H‐ISAC TIC Threat Bulletin
Note: This is a TLP WHITE intelligence update from the H-ISAC Threat Intelligence Committee (TIC), comprised of high end analysts from member organizations who meet together during times of crisis and share standard operating procedures (SOP) on how to respond. More detailed TLP AMBER information is available for members on the secure Member Portal.
Date: June 21, 2019
TLP – WHITE
Event: Ryuk Ransomware Infection Chain
Summary:
Multiple cases of Ryuk ransomware infections have been reported in the media recently.
Security researchers have discovered an infection chain that uses the Emotet trojan and the TrickBot
trojan to deliver the Ryuk ransomware. The Trickbot trojan is used to exfiltrate various sensitive
information from the target network and then is used to install the Ryuk ransomware.
According to FireEye, the threat actors have been observed using EMPIRE and RDP connections to enable
lateral movement within victim environments. Interactive deployment of ransomware, such as this,
allows an attacker to perform valuable reconnaissance within the victim network and identify critical
systems to maximize their disruption to business operations, ultimately increasing the likelihood an
organization will pay the demanded ransom. The Ryuk ransomware is specifically used to target
enterprise environments, which generally results in a higher payout for the attackers.
Attackers have also been observed using previously stolen credentials to log into a victim’s domain
controller and perform host and network reconnaissance using built‐in Windows commands. Batch
scripts were then used to spread the Ryuk infection through the victim network. Ryuk remains under
active development, with new features being reported as recently as this week. The developers of Ryuk
have recently added IP address and computer name backlisting to the malware’s feature set.
Researchers indicate that this appears to have been implemented to help avoid infecting machines
located in Russia.
Potential Actions:
Scan your environment for any activity associated with IOCs related to Emotet and/or Trickbot,
as part of an active infection chain. Research indicates that machines infected with Trickbot
lead to Ryuk infection.
Maintain vigilance on operational security posture.
Ensure available patches are being applied in a timely manner across your infrastructure.
Enable multi‐factor authentication, where possible.
References:
1. hxxps://www.cybereason[.]com/blog/triple‐threat‐emotet‐deploys‐trickbot‐to‐steal‐data‐
spread‐ryuk‐ransomware
2. hxxps://www.ncsc[.]gov[.]uk/news/ryuk‐advisory
3. hxxps://www.crowdstrike[.]com/blog/big‐game‐hunting‐with‐ryuk‐another‐lucrative‐targeted‐
ransomware/
4. hxxps://www.bleepingcomputer[.]com/news/security/ryuk‐ransomware‐adds‐ip‐and‐computer‐
name‐blacklisting/
5. hxxps://securityintelligence[.]com/news/more‐than‐100‐us‐businesses‐affected‐by‐ryuk‐
ransomware‐since‐august‐2018‐finds‐fbi/
6. hxxps://content.govdelivery[.]com/attachments/USDHSFACIR/2019/05/08/file_attachments/12
07473/FLASH‐MC‐000103‐MW‐Ryuk.pdf
7. hxxps://www.fireeye[.]com/blog/threat‐research/2019/01/a‐nasty‐trick‐from‐credential‐theft‐
malware‐to‐business‐disruption.html: