13 October 2020

Ryuk ransomware attack takes 29 hours to fully compromise a network


Operators of the Ryuk ransomware need only 29 hours to compromise a network and encrypt systems within it, according to a new report from The DFIR Report.

The researchers observed an attack involving the Ryuk ransomware on one of their honeypots. The intrusion started with a malicious email containing a link leading to the Bazar/Kegtap loader, which injects into multiple processes (explorer.exe, svchost.exe, cmd.exe) and performs reconnaissance on the compromised system using built-in Windows utilities, such as nltest and net group, as well as the third-party tool AdFind.

The malware remained relatively quiet for nearly one day, after which a second phase of exploration was launched, using the same tools with the addition of the Rubeus utility. The collected data was then sent via FTP to a server hosted in Russia.

In order to compromise additional systems, the threat actor used a variety of techniques, including remote WMI, remote service execution with PowerShell, and a Cobalt Strike beacon dropped over SMB. The attackers then used a Cobalt Strike beacon running on a domain controller as their main operations point.

Next, the attackers established additional beacons across the environment and used PowerShell to disable Windows Defender. The Ryuk ransomware was executed one minute after being transferred over SMB from the compromised domain controller (DC) the attackers were pivoting through.

“At this point Ryuk was transferred to the rest of the hosts in the environment via SMB and executed through an RDP connection from the pivot domain controller. In total, the campaign lasted 29 hours–from initial execution of the Bazar, to domain wide ransomware. If a defender missed the first day of recon, they would have had a little over 3 hours to respond before being ransomed. The threat actors requested 600+ bitcoins, which have a market value of around 6+ million USD,” according to the report.
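The stages above (built-in recon, Rubeus, remote WMI and service execution, Defender disabled via PowerShell, the payload copied over SMB) are the kind of chain a defender would want to see stitched together across hosts and time, since the report's point is that the window shrinks from a day to about three hours depending on which signal is caught. The following is an added example of that triage logic, not code from The DFIR Report or this article: it runs a handful of stage-tagged rules over constructed process-creation records, builds an environment-wide first-seen timeline, computes how many hours each stage left before the first impact event, and flags hosts where several stages chain together. Tool names come from the article; the exact command-line switches, the log format, and the host and user names are assumptions.

```python
"""Stage-based triage of process-creation events for the intrusion pattern described
above (recon -> Rubeus -> WMI/service lateral movement -> Defender off -> payload over
SMB). Added example, not code from The DFIR Report; the log lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime

# (stage, label, pattern). Tool names follow the article; the specific switches
# (nltest /domain_trusts, sc \\host create, ...) are assumptions about typical usage.
RULES = [
    ("discovery", "nltest domain enumeration",
     re.compile(r"nltest(\.exe)?\s+/(dclist|domain_trusts)", re.I)),
    ("discovery", "net group domain query",
     re.compile(r"\bnet1?(\.exe)?\s+group\s+.*\s/domain\b", re.I)),
    ("discovery", "AdFind LDAP enumeration", re.compile(r"adfind(\.exe)?\s", re.I)),
    ("credential_access", "Rubeus Kerberos tooling", re.compile(r"rubeus(\.exe)?\s", re.I)),
    ("lateral_movement", "remote WMI process create", re.compile(r"wmic(\.exe)?\s+/node:", re.I)),
    ("lateral_movement", "remote service creation",
     re.compile(r"\bsc(\.exe)?\s+\\\\\S+\s+create\b", re.I)),
    ("defense_evasion", "Defender disabled via PowerShell",
     re.compile(r"Set-MpPreference\s+-Disable\w+", re.I)),
    ("impact", "executable copied to a remote admin share",
     re.compile(r"\bcopy\b.*\\\\\S+\\(c\$|admin\$)\\.*\.exe", re.I)),
]

# Constructed records in the form "timestamp | host | user | command line".
# They compress the article's two-day timeline; hosts and users are invented.
SAMPLE_LOG = r'''
2020-09-01T09:00:00 | WS01 | CORP\bob | C:\Windows\System32\nltest.exe /domain_trusts /all_trusts
2020-09-01T09:00:05 | WS01 | CORP\bob | net group "Domain Admins" /domain
2020-09-01T09:01:10 | WS01 | CORP\bob | C:\Users\bob\AppData\Local\Temp\AdFind.exe -f objectcategory=person
2020-09-01T09:30:00 | WS01 | CORP\bob | C:\Windows\System32\notepad.exe C:\Users\bob\notes.txt
2020-09-02T10:15:00 | WS01 | CORP\bob | C:\Users\bob\AppData\Local\Temp\Rubeus.exe kerberoast /nowrap
2020-09-02T10:40:00 | WS01 | CORP\bob | wmic /node:DC01 process call create "cmd /c C:\Windows\Temp\svc.exe"
2020-09-02T11:05:00 | DC01 | CORP\bob | powershell -nop -w hidden Set-MpPreference -DisableRealtimeMonitoring $true
2020-09-02T11:20:00 | DC01 | CORP\bob | cmd /c copy C:\Windows\Temp\r.exe \\WS02\C$\Windows\Temp\r.exe
2020-09-02T11:21:00 | DC01 | CORP\bob | C:\Windows\System32\whoami.exe
'''


def parse_line(line):
    """Parse one 'timestamp | host | user | command line' record (constructed format)."""
    ts, host, user, cmd = (f.strip() for f in line.split(" | ", 3))
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user, "cmd": cmd}


def parse_log(text):
    return [parse_line(l) for l in text.strip().splitlines() if l.strip()]


def match_rules(events):
    """Tag each event with the first rule it matches; unmatched events are dropped."""
    hits = []
    for ev in events:
        for stage, label, pat in RULES:
            if pat.search(ev["cmd"]):
                hits.append({**ev, "stage": stage, "label": label})
                break
    return hits


def stage_timeline(hits):
    """First time each stage was seen anywhere in the environment, in order."""
    first = {}
    for h in sorted(hits, key=lambda h: h["ts"]):
        first.setdefault(h["stage"], h["ts"])
    return first


def response_windows(timeline):
    """Hours between the first sign of each earlier stage and the first impact event:
    the time a defender had, depending on which signal they actually caught."""
    impact = timeline.get("impact")
    if impact is None:
        return {}
    return {s: round((impact - t).total_seconds() / 3600, 2)
            for s, t in timeline.items() if s != "impact"}


def hosts_to_escalate(hits, min_stages=2):
    """Hosts where distinct stages chain together. One nltest is noise; nltest
    followed by Rubeus and remote WMI from the same host is not."""
    stages = defaultdict(set)
    for h in hits:
        stages[h["host"]].add(h["stage"])
    return sorted(host for host, s in stages.items() if len(s) >= min_stages)


if __name__ == "__main__":
    hits = match_rules(parse_log(SAMPLE_LOG))
    for h in hits:
        print(h["ts"].isoformat(), h["host"], h["stage"], "-", h["label"])
    tl = stage_timeline(hits)
    print("hours before impact:", response_windows(tl))
    print("escalate:", hosts_to_escalate(hits))
```

On the constructed data the first discovery event sits more than 26 hours before the payload is staged, while the Defender tampering on the DC gives only a quarter of an hour; that is the same shape as the report's "a little over 3 hours" if the first day of recon goes unnoticed. Real data needs the rules fed from a process-creation source with full command lines (Sysmon event 1 or Security 4688 with command-line auditing), and the AdFind and Rubeus patterns should be paired with hash or signature checks, since renaming the binary defeats a name match.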
