Over the past two weeks we have seen a significant uptick in ransomware attacks across all industries involving the Ryuk ransomware. The initial foothold is typically flagged as Emotet malware, and is usually delivered through a phishing email. The Emotet attacker then sells its deployment/footholds to a group using the Trickbot banking trojan. The “trick” refers to the various modules the malware can dynamically load to augment its abilities. It uses common vulnerabilities, such as EternalBlue, to spread rapidly throughout the victim’s environment. The Trickbot group then sells its wide access to a ransomware group, currently Ryuk (we have also observed Trickbot working with Bitpaymer). Once the Ryuk group gains access, they interactively move through the environment, spreading ransomware to encrypt files. They typically also go after backups in order to block recovery efforts, forcing the victim to pay the often sizeable ransom in order to restore mission-critical files and systems.
Mitigating Business Interruption
Clients should pay close attention to any anti-virus alerts from their endpoints, with particular sensitivity to alerts for Emotet/Trickbot since Ryuk or a similar ransomware is typically a fast follow to these. In order to minimize the business impact of a ransomware infection, we recommend the following preventative measures:
- Notify employees to be aware of suspicious emails.
- Secure email platform account access – MFA, continual log review, etc.
- Activate malware detection capabilities within mail gateways.
- Remove the users’ ability to enable document macros.
- Ensure AV is deployed to every machine and all alerts are being collected.
- Follow-up on AV alerts.
- Verify that network logs are being aggregated and reviewed for suspicious connections; Trickbot downloads its payload as a “.png” file.
- Limit access and closely monitor admin and domain admin account usage.
- Do not use shared local admin accounts and passwords across machines — this is an easy way for Trickbot to spread.
- Have a robust backup process for business critical servers and files such that back-ups occur regularly, are tested for efficacy, and are stored offline.
Getting Back to Business: Response and Recovery
- Do not power down or reimage infected systems.
- DO disconnect them from the network.
- Preserve machines/logs and contact an IR provider.
- Ensure the AV solution does not delete the accompanying “ransom notes” (usually .txt or .hta files) as these are typically used to store a unique code that is necessary to decrypt the files if payment is made.
- Be on the lookout for other malicious software and persistence mechanisms as the Ryuk group may install their own malicious backdoors into the environment as their approach evolves.
- Make a copy of online backups and store offline. Alternatively, segregate online backups to prevent them from becoming encrypted or
deleted by the attacker.
- Do not discuss the ability or appetite to pay the ransom via email.