The gang behind the Ryuk ransomware has added a new tool to its arsenal that has let it sharply cut the time needed to fully encrypt a target environment. Researchers at DFIR Project observed a Ryuk ransomware attack that took only five hours from the initial phishing message to complete encryption across the victim’s network.
This lightning speed is achieved thanks to the ZeroLogon privilege-escalation bug (CVE-2020-1472), which the group is now incorporating into its attacks.
The ZeroLogon vulnerability allows an unauthenticated attacker with network access to a domain controller to completely compromise all Active Directory services. Although Microsoft patched the flaw in August, many organizations have not yet applied the fix and remain vulnerable to this threat.
In the observed attack, the attackers escalated privileges using ZeroLogon less than two hours after the initial phish. They then used tools such as Cobalt Strike, AdFind, WMI, and PowerShell to accomplish their objective.
The initial stage of the attack involved a phishing email carrying a version of the Bazar loader. After the initial compromise, the attackers performed basic mapping of the domain using built-in Windows utilities such as Nltest. They then exploited the ZeroLogon vulnerability to reset the machine password of the primary domain controller.
Next, the attackers moved laterally via SMB file transfers and WMI executions of Cobalt Strike Beacons to the secondary domain controller, carrying out more domain discovery via Net and the PowerShell Active Directory module.
“From there, the threat actors appeared to use the default named pipe privilege escalation module on the server,” researchers said. “At this point, the threat actors used RDP to connect from the secondary domain controller to the first domain controller, using the built-in administrator account.”
Once on the primary domain controller, the attackers dropped and executed another Cobalt Strike Beacon and then performed further domain reconnaissance using the AdFind tool.
“Four hours and 10 minutes in, the threat actors used the pivot from the primary domain controller to RDP into the Backup server. Backup servers were again targeted first for deployment of the ransomware executable, followed by servers and then workstations. The threat actors finished their objective by executing the ransomware on the primary domain controller, and at the 5 hour mark, the attack completed,” the researchers said.
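The domain controller machine-password reset described above leaves a footprint in the Windows Security log: a computer-account change (Event ID 4742) whose caller is ANONYMOUS LOGON and whose PasswordLastSet attribute was rewritten. The following detection is an added example, not code from DFIR Project or the article; the CSV export format, field names and the list of domain controller accounts are assumptions, and the sample events are constructed, not taken from the incident.

```python
import csv
import io

# Constructed sample of Windows Security events exported as CSV (not from the
# incident in the article). Event 4742 = "A computer account was changed".
SAMPLE_EVENTS = """\
time,EventID,Computer,SubjectUserName,TargetUserName,PasswordLastSet
2020-10-01T10:02:11Z,4624,DC01,-,ANONYMOUS LOGON,-
2020-10-01T10:02:12Z,4742,DC01,ANONYMOUS LOGON,DC01$,10/1/2020 10:02:12
2020-10-01T10:15:40Z,4742,DC01,svc_sccm,WS-042$,10/1/2020 10:15:40
2020-10-01T10:20:03Z,4742,DC01,ANONYMOUS LOGON,WS-007$,10/1/2020 10:20:03
2020-10-01T11:30:05Z,4742,DC01,ANONYMOUS LOGON,DC01$,-
"""

# Hypothetical set of domain controller computer accounts for this environment.
DOMAIN_CONTROLLERS = {"DC01$", "DC02$"}


def parse_events(text):
    """Parse CSV-exported security events into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def find_zerologon_resets(events, domain_controllers=DOMAIN_CONTROLLERS):
    """Flag computer-account password resets made by an unauthenticated caller.

    A legitimate machine-account password change is performed by the machine
    itself or by an administrator, so ANONYMOUS LOGON rewriting PasswordLastSet
    on a computer account (worst of all, a domain controller) is the trace the
    ZeroLogon reset leaves behind.
    """
    findings = []
    for ev in events:
        if ev["EventID"] != "4742":
            continue
        if ev["SubjectUserName"].upper() != "ANONYMOUS LOGON":
            continue
        target = ev["TargetUserName"]
        if not target.endswith("$"):
            continue  # not a computer account
        if ev["PasswordLastSet"] in ("", "-"):
            continue  # attribute unchanged; some other attribute was modified
        severity = "high" if target in domain_controllers else "medium"
        findings.append({"time": ev["time"], "host": ev["Computer"],
                         "target": target, "severity": severity})
    return findings


if __name__ == "__main__":
    for f in find_zerologon_resets(parse_events(SAMPLE_EVENTS)):
        print(f"[{f['severity'].upper()}] {f['time']} {f['host']}: "
              f"anonymous password reset of {f['target']}")
```

On the constructed sample the DC01$ reset at 10:02:12 is reported as high severity and the WS-007$ reset as medium, while the administrator-driven change and the anonymous 4742 that did not touch PasswordLastSet are ignored.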