Ryuk ransomware deployed in 5 hours using ZeroLogon flaw

The gang behind the Ryuk ransomware has added a new tool to their arsenal, one that lets them significantly shorten the time needed to fully encrypt a victim's environment. According to researchers at DFIR Project, they observed a Ryuk ransomware attack that took only five hours to complete, from the initial phishing message to complete encryption across the victim's network.

This lightning speed is achieved thanks to the ZeroLogon privilege-escalation bug (CVE-2020-1472), which the group has now incorporated into its attacks.

The ZeroLogon vulnerability allows an unauthenticated attacker with network access to a domain controller to completely compromise all Active Directory services. Although the flaw was patched in August, many organizations remain vulnerable to this threat.

In the observed attack, the hackers escalated privileges using ZeroLogon less than 2 hours after the initial phish. They then used tools such as Cobalt Strike, AdFind, WMI, and PowerShell to accomplish their objective.

The initial stage of the attack involved a phishing email containing a version of the Bazar loader. After the initial compromise, the hackers performed basic mapping of the domain using built-in Windows utilities such as Nltest. They then exploited the ZeroLogon vulnerability to reset the machine password of the primary domain controller.

Next, the attackers moved laterally via SMB file transfers and WMI executions of Cobalt Strike Beacons to the secondary domain controller, carrying out more domain discovery via Net and the PowerShell Active Directory module.

“From there, the threat actors appeared to use the default named pipe privilege escalation module on the server,” researchers said. “At this point, the threat actors used RDP to connect from the secondary domain controller to the first domain controller, using the built-in administrator account.”

Once on the main domain controller, another Cobalt Strike beacon was dropped and executed. Then more domain reconnaissance was performed using the AdFind tool.

“Four hours and 10 minutes in, the threat actors used the pivot from the primary domain controller to RDP into the Backup server. Backup servers were again targeted first for deployment of the ransomware executable, followed by servers and then workstations. The threat actors finished their objective by executing the ransomware on the primary domain controller, and at the 5 hour mark, the attack completed,” the researchers said.
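The chain described above leaves a small number of distinctive footprints a defender can hunt for: discovery tooling such as Nltest and AdFind in process-creation events, and, for the ZeroLogon step, a domain controller's own machine-account password being changed by a subject other than that DC. The following is an added example written for this article, not code from the researchers it quotes. It models Windows Security and Netlogon events as plain dicts (field names follow the Windows event schema; hosts, users and timestamps are constructed) and runs three defender-side rules over them. The Netlogon events 5827 to 5829 are only logged by a DC that has the August 2020 update installed, which is why the machine-account rule matters most on the unpatched controllers the article says are still common.

```python
"""Hunt for the Ryuk/ZeroLogon attack chain in Windows event records.

Added example for this article (not the researchers' code). Events are dicts
with the time, host, event id and a few schema-named fields; all values are
constructed for the example.
"""
from datetime import datetime
from pathlib import PureWindowsPath

# Assumption: the defender keeps an inventory of DC machine accounts.
DC_ACCOUNTS = {"DC01$", "DC02$"}
DISCOVERY_TOOLS = {"nltest.exe", "adfind.exe"}
NETLOGON_VULNERABLE_IDS = {5827, 5828, 5829}  # exist only on patched DCs

# Constructed sample telemetry. The 08:00 event is a routine machine
# password rotation performed by the DC itself and must not alert.
SAMPLE_EVENTS = [
    {"time": "2020-10-01T08:00:00", "host": "DC01", "id": 4742,
     "fields": {"TargetUserName": "DC01$", "SubjectUserName": "DC01$",
                "PasswordLastSet": "10/1/2020 8:00:00 AM"}},
    {"time": "2020-10-01T09:02:11", "host": "WS-17", "id": 4688,
     "fields": {"NewProcessName": r"C:\Windows\System32\nltest.exe",
                "CommandLine": "nltest /dclist:corp.example",
                "SubjectUserName": "jdoe"}},
    {"time": "2020-10-01T09:05:30", "host": "WS-17", "id": 4688,
     "fields": {"NewProcessName": r"C:\Windows\explorer.exe",
                "CommandLine": "explorer.exe", "SubjectUserName": "jdoe"}},
    {"time": "2020-10-01T10:41:03", "host": "DC01", "id": 4742,
     "fields": {"TargetUserName": "DC01$", "SubjectUserName": "ANONYMOUS LOGON",
                "PasswordLastSet": "10/1/2020 10:41:03 AM"}},
    {"time": "2020-10-01T10:41:04", "host": "DC01", "id": 5829,
     "fields": {"SamAccountName": "DC01$", "Domain": "CORP"}},
    {"time": "2020-10-01T12:15:44", "host": "DC02", "id": 4688,
     "fields": {"NewProcessName": r"C:\Users\Public\AdFind.exe",
                "CommandLine": "AdFind.exe -f objectcategory=computer",
                "SubjectUserName": "Administrator"}},
]


def rule_discovery(event):
    """Flag known AD discovery binaries and 'net ... /domain' enumeration."""
    if event["id"] != 4688:
        return None
    exe = PureWindowsPath(event["fields"]["NewProcessName"]).name.lower()
    cmd = event["fields"].get("CommandLine", "")
    if exe in DISCOVERY_TOOLS:
        return f"{exe} executed: {cmd}"
    if exe in {"net.exe", "net1.exe"} and "/domain" in cmd.lower():
        return f"domain enumeration via {exe}: {cmd}"
    return None


def rule_dc_password_reset(event):
    """A DC's machine password should only ever be changed by that DC."""
    if event["id"] != 4742:
        return None
    f = event["fields"]
    target, subject = f.get("TargetUserName"), f.get("SubjectUserName")
    if target in DC_ACCOUNTS and subject != target and "PasswordLastSet" in f:
        return f"machine password of {target} changed by {subject!r}"
    return None


def rule_netlogon_vulnerable(event):
    """Post-patch Netlogon audit events for vulnerable secure-channel use."""
    if event["id"] in NETLOGON_VULNERABLE_IDS:
        account = event["fields"].get("SamAccountName", "?")
        return f"Netlogon event {event['id']} for {account}"
    return None


RULES = {
    "discovery": rule_discovery,
    "dc_password_reset": rule_dc_password_reset,
    "netlogon_vulnerable": rule_netlogon_vulnerable,
}


def scan(events):
    """Apply every rule to every event, returning alerts in time order."""
    alerts = []
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["time"])):
        for name, rule in RULES.items():
            detail = rule(ev)
            if detail:
                alerts.append({"time": ev["time"], "host": ev["host"],
                               "rule": name, "detail": detail})
    return alerts


def hours_to_dc_takeover(alerts):
    """Hours from the first discovery alert to the first DC password reset."""
    first = {}
    for a in alerts:  # alerts are already time-ordered
        first.setdefault(a["rule"], datetime.fromisoformat(a["time"]))
    if "discovery" not in first or "dc_password_reset" not in first:
        return None
    return (first["dc_password_reset"] - first["discovery"]).total_seconds() / 3600


if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for a in found:
        print(f"{a['time']} {a['host']:<6} {a['rule']:<20} {a['detail']}")
    print(f"discovery -> DC takeover: {hours_to_dc_takeover(found):.2f} h")
```

The machine-account rule is the one worth tuning first: computer accounts rotate their own passwords on a schedule, so the signal is not the change itself but the subject performing it. Correlating the first discovery alert with the first DC password change, as `hours_to_dc_takeover` does, gives the same "time to domain compromise" figure the researchers report and is a useful measure of how much response window remains.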
