Executive Summary:

This writeup reflects Pondurance’s intelligence surrounding the October 28, 2020, joint cybersecurity advisory that was coauthored by the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the Department of Health and Human Services (HHS). The advisory stems from Ryuk ransomware, which Pondurance has encountered through multiple digital forensics and incident response (DFIR) cases throughout 2020 and dating back to February 2019.

The current campaign by Ryuk actors includes a motivated focus against the healthcare sector. This campaign is already underway and is continuously evolving. Ryuk actors frequently enter through email distributions, which have included the malware families known as BazarLoader or Kegtap, Buer, and TrickBot. These distributions have been sent as attachments and links to victim users. This threat actor performs reconnaissance, lateral movements, privilege escalation or theft, backup deletion, and ransomware execution. In some scenarios, this threat actor may exfiltrate data. The phases of this attack life cycle are carried out through a diverse toolset that is described below in greater detail. 

Technical Summary:

Email distribution for this threat actor appears to rely on various spoofing and masquerading techniques. Similar threat actors have also compromised legitimate email accounts and sent their malicious attachment or a link as a reply to an existing email thread. These emails have been customized for targeted users, including names and/or employer names. The most frequent, active distribution for Ryuk ransomware is related to the BazarLoader malware family. Intelligence also points to active usage of the Buer loader. Historical intelligence about this threat actor includes Emotet and TrickBot for initial footholds as well as lateral movements. The email distribution for these threats typically relies on links within the email body.

The initial foothold backdoor performs reconnaissance and exfiltration of data about the victim operating system, user, and organization to the threat actor. Secondary payloads are installed on the victim machine including Cobalt Strike Beacon. This threat actor continues to push Cobalt Strike SMB Beacon and TCP Beacon to additional hosts within the network. These lateral movements include both persistent and nonpersistent versions of Cobalt Strike. These Cobalt Strike persistence mechanisms vary between services, scheduled tasks, and Windows Management Instrumentation event subscriptions. The Cobalt Strike PowerShell commands or codes often utilize the default XOR35 as observed in a variety of previous ransomware infections stemming from TrickBot, including 777 ransomware. This actor frequently updates command and control infrastructure to utilize new domains and IP addresses on nearly a daily basis for new targets.

The threat actor leverages reconnaissance tools including Bloodhound and AdFind, which reveal critical information about available routes to obtain privileged credentials within an enterprise network. The combination of Bloodhound, AdFind, Cobalt Strike, and Mimikatz typically leads to the threat actor obtaining domain administrator or enterprise administrator privileges. Additionally, the threat actor uses these credentials for lateral remote desktop protocol movements inside the target environment.

Additional observations by our team have included access to files and passwords related to backups and infrastructure in target environments. This threat actor typically deletes all available backups within the environment prior to the deployment of widespread ransomware encryption. Encryption typically occurs through the usage of PsExec, which is a Microsoft Sysinternals tool that performs remote process execution on target machines. The executed payload may be replicated onto target systems or staged on a file share.

Pondurance will remain diligent in monitoring and hunting for suspicious Tactics, Techniques, and Procedures (TTPs) and associated indicators across our client base.