the highly opportunistic Ryuk variant seizing on vulnerable networks, with attacks across industry sectors, including manufacturing, government, education, professional services and healthcare.
Kroll reviewed Ryuk ransom notes that directed victims to contact a Swiss-based ProtonMail email address. Then the attackers followed up with varying demands for payment in bitcoin. Based on our experience and other reports, most Ryuk ransomware attacks follow this pattern.
Where Ryuk mainly differs from other ransomware families is in its delivery mechanism. Most types of ransomware rely on phishing attacks or open Remote Desktop Protocol (RDP) connections. Ryuk most often leverages established command and control servers associated with the Trickbot and Emotet banking trojans. This allows the Ryuk attackers to access a large swath of victims and “cash in” on high-value Trickbot and Emotet victims; they then tailor ransom demands to each organization. (See the Technically Speaking section in this newsletter for a representative attack sequence.)
While Ryuk attackers profit from their ties with these trojans, the connection also provides a tripwire that can alert victims to a potential ransomware attack following a trojan infection. “Ransomware in 2019 is significantly different than ransomware in 2017, with attackers leveraging the access gained with Trickbot and Emotet, which usually includes domain administrator access. Attackers now spend far more time performing reconnaissance on an impacted network, which allows them to have a high level of confidence that an organization will have to pay the ransom. We have identified attackers deleting backups to make recovery increasingly difficult,” says Associate Managing Director Pierson Clair.
Pierson continues, “Most trojans are introduced via methods such as social engineering attacks, specifically infected email attachments. Emotet and Trickbot are families of polymorphic malware, which makes them very difficult for anti-virus to identify. However, we know these attack vectors can be addressed effectively with several other proven measures. These range from human-focused efforts, such as educating employees and making social engineering exercises part of broader technical penetration testing programs, to implementing layers of technological solutions, including threat intelligence and endpoint detection and response applications. So, organizations can virtually head off Ryuk at the pass by implementing best practices that prevent Trickbot/Emotet from getting a foothold in the first place.”
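The tripwire described above, as an added example that is not Kroll's code or any product's: a small correlation rule over constructed alert lines (hypothetical EDR and backup-system event names) that flags a Trickbot/Emotet detection as a possible Ryuk precursor and escalates when backup deletions follow it within a window.

```python
from datetime import datetime, timedelta

# Constructed sample alerts in a hypothetical "ts key=value ..." format;
# real deployments map their EDR and backup-product events onto these names.
SAMPLE_LOGS = """\
2019-02-04T09:12:00 host=fin-ws07 event=trojan_detected family=Emotet
2019-02-04T11:40:00 host=fin-ws07 event=trojan_detected family=Trickbot
2019-02-11T02:15:00 host=bkp-srv01 event=backup_deleted job=nightly-full
2019-02-11T02:16:00 host=dc01 event=backup_deleted job=system-state
2019-02-20T14:00:00 host=hr-ws03 event=trojan_detected family=Trickbot
2019-01-15T03:00:00 host=bkp-srv02 event=backup_deleted job=retention-policy
"""

TRIPWIRE_FAMILIES = {"Emotet", "Trickbot"}   # trojans Ryuk operators build on
WINDOW = timedelta(days=14)                   # assumed reconnaissance window


def parse_line(line):
    """Parse one constructed alert line into a dict with a datetime 'ts'."""
    ts, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    fields["ts"] = datetime.fromisoformat(ts)
    return fields


def find_ryuk_precursors(log_text, window=WINDOW):
    """Return findings in time order: 'high' for each tripwire trojan
    detection, 'critical' for backup deletions within `window` of one."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    trojan_hits = []   # (ts, host, family) of tripwire detections seen so far
    findings = []
    for e in events:
        if e["event"] == "trojan_detected" and e.get("family") in TRIPWIRE_FAMILIES:
            trojan_hits.append((e["ts"], e["host"], e["family"]))
            findings.append({"severity": "high", "host": e["host"],
                             "reason": f"{e['family']} foothold: possible Ryuk precursor"})
        elif e["event"] == "backup_deleted":
            # Backup loss is normal housekeeping unless a trojan foothold preceded it.
            recent = [h for h in trojan_hits if e["ts"] - h[0] <= window]
            if recent:
                hosts = ", ".join(sorted({h[1] for h in recent}))
                findings.append({"severity": "critical", "host": e["host"],
                                 "reason": f"backup deletion after trojan foothold on {hosts}"})
    return findings


if __name__ == "__main__":
    for f in find_ryuk_precursors(SAMPLE_LOGS):
        print(f["severity"].upper(), f["host"], "-", f["reason"])
```

The January deletion is not escalated because no tripwire detection precedes it within the window; the two February deletions are, since they follow the fin-ws07 infection.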
Following is a typical sequence of events that Kroll’s investigations have identified in the evolution of an Emotet/Trickbot/Ryuk attack.
According to an FBI Flash, the Ryuk ransomware variant is marked by these characteristics:
Watch Associate Managing Director Thomas Brittain go into further detail about the Ryuk ransomware timeline.
Following are some insights from Kroll experts on how to prevent or mitigate the harms from a ransomware attack, including the Ryuk variant.