Infocyte Finds New Malware Variant Masked Behind Ryuk Ransomware


U.S. Biotech Company Taps Top-tier Cybersecurity Firm for Post-breach Incident Response; Discovers Trickbot Backdoor Behind Ransomware

AUSTIN, TX – September 10, 2018

In August, a US-based biotech firm with closely guarded IP contacted law enforcement officials, including the FBI, for assistance responding to a Ryuk ransomware attack. The firm recruited a top-tier cybersecurity team to help with response and to conduct a full Compromise Assessment of its network, hunting for other evidence of the attack, the entry vector, and any remaining backdoors. The Incident Response team deployed an automated threat hunting platform, Infocyte HUNT, to inspect all the systems within the targeted subnet. Within fifteen minutes, HUNT flagged 20 systems with active memory-injected Trickbot trojans, a Mimikatz credential dumper, and over 70 related execution artifacts.

“[…] We immediately identified a wicked Trickbot infection – and more…” commented the Lead Incident Responder. “HUNT proved to be an amazing threat hunting tool, saving us a ton of time and exposing hidden threats injected on several systems.”

Although the investigation has not concluded, the Trickbot trojan appears to have been used as the initial entry vector for the attack and possibly serves as a “leave-behind” after the ransom is paid, giving the attackers long-term access to the network. That backdoor access could also be leveraged to stage a larger-scale attack across all critical services and data, or to repeat the ransom demand in the future.

Ransomware, as a means of infecting systems and extracting data and/or money, is nothing new, and attacks continue to rise. According to Dimension Data, worldwide ransomware attacks rose 350% in 2017. But this targeted “pseudo ransomware” tactic of bundling additional access vectors like Trickbot and Mimikatz, first employed by the Lazarus Group with their Hermes malware, presents a new challenge for threat hunters and security teams responding to ransomware.

“Targeted attacks of this complexity demonstrate the need to implement proactive threat hunting,” commented Chris Gerritz, co-founder of Infocyte. “Historically, the defense against ransomware was frontline prevention. Today’s evolving tactics require a more proactive stance.”

Our recommendation is for threat hunters and ransomware responders to continuously check for these additional access vectors and other backdoors – especially following a breach. In the case of recent Ryuk-related ransomware attacks, Trickbot will likely be memory-resident within svchost.exe processes on Windows systems, which requires volatile memory inspection tooling (like Infocyte HUNT); execution artifacts from the other components of Ryuk may also be found in places like Shimcache.
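For the svchost.exe and Shimcache checks recommended above, here is a PowerShell triage script added to this post; it is not Infocyte’s or HUNT’s code. It lists svchost.exe instances whose parent, image path or command line deviate from the Windows norm it assumes (parent services.exe, image under System32, a `-k` service-group argument) and saves the raw Shimcache value for offline parsing.

```powershell
# Added triage script (not Infocyte's code). Heuristic: legitimate svchost.exe
# instances are started by services.exe from %SystemRoot%\System32 with a
# "-k <group>" command line. An svchost.exe that breaks these rules is a
# candidate for deeper memory inspection; it is not proof of injection, and
# code injected into a correctly spawned svchost.exe will NOT be flagged here.
# Caveat: ParentProcessId can be stale if the parent exited and its PID was reused.

$system32 = Join-Path $env:SystemRoot 'System32'
$procs = Get-CimInstance Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

$findings = foreach ($p in ($procs | Where-Object { $_.Name -ieq 'svchost.exe' })) {
    $parent = $byPid[[int]$p.ParentProcessId]
    $parentName = if ($parent) { $parent.Name } else { '<exited>' }
    $reasons = @()
    if ($parentName -ine 'services.exe') { $reasons += "parent is $parentName" }
    if ($p.ExecutablePath -and -not $p.ExecutablePath.StartsWith($system32, 'OrdinalIgnoreCase')) {
        $reasons += "image path $($p.ExecutablePath)"
    }
    if ($p.CommandLine -notmatch '(?i)\s-k\s') { $reasons += 'no -k service group' }
    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            PID         = $p.ProcessId
            ParentPID   = $p.ParentProcessId
            Parent      = $parentName
            Reasons     = ($reasons -join '; ')
            CommandLine = $p.CommandLine
        }
    }
}
$findings | Format-Table -AutoSize

# Preserve the raw Shimcache (AppCompatCache) blob for offline parsing with a
# Shimcache parser of your choice; its binary layout varies by Windows version,
# so it is not decoded here. Execution artifacts of other Ryuk components may
# surface there even after the files themselves have been removed.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache'
$blob = (Get-ItemProperty -Path $key -Name AppCompatCache).AppCompatCache
[IO.File]::WriteAllBytes("$env:TEMP\AppCompatCache.bin", $blob)
```

Run it from an elevated PowerShell session on each host in scope; any flagged svchost.exe should be memory-dumped and examined rather than simply killed, so the injected payload can be recovered.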

About Infocyte, Inc.

Developed by U.S. Air Force cybersecurity officers, Infocyte’s forensics-based threat hunting platform, Infocyte HUNT, is an automated, intelligent threat hunting software used to hunt for hidden malware and advanced persistent threats (APTs) capable of evading even the best cybersecurity defenses. HUNT significantly reduces attacker dwell time – the period between infection and discovery – to deny attackers the ability to persist undetected, significantly reduce business impact, and restore network confidence. Infocyte was recently honored among the Best Threat Hunting Tools of 2018 by the Cybersecurity Excellence Awards. For more information, or to request a free Compromise Assessment, please visit
