
Infocyte Detects New Malware Variant Masked Behind Ryuk Ransomware

This post was last updated on October 1st, 2019 at 03:37 pm

U.S. Biotech Company Taps Top-tier Cybersecurity Firm for Post-breach Incident Response; Discovers Trickbot Backdoor Behind Ryuk Ransomware

AUSTIN, TX – September 10, 2018

In August, a US-based biotech firm with closely guarded IP contacted law enforcement officials, including the FBI, for assistance responding to a Ryuk ransomware attack. They recruited a top-tier cybersecurity team to help with response and to conduct a full Compromise Assessment of the biotech firm’s network, hunting for other evidence of the attack, the entry vector, and any remaining backdoors. The Incident Response team deployed an automated threat hunting platform, Infocyte HUNT, to inspect all the systems within the targeted subnet. Within fifteen minutes, HUNT flagged 20 systems with active memory-injected Trickbot trojans, a Mimikatz credential dumper, and over 70 related execution artifacts.

“[…] We immediately identified a wicked Trickbot infection – and more…” commented the Lead Incident Responder. “HUNT proved to be an amazing threat hunting tool, saving us a ton of time and exposing hidden threats injected on several systems.”

Although the investigation has not concluded, the Trickbot trojan appears to have been used as the initial entry vector for the attack and possibly serves as a “leave-behind” after the ransom is paid, giving the attackers long-term access to the network. That backdoor access could also be leveraged to stage a larger-scale attack across all critical services and data, or to repeat the ransom in the future.

Ransomware, as a means of compromising systems and extracting data and/or money, is nothing new, and its use continues to rise. According to Dimension Data, worldwide ransomware attacks rose 350% in 2017. But this targeted “pseudo ransomware” tactic of bundling additional access vectors like Trickbot and Mimikatz, first employed by the Lazarus Group with their Hermes malware, presents a new challenge for threat hunters and security teams responding to ransomware.

“Targeted attacks of this complexity demonstrate the need to implement proactive threat hunting,” commented Chris Gerritz, co-founder of Infocyte. “Historically, the defense against ransomware was frontline prevention. Today’s evolving tactics require a more proactive stance.”

Our recommendation is for threat hunters and ransomware responders to continuously check for these additional access vectors and other backdoors – especially following a breach. In recent Ryuk-related ransomware attacks, Trickbot has typically been memory-resident inside svchost.exe processes on Windows systems, so finding it requires volatile memory inspection tooling (like Infocyte HUNT); execution artifacts from the other Ryuk components may also turn up in locations such as Shimcache.
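The memory-resident Trickbot described above leaves a footprint that a responder can look for without a commercial platform. The Python below is an added example, not Infocyte's or HUNT's code: it walks the address space of every svchost.exe and flags committed, private (not image- or file-backed) executable regions, the classic marker of reflectively injected code. It assumes Windows with an elevated 64-bit Python for the live scan; the region-record layout, the function names and SAMPLE_REGIONS are constructed for this example.

```python
"""Hunt for memory-injected code in svchost.exe. Constructed example, not Infocyte HUNT; the
live scan needs an elevated 64-bit Python on Windows, the classifier runs anywhere."""
import csv, ctypes, subprocess, sys

MEM_COMMIT, MEM_RESERVE, MEM_PRIVATE, MEM_IMAGE = 0x1000, 0x2000, 0x20000, 0x1000000
PAGE_EXECUTE_MASK = 0xF0          # PAGE_EXECUTE (0x10) .. PAGE_EXECUTE_WRITECOPY (0x80)

def suspicious_regions(regions):
    """Committed + MEM_PRIVATE (no backing image/file) + executable = injection candidate."""
    return [r for r in regions if r["state"] == MEM_COMMIT
            and r["type"] == MEM_PRIVATE and r["protect"] & PAGE_EXECUTE_MASK]

class MBI(ctypes.Structure):      # MEMORY_BASIC_INFORMATION; ctypes inserts the x64 padding
    _fields_ = [("BaseAddress", ctypes.c_void_p), ("AllocationBase", ctypes.c_void_p),
                ("AllocationProtect", ctypes.c_uint32), ("RegionSize", ctypes.c_size_t),
                ("State", ctypes.c_uint32), ("Protect", ctypes.c_uint32), ("Type", ctypes.c_uint32)]

def walk_regions(pid):            # enumerate one process's address space (Windows only)
    k32 = ctypes.windll.kernel32
    k32.OpenProcess.restype = ctypes.c_void_p
    k32.VirtualQueryEx.argtypes = [ctypes.c_void_p, ctypes.c_void_p, ctypes.POINTER(MBI), ctypes.c_size_t]
    k32.VirtualQueryEx.restype = ctypes.c_size_t
    handle = k32.OpenProcess(0x0400, False, pid)     # PROCESS_QUERY_INFORMATION
    if not handle:
        return []                 # protected process or insufficient rights: log it and move on
    mbi, addr, regions = MBI(), 0, []
    try:
        while k32.VirtualQueryEx(handle, addr, ctypes.byref(mbi), ctypes.sizeof(mbi)):
            regions.append({"base": mbi.BaseAddress or 0, "size": mbi.RegionSize, "state": mbi.State,
                            "protect": mbi.Protect, "type": mbi.Type})
            addr = (mbi.BaseAddress or 0) + mbi.RegionSize
    finally:
        k32.CloseHandle(handle)
    return regions

def svchost_pids():               # every svchost.exe PID, parsed from tasklist's CSV output
    out = subprocess.run(["tasklist", "/FI", "IMAGENAME eq svchost.exe", "/FO", "CSV", "/NH"],
                         capture_output=True, text=True, check=True).stdout
    return [int(r[1]) for r in csv.reader(out.splitlines()) if len(r) > 1 and r[1].isdigit()]

# Constructed sample: image-backed .text (benign), injected RWX blob, reserved-only range.
SAMPLE_REGIONS = [
    {"base": 0x7FF610001000, "size": 0x1000, "state": MEM_COMMIT, "protect": 0x20, "type": MEM_IMAGE},
    {"base": 0x02100000, "size": 0x4000, "state": MEM_COMMIT, "protect": 0x40, "type": MEM_PRIVATE},
    {"base": 0x02200000, "size": 0x2000, "state": MEM_RESERVE, "protect": 0x01, "type": MEM_PRIVATE}]

if __name__ == "__main__" and sys.platform == "win32":
    for pid in svchost_pids():
        for r in suspicious_regions(walk_regions(pid)):
            print(f"svchost.exe pid={pid} base=0x{r['base']:x} size=0x{r['size']:x} protect=0x{r['protect']:x}")
```

Hits are triage leads rather than verdicts: runtimes that JIT code (.NET, scripting hosts) also allocate private executable pages, so confirm a hit by dumping the region and checking it for a PE header or known Trickbot strings before acting on it.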

About Infocyte, Inc.

Developed by U.S. Air Force cybersecurity officers, Infocyte’s forensics-based threat hunting platform, Infocyte HUNT, is an automated, intelligent threat hunting software used to hunt for hidden malware and advanced persistent threats (APTs) capable of evading even the best cybersecurity defenses. HUNT significantly reduces attacker dwell time – the period between infection and discovery – to deny attackers the ability to persist undetected, significantly reduce business impact, and restore network confidence. Infocyte was recently honored among the Best Threat Hunting Tools of 2018 by the Cybersecurity Excellence Awards. For more information, or to request a free Compromise Assessment, please visit www.infocyte.com.
