Ryuk Encrypts Entire Network in a Matter of Hours
The Ryuk operators can encrypt an entire network in a matter of hours: as little as two hours from the phishing email being sent to full encryption of systems. The speed is partly the result of the group exploiting the Zerologon privilege-escalation bug (CVE-2020-1472) after the initial phish. Zerologon allows an unauthenticated attacker with network access to a domain controller to completely compromise all Active Directory identity services, according to Microsoft. It was patched in August, but many organizations remain unpatched. Note that the August update blocks the standard exploit against Windows and domain controller machine accounts, but only logs (Netlogon event 5829) rather than refuses insecure connections from other devices until enforcement mode is enabled with the FullSecureChannelProtection registry value or switched on automatically in the February 2021 enforcement phase.
The attack starts with a phishing email delivering a version of the Bazar loader. From there, the intruders perform a basic mapping of the domain using built-in Windows utilities. They then exploit Zerologon against the primary domain controller: the bug lets them reset that domain controller's machine account password without any credentials, which gives them elevated, domain-admin-level access. They continue to the secondary domain controller, carrying out more domain discovery via Net and the PowerShell Active Directory module, and appear to use the default named-pipe privilege-escalation module (the technique behind Cobalt Strike's getsystem) on that server. They then use RDP to connect from the secondary domain controller back to the first, using the built-in administrator account. Lateral movement to the rest of the estate is carried out over Server Message Block (SMB) and Windows Management Instrumentation (WMI). SMB is the Windows file-sharing protocol, present in every supported Windows version, not only Windows 10; besides reading and writing files on remote hosts, its administrative shares are what PsExec-style tools use to push and start a service binary on a target. WMI is Windows' management interface for data and operations on Windows hosts, and because it can create processes on remote machines it serves equally well for lateral movement.
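The chain above leaves a small set of well-known footprints in Windows event logs, and the patched domain controllers described earlier log the vulnerable connections they still allow. The following hunting script is an added example, not code from this article or from the researchers it summarizes. It assumes (hypothetically) that events arrive as dictionaries keyed by the field names used below, as a SIEM export or `Get-WinEvent | ConvertTo-Json` would produce, that the domain controllers' computer accounts are DC01$ and DC02$, and that SAMPLE_EVENTS is constructed rather than captured.

```python
"""Hunting rules for the Zerologon-to-Ryuk chain over Windows event records.

Added example; not from the article or the research it summarizes. Assumed
(hypothetical): events are dicts with the field names used here, the DC
computer accounts are DC01$ and DC02$, and SAMPLE_EVENTS is constructed.
"""
from typing import Callable, Dict, Iterable, List, Optional, Set

Event = Dict[str, object]
Finding = Dict[str, str]

ANONYMOUS_LOGON_SID = "S-1-5-7"
# Netlogon event IDs introduced by the August 2020 patch (System log).
NETLOGON_DENIED = {5827, 5828}         # vulnerable secure-channel connection refused
NETLOGON_ALLOWED = {5829, 5830, 5831}  # vulnerable connection still allowed: client unpatched
REMOTE_SHELLS = ("\\cmd.exe", "\\powershell.exe", "\\rundll32.exe")
DC_ACCOUNTS: Set[str] = {"DC01$", "DC02$"}  # assumed DC computer accounts


def zerologon_dc_password_reset(ev: Event, dc_accounts: Set[str]) -> Optional[Finding]:
    """Security 4742: a DC's own computer account changed by ANONYMOUS LOGON.

    The exploit's NetrServerPasswordSet2 call rides an RPC binding with no
    Kerberos/NTLM authentication, so the change is logged with an anonymous
    subject and "Password Last Set" updated. Routine rotation is done by the
    machine account itself, so it never matches here.
    """
    if ev.get("EventID") != 4742 or ev.get("SubjectUserSid") != ANONYMOUS_LOGON_SID:
        return None
    if ev.get("TargetUserName") not in dc_accounts or ev.get("PasswordLastSet", "-") == "-":
        return None
    return {"rule": "zerologon_dc_password_reset", "host": str(ev["Computer"]),
            "detail": f"{ev['TargetUserName']} password set by ANONYMOUS LOGON"}


def netlogon_vulnerable_channel(ev: Event, _: Set[str]) -> Optional[Finding]:
    """System 5827-5831 on a patched DC: a Netlogon connection without secure
    RPC. 5829-5831 mean it was allowed and must be fixed before enforcement
    mode; 5827/5828 mean it was refused (an exploit attempt or an old client)."""
    eid = ev.get("EventID")
    if eid in NETLOGON_ALLOWED:
        rule = "vulnerable_netlogon_allowed"
    elif eid in NETLOGON_DENIED:
        rule = "vulnerable_netlogon_denied"
    else:
        return None
    return {"rule": rule, "host": str(ev["Computer"]),
            "detail": f"event {eid}: {ev.get('Message', '')}"}


def remote_service_install(ev: Event, _: Set[str]) -> Optional[Finding]:
    """System 7045: a service whose binary sits on an admin share, the footprint
    of PsExec-style lateral movement over SMB (Cobalt Strike's psexec included)."""
    if ev.get("EventID") != 7045:
        return None
    name = str(ev.get("ServiceName", "")).upper()
    path = str(ev.get("ImagePath", "")).upper()
    if name == "PSEXESVC" or "\\ADMIN$\\" in path:
        return {"rule": "smb_remote_service_install", "host": str(ev["Computer"]),
                "detail": f"service {name} from {ev.get('ImagePath')}"}
    return None


def wmi_remote_exec(ev: Event, _: Set[str]) -> Optional[Finding]:
    """Security 4688: a shell whose parent is WmiPrvSE.exe, which is where a
    remote Win32_Process.Create over WMI lands on the target host."""
    if ev.get("EventID") != 4688:
        return None
    parent = str(ev.get("ParentProcessName", "")).lower()
    child = str(ev.get("NewProcessName", "")).lower()
    if parent.endswith("\\wmiprvse.exe") and child.endswith(REMOTE_SHELLS):
        return {"rule": "wmi_remote_exec", "host": str(ev["Computer"]),
                "detail": f"WmiPrvSE.exe spawned {ev.get('NewProcessName')}"}
    return None


RULES: Iterable[Callable[[Event, Set[str]], Optional[Finding]]] = (
    zerologon_dc_password_reset, netlogon_vulnerable_channel,
    remote_service_install, wmi_remote_exec)


def hunt(events: Iterable[Event], dc_accounts: Set[str] = DC_ACCOUNTS) -> List[Finding]:
    """Run every rule over every event; findings come back in event order."""
    findings: List[Finding] = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev, dc_accounts)
            if hit is not None:
                findings.append(hit)
    return findings


# Constructed sample events (not real log data).
SAMPLE_EVENTS: List[Event] = [
    # Zerologon: DC01's own account reset from an unauthenticated RPC call.
    {"EventID": 4742, "Computer": "DC01.corp.example", "SubjectUserName": "ANONYMOUS LOGON",
     "SubjectUserSid": "S-1-5-7", "TargetUserName": "DC01$", "PasswordLastSet": "10/20/2020 14:02:11"},
    # Benign: a workstation rotating its own machine password.
    {"EventID": 4742, "Computer": "DC01.corp.example", "SubjectUserName": "WKS07$",
     "SubjectUserSid": "S-1-5-21-1004336348-1177238915-682003330-1121",
     "TargetUserName": "WKS07$", "PasswordLastSet": "10/20/2020 09:15:40"},
    # Patched DC02 still accepting an insecure channel from an unpatched host.
    {"EventID": 5829, "Computer": "DC02.corp.example",
     "Message": "The Netlogon service allowed a vulnerable Netlogon secure channel connection. Machine SamAccountName: WKS03$"},
    # PsExec-style SMB move: random service name, binary pushed to ADMIN$.
    {"EventID": 7045, "Computer": "FS01.corp.example", "ServiceName": "f3a9c2d",
     "ImagePath": "\\\\127.0.0.1\\ADMIN$\\f3a9c2d.exe"},
    # WMI move: WmiPrvSE.exe spawning cmd.exe on the target.
    {"EventID": 4688, "Computer": "WKS05.corp.example",
     "ParentProcessName": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "NewProcessName": "C:\\Windows\\System32\\cmd.exe"},
    # Benign: a user opening a shell from Explorer.
    {"EventID": 4688, "Computer": "WKS05.corp.example",
     "ParentProcessName": "C:\\Windows\\explorer.exe",
     "NewProcessName": "C:\\Windows\\System32\\cmd.exe"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f['rule']:30} {f['host']:20} {f['detail']}")
```

On the constructed sample the script raises four findings and stays silent on the two benign records: the workstation's routine password rotation has the machine account itself as the subject, not ANONYMOUS LOGON, and the user's shell has Explorer as its parent rather than WmiPrvSE.exe. The 4742 rule is the one that catches Zerologon itself; the 5829 rule is what to run against patched domain controllers to find the unpatched clients that must be fixed before enforcement mode is turned on.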
Cobalt Strike is a dual-use tool used for both exploitation and post-exploitation tasks; other offensive frameworks in circulation include PowerShell Empire, PowerSploit and Metasploit, according to recent findings from Cisco. From memory analysis, researchers were also able to conclude that the attackers were using a trial version of Cobalt Strike: the trial build embeds the EICAR test string in the beacon's network configuration, a tell defenders can look for in memory and on the wire. Both portable-executable and DLL beacons were used.
For the final phase, the hackers deployed their ransomware executable onto backup servers. After that, the malware was dropped on other servers in the environment, and then workstations. Ryuk is responsible for a string of recent attacks, including Pennsylvania-based UHS and Alabama hospital chain DCH Health System.
The attack shows that organizations need to respond faster than ever to any detected malicious activity, and above all to patch their domain controllers. The U.S. government warned that advanced persistent threat actors are now exploiting the bug against elections support systems, Microsoft warned that an Iranian nation-state actor was actively exploiting the flaw, and Cisco Talos researchers reported a spike in exploitation attempts against Zerologon. DHS's Cybersecurity and Infrastructure Security Agency issued a rare emergency directive (ED 20-04) ordering federal agencies to patch their Windows Servers against the flaw immediately.