
New ransomware rakes in $4 million by adopting a “big game hunting” strategy


steven36


Ryuk lies in wait for as long as a year, then pounces on only the biggest prey.

A recently discovered ransomware group has netted almost $4 million since August, in large part by following a path that’s uncommon in its industry—selectively installing the malicious encryption software on previously infected targets with deep pockets. The method differs from the usual one of indiscriminately infecting all possible victims. That’s the take of two analyses published Thursday, one by security firm CrowdStrike and the other by competitor FireEye.

Both reports say that Ryuk, as the ransomware is known, infects large enterprises days, weeks, or as much as a year after they were initially infected by separate malware, which in most cases is an increasingly powerful trojan known as Trickbot. Smaller organizations infected by Trickbot, by contrast, don’t suffer the follow-on attack by Ryuk. CrowdStrike called the approach “big-game hunting” and said it allowed its operators to generate $3.7 million worth of Bitcoin across 52 transactions since August.

Besides pinpointing targets with the resources to pay hefty ransoms, the modus operandi has another key benefit: the “dwell time”—that is, the period between the initial infection and the installation of the ransomware—gives the attackers time to perform valuable reconnaissance inside the infected network. That reconnaissance lets the attackers, whom CrowdStrike dubs Grim Spider, maximize the damage they cause by unleashing the ransomware only after they have identified the network's most critical systems and obtained the passwords needed to infect them.

CrowdStrike researcher Alexander Hanel wrote:

Some of TrickBot’s modules (such as pwgrab) could aid in recovering the credentials needed to compromise environments—the SOCKS module in particular has been observed tunneling PowerShell Empire traffic to perform reconnaissance and lateral movement. Through CrowdStrike IR engagements, GRIM SPIDER has been observed performing the following events on the victim’s network, with the end goal of pushing out the Ryuk binary:

  • An obfuscated PowerShell script is executed and connects to a remote IP address.
  • A reverse shell is downloaded and executed on the compromised host.
  • PowerShell anti-logging scripts are executed on the host.
  • Reconnaissance of the network is conducted using standard Windows command-line tools along with external uploaded tools.
  • Lateral movement throughout the network is enabled using Remote Desktop Protocol (RDP).
  • Service User Accounts are created.
  • PowerShell Empire is downloaded and installed as a service.
  • Lateral movement is continued until privileges are recovered to obtain access to a domain controller.
  • PSEXEC is used to push out the Ryuk binary to individual hosts.
  • Batch scripts are executed to terminate processes/services and remove backups, followed by the Ryuk binary.

Remember Samsam?

While uncommon, the reconnaissance isn’t unique to Ryuk. SamSam—an unrelated ransomware that’s caused millions of dollars of damage infecting networks belonging to the City of Atlanta, Baltimore’s 911 system, and Boeing, to name just a few—follows a similar path. There’s no doubt, however, the technique is effective. According to federal prosecutors, SamSam operators recovered more than $6 million in ransom payments and caused more than $30 million in damage.

Both FireEye and CrowdStrike downplayed reports that Ryuk is the product of North Korean actors. That attribution was largely based on an incomplete reading of this report from CheckPoint Software, which found code similarities between Ryuk and Hermes. CrowdStrike went on to say it has medium-high confidence that the attackers behind Ryuk operate out of Russia. The company cited a variety of evidence that led to that assessment, including a Russian IP address being used to upload files used by Ryuk to a scanning service and the malware leaving traces on an infected network that were written in the Russian language.

Thursday’s reports leave little doubt that this approach is likely to grow more common.

“Throughout 2018, FireEye observed an increasing number of cases where ransomware was deployed after the attackers gained access to the victim organization through other methods, allowing them to traverse the network to identify critical systems and inflict maximum damage,” the FireEye researchers wrote. “SamSam operations, which date back to late 2015, were arguably the first to popularize this methodology, and [Ryuk] is an example of its growing popularity with threat actors. FireEye Intelligence expects that these operations will continue to gain traction throughout 2019 due to the success these intrusion operators have had in extorting large sums from victim organizations.”

Source
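Most of the steps in the CrowdStrike sequence quoted above leave process-creation events behind, which is where a defender can catch the dwell-time phase before the Ryuk binary is pushed out. The Python below is an added illustration, not code from the article or from CrowdStrike or FireEye: it runs a handful of rules over constructed sample events, flags hosts that show more than one stage, and lists accounts seen on several hosts; the event format, the regex patterns and the sample command lines are assumptions.

```python
import re
from collections import defaultdict

# Constructed process-creation events, flattened to "host|user|parent|command line"
# (think Windows event 4688 or Sysmon event 1). Invented for this example, not real captures.
SAMPLE_EVENTS = [
    "WS-014|CORP\\jdoe|outlook.exe|powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA",
    "WS-014|CORP\\jdoe|cmd.exe|net user svc_backup Summer2018! /add",
    "FS-02|CORP\\svc_backup|cmd.exe|sc create Updater binPath= C:\\Users\\Public\\empire.exe start= auto",
    "DC-01|CORP\\svc_backup|services.exe|C:\\Windows\\PSEXESVC.exe",
    "FS-02|NT AUTHORITY\\SYSTEM|cmd.exe|vssadmin delete shadows /all /quiet",
    "WS-015|CORP\\asmith|explorer.exe|notepad.exe C:\\Users\\asmith\\notes.txt",
]

# One pattern per step of the quoted sequence that leaves a process-creation trace.
# The exact commands Ryuk's batch scripts use are not in the article; these are common forms.
RULES = {
    "obfuscated_powershell": re.compile(r"powershell(\.exe)?\b.*(-enc\w*\s|-w\w*\s+hidden)", re.I),
    "service_account_created": re.compile(r"\bnet1?(\.exe)?\s+user\s+\S+\s.*\s/add\b", re.I),
    "service_installed": re.compile(r"\bsc(\.exe)?\s+create\b", re.I),
    "psexec_service": re.compile(r"psexesvc\.exe", re.I),
    "backup_removal": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wbadmin(\.exe)?\s+delete\s+catalog", re.I),
}


def match_rules(events):
    """Return [(host, user, rule_name)] for every event that trips a rule."""
    hits = []
    for line in events:
        host, user, _parent, cmdline = line.split("|", 3)
        for name, rx in RULES.items():
            if rx.search(cmdline):
                hits.append((host, user, name))
    return hits


def triage(events, min_rules=2):
    """Group hits per host; escalate hosts showing several stages, and list accounts
    seen on more than one host (a new account reused across machines is the
    lateral-movement signal from the sequence above)."""
    per_host, hosts_per_user = defaultdict(set), defaultdict(set)
    for host, user, name in match_rules(events):
        per_host[host].add(name)
        hosts_per_user[user].add(host)
    return {
        "hosts": {h: sorted(n) for h, n in per_host.items()},
        "escalate": sorted(h for h, n in per_host.items() if len(n) >= min_rules),
        "spreading_accounts": sorted(u for u, hs in hosts_per_user.items() if len(hs) > 1),
    }
```

On the sample, the workstation with the encoded PowerShell and the new account and the file server with the service install and shadow-copy deletion are escalated, and the new service account shows up on two hosts.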

Wishful thinking. I'd like them to infect Microsoft's network and servers. Should be able to get $4 Billion or more then. Now that is going after deep pockets.



"I'd like them to infect Microsoft's network and servers."

...and delete all traces of Windows 10 source code. I'd like that very much too!



“Do unto others as you would have them do unto you.”

Or

“Whatever is hurtful to you, do not do to any other person.”

The ransomware is really bad as per experience.



5 hours ago, vitorio said:

“Do unto others as you would have them do unto you.”

Or

“Whatever is hurtful to you, do not do to any other person.”

The ransomware is really bad as per experience.

Sad to say, your comment is the only one that makes any sense. If they infected Microsoft servers then it would infect billions of people. I'm not a fan of Microsoft, but I don't want to see anything bad happen to them, just like I don't want to see anything bad happen to Google or Apple. I just wish they would respect people's privacy more and test their updates better.


Before, with Windows Vista, a virus has prevented access to Windows Update and a large array of anti-virus update servers.

https://social.technet.microsoft.com/Forums/ie/en-US/0fda58bc-fdca-4408-968d-34b0cfa15476/virus-has-prevented-access-to-windows-update-and-large-array-of-antivirus-update-servers?forum=itprovistasecurity

I keep updaters for Windows and other 3rd-party software updaters blocked in Windows, because you could be infected through any software.

Microsoft's Windows warning: Hackers hijacked software updater with in-memory malware

https://www.zdnet.com/article/microsofts-windows-warning-hackers-hijacked-software-updater-with-in-memory-malware/

Reality is none of these people got infected because they used Windows. Most get infected with ransomware because they clicked on an infected link in a spam email.

@straycat19 is always talking off-the-wall stuff that is off topic and has nothing to do with the topic; in this case he is spreading his hate for Windows. He claims he's a system admin, and if there is any truth to what he says, if there was no Microsoft he would not have had a job in computers for longer than I've been alive. He needs to stop biting the hand that he claims feeds him. :lmao:



1 hour ago, steven36 said:

Most get infected with ransomware because they clicked on an infected link in a spam email.

In my case, trying to download a torrent file from an untrusted site. My fault.


