20 October 2020

Ryuk ransomware deployed in 5 hours using ZeroLogon flaw

The gang behind the Ryuk ransomware has added a new tool to their arsenal, which allowed them to significantly decrease the time needed to fully encrypt the target system. In fact, according to researchers at DFIR Project, they observed a Ryuk ransomware attack that took only five hours to complete from initial phishing message to complete encryption across the victim’s network.

This lightning speed is achieved thanks to the ZeroLogon privilege-escalation bug (CVE-2020-1472), which the group is now incorporating in their attacks.

The ZeroLogon vulnerability allows an unauthenticated attacker with network access to a domain controller to completely compromise all Active Directory services. Although the flaw was patched in August, many organizations still remain vulnerable to this threat.

In the observed attack the hackers escalated privileges using ZeroLogon less than 2 hours after the initial phish. They then used tools such as Cobalt Strike, AdFind, WMI, and PowerShell to accomplish their objective.

The initial stage of the attack involved a phishing email containing a version of the Bazar loader. After initial compromise the hackers performed basic mapping of the domain, using built-in Windows utilities such as Nltest. They then exploited the ZeroLogon vulnerability to reset the machine password of the primary domain controller.
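The step just described leaves a distinctive trace on the domain controller: the DC's own computer account gets its password changed by a caller that never authenticated. The following triage routine is an added example, not part of this article or of the researchers' report. It assumes Windows Security events have been exported as dictionaries with the field names shown (an assumption; log forwarders name fields differently), uses constructed sample records, and relies only on real Windows event IDs: 4742 (a computer account was changed) and the Netlogon events 5827, 5828 and 5829 that patched DCs raise for vulnerable secure-channel connections. The "4742 with subject ANONYMOUS LOGON" pattern is the one used in public ZeroLogon detection rules.

```python
"""Triage Windows Security events for a ZeroLogon-style machine-account
password reset on a domain controller.

Added example, not from the article or the researchers' report.
Field names (EventID, SubjectUserName, TargetUserName, PasswordLastSet)
are an assumption about how the events were exported.
"""

# Windows Security event IDs used below (all real IDs):
#   4742  A computer account was changed
#   5827  Netlogon denied a vulnerable secure channel connection (machine account)
#   5828  Netlogon denied a vulnerable secure channel connection (trust account)
#   5829  Netlogon ALLOWED a vulnerable secure channel connection (DC still in
#         the initial deployment phase, i.e. not yet enforcing secure RPC)

# Constructed: the computer accounts of this domain's domain controllers.
DC_ACCOUNTS = {"DC01$", "DC02$"}

# Constructed sample records; only the second and fourth should be flagged.
SAMPLE_EVENTS = [
    {"EventID": 4624, "SubjectUserName": "jdoe", "TargetUserName": "jdoe"},
    {"EventID": 4742, "SubjectUserName": "ANONYMOUS LOGON",
     "TargetUserName": "DC01$", "PasswordLastSet": "10/20/2020 09:14:02"},
    {"EventID": 4742, "SubjectUserName": "svc_sccm",
     "TargetUserName": "WS-117$", "PasswordLastSet": "10/20/2020 09:15:11"},
    {"EventID": 5829, "SubjectUserName": "-", "TargetUserName": "DC01$"},
]


def classify(evt):
    """Return (severity, reason) for a suspicious event, or None."""
    eid = evt.get("EventID")
    target = evt.get("TargetUserName", "")
    subject = evt.get("SubjectUserName", "")

    if eid == 4742:
        # In 4742 every unchanged attribute is logged as "-", so a real
        # value in PasswordLastSet means the password itself was changed.
        password_changed = evt.get("PasswordLastSet", "-") != "-"
        is_machine_account = target.endswith("$")
        if password_changed and is_machine_account and subject == "ANONYMOUS LOGON":
            severity = "high" if target in DC_ACCOUNTS else "medium"
            return severity, "machine-account password changed by ANONYMOUS LOGON"
        return None

    if eid in (5827, 5828):
        # The DC refused the vulnerable connection: attempt observed, not a success.
        return "medium", "vulnerable Netlogon secure channel denied"

    if eid == 5829:
        # The DC accepted a vulnerable connection: enforcement is not yet on.
        return "high", "vulnerable Netlogon secure channel allowed"

    return None


def triage(events):
    """Run classify() over a list of events and return the findings in order."""
    findings = []
    for evt in events:
        verdict = classify(evt)
        if verdict is None:
            continue
        severity, reason = verdict
        findings.append({
            "EventID": evt["EventID"],
            "TargetUserName": evt.get("TargetUserName", ""),
            "severity": severity,
            "reason": reason,
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f['severity']}] event {f['EventID']} on "
              f"{f['TargetUserName']}: {f['reason']}")
```

Note that a 4742 for a DC account is the strong signal; the 582x events only appear on DCs that already have the August 2020 update installed, so an unpatched DC, like the one in the attack described here, would produce only the 4742.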

Next, the attackers moved laterally via SMB file transfers and WMI executions of Cobalt Strike Beacons to the secondary domain controller, carrying out more domain discovery via Net and the PowerShell Active Directory module.

“From there, the threat actors appeared to use the default named pipe privilege escalation module on the server,” researchers said. “At this point, the threat actors used RDP to connect from the secondary domain controller to the first domain controller, using the built-in administrator account.”

Once on the main domain controller, another Cobalt Strike beacon was dropped and executed. Then more domain reconnaissance was performed using the AdFind tool.

“Four hours and 10 minutes in, the threat actors used the pivot from the primary domain controller to RDP into the Backup server. Backup servers were again targeted first for deployment of the ransomware executable, followed by servers and then workstations. The threat actors finished their objective by executing the ransomware on the primary domain controller, and at the 5 hour mark, the attack completed,” the researchers said.
