Recent attacks from Ryuk ransomware operators show that the actors have a new preference when it comes to gaining initial access to the victim network.
The trend observed in attacks this year reveals a predilection towards targeting hosts with remote desktop connections exposed on the public internet.
Furthermore, using targeted phishing emails to deliver the malware continues to be a favored initial infection vector for the threat actor.
New trend for initial infection
Security researchers from the threat intelligence boutique Advanced Intelligence (AdvIntel) observed that Ryuk ransomware attacks this year relied more often on compromising exposed RDP connections to gain an initial foothold on a target network.
The actors have been running “large-scale brute force and password spraying attacks against exposed RDP hosts” to compromise user credentials.
Another vector for initial compromise was spear phishing and the use of the BazaCall campaign to distribute malware through malicious call centers that targeted corporate users and directed them to weaponized Excel documents.
AdvIntel researchers say that the Ryuk attackers ran reconnaissance on the victim in two stages. Once, to determine the valuable resources on the compromised domain (network shares, users, Active Directory Organization Units).
The second time, the objective is to find information on the company’s revenue to set a ransom amount that the victim can afford to pay to recover systems.
To enumerate the active directory information, Ryuk ransomware operators rely on the tried and tested AdFind (AD query tool) and the post-exploitation tool Bloodhound that explores relationships in an Active Directory (AD) domain to find attack paths.
Getting financial details about the victim relies on open-source data. AdvIntel says that the actors search on services like ZoomInfo for information about the company’s recent mergers and acquisitions and other details that can increase the profitability of the attack.
Additional reconnaissance is carried out using the Cobalt Strike post-exploitation tool that’s become a standard in most ransomware operations and scans that reveal the security products like antivirus…