STEALTHbits Blog: How Ransomware Criminals are Using New Extortion Schemes (Trickbot and Ryuk) to Poach Big Game

Ransomware

Article Originally Posted HERE

Cyber-crime continues to evolve – especially over recent years in terms of ransomware. Ransomware used to be largely a spray-and-pray proposition where attackers used automated tools to spread and encrypt as fast as possible, with immediate ransom demands. Those did enough damage.

However, cybersecurity researchers are reporting a new, more patient and human-driven extortion scheme where criminals infect many networks but only select larger organizations with deeper pockets. In these larger target networks, they may dwell for as long as a year while they stealthily reconnoiter and spread.
Once they identify and compromise the organization’s most critical systems, they pull the trigger, encrypt and demand ransom. The activity appears to be from Russian organized cybercrime and the attacks as a set are identified as TEMP.Mixmaster by some researchers, and is associated with a cyber-crime group identified as GRIM SPIDER by other researchers.

In these attacks, the initial compromise is via TrickBot, usually via the time-honored attached-document-bearing-macros routine. Then using a wide variety of techniques, attackers patiently spread through the network gaining credentials and access as they go – and more importantly – identifying important resources along the way.

Tools and techniques used include:
• Obfuscated PowerShell
• PowerShell Empire
• Common commands and utilities like sc, adfind, psexec
• Scheduled Tasks
• Remote Desktop

Ultimately, attackers end up using Ryuk to encrypt and demand ransom. Ryuk is very different than your average spray-and-pray automated ransomware. Ryuk is custom designed for manual control of smaller volume operations, involving the most crucial assets of the organization identified by attackers over the course of months and up to a year in some cases.

If you would like to learn more, check STEALTHbits on-demand webinar where they take apart TEMP.Mixmaster attacks, including the 2 main pieces of malware TrickBot and Ryuk.

In addition, we share many techniques for detection of this kind of attack – there are plenty of events in the Security Log, Sysmon and PowerShell logs if you know what to look for. And we’ll review what you can do to prevent and slow down attackers. Using PowerShell Security features like Constrained Language Mode and much more.

PREV

FlexPod Blog - Champion Solutions Group Drives Innovation One Question at a Time

NEXT

SKOUT Education Series: Basic Rules For Connected Kids | A Cyber 101 Resource

WRITTEN BY:

Erick Bacallao joined Champion Solutions Group in 2015 after a career of Software Development in Cuba at the National Cancer Care Institute of Cuba, followed by moving to the States with allAware.

 

Champion acquired allAware and its properties and Erick has utilized his extensive background and expertise in IT and Software Development to rise to VP of Product Development in less than 5 years. During this time, Erick has been involved with key projects that led to the launch of numerous products including CSP Boss, Inscape platform and 365 Productivity Insights.

 

Erick has a Bachelor of Science in Computer Science from the University of Havana. He won Gold Medals for Programming from the Ministry of Education in Cuba, and he is certainly still a Gold Medalist for Champion!

 

As President and CEO, Chris is responsible for the development of key strategic alliances and solution portfolio. He leads Champion’s go-to market and execution strategies for integrated offerings in the cloud, in security, and in digital infrastructure, always focusing on improving the customer experience and driving transformative business outcomes.

 

He also aligns key partner initiatives with company strategy and oversees corporate marketing and messaging to gain mindshare with customers and partners. It’s his vision and innovativeness that have catapulted Champion up the ranks to become a $100M+ organization—and one of the most respected solution providers in the industry.

 

Over the past two decades, Chris has also focused on mergers and acquisitions, as well as innovative product development. He is the original founder and an active member on the Board of Managed Maintenance, Inc., a SAAS provider and consulting firm that utilizes their award-winning One-View Portal to help the IT Channel and its customers manage their IT Maintenance.

 

Chris is also the original founder and chief strategist behind one of the original storage cloud providers, Storage Access / BluePoint. During the course of a few short years, he had raised $20M and took that company public on the Toronto Stock Exchange. It has since been acquired by Pomeroy.

 

In 2012, Chris led the acquisition of MessageOps and continued the product development and worldwide launch of its premier SAAS, 365 Command. Built on Microsoft Azure, 365 Command is currently managing over 1 million seats of Microsoft’s Office 365. After achieving this phenomenal milestone, 365 Command and other MessageOps O365 utilities were sold to Kaseya.

 

Over the past 35 years, Chris as worked tirelessly to not only advance his own career, but those of his employees. In addition to leading a $100M organization, Chris can also be found sitting with sales teams, cold calling and coaching, and validating why Champion has been listed on Best Places to Work by both South Florida Business Journal and Computerworld.

Ultimately, the success garnered by Champion Solutions Group, its associated companies, and their employees is due in large part to the leadership of its President and CEO. Perhaps the most fitting award Chris has earned is South Florida Business Journal’s 2013 Ultimate CEO Award.