By David Liebenberg and Caitlin Huey.

For the fourth quarter in a row, Ryuk dominated the threat landscape in incident response. As we mentioned in last quarter’s report, Ryuk has shifted from relying on commodity trojans to using living-off-the-land tools. This has led to a decrease in observations of attacks leveraging commodity trojans. Email remained the top infection vector, though we observe increased compromises of remote desktop services (RDS) as well as Citrix devices and Pulse VPN. One of the more interesting trends this quarter was the role of the COVID-19 pandemic. Interestingly, we did not observe any engagements in which COVID-19 was used in an attack. However, CTIR has observed the pandemic impacting organizations, affecting their ability to respond and contain cybersecurity incidents.

For additional information, you can also check out our full summary here.

Targeting  A wide variety of verticals were once again targeted, including energy and utilities, financial services, government, health care, industrial distribution, manufacturing, retail, technology, telecommunications, and transportation. The top targeted verticals were health care and technology, a change from last quarter when the top targeted verticals were financial services and government.

Threats  Ransomware continued to comprise the majority of threats CTIR observed. As mentioned above, contrary to previous quarters, CTIR is observing fewer engagements in which Emotet and Trickbot function as the initial dropper for Ryuk. This is one reason why we observed far fewer attacks leveraging commodity trojans this quarter. As mentioned last quarter, Ryuk attacks evolved in other ways as well, leveraging encoded PowerShell commands to download the initial payload, disable security/AV tools, stop backups, and scan the entire network and provide an output of online vs. offline hosts. Ryuk adversaries are using more Windows Management Instrumentation (WMI) and BitsAdmin to deploy the malware in addition to PsExec.

For example, a government organization had thousands of systems encrypted with Ryuk ransomware, affecting nearly 2,000 systems and critical services. There was no evidence of any presence of commodity trojans during the attack. The adversaries compromised a domain administrator account by recovering the password stored in a Group Policy. The adversaries attempted to prevent file restoration by using bcdedit to alter boot configuration data to prevent system recovery, deleted Windows shadow copies, and used vssadmin to remove system restore points. The adversaries then tried to expand the number of affected hosts by granting full permission for all users for all files on all mounted disk drives with icacls.exe. They also sent Wake-On-Lan magic packets to wake shut-down hosts for encryption.

The adversaries used PowerShell to disable real-time monitoring malware protection and a PowerShell cmdlet code “Get-DataInfo.ps1” to scan the network and provide an output of live or dead hosts in text files. The adversaries used the command-line tool BitsAdmin, as well as WMIC and PsExec with privileged account credentials to copy Ryuk to additional hosts.

In another engagement where CTIR identified a Ryuk infection, the initial compromise was performed with a phishing email that contained an encrypted Microsoft Word document. The malicious code had been embedded in a chess game written in VBA, and once the document was opened, it created a VBS file and executed it through PowerShell. The VBS file downloaded and executed the malicious payload identified as Detplock, a remote access trojan (RAT).

CTIR continued to observe ransomware actors exfiltrating sensitive data as another lever to further compel victims to pay the ransom. This is a continuation of a trend since Winter 2019.

Despite a lack of COVID-19-themed campaigns, the pandemic has still increased the threat surface, with an obvious uptick in both RDS and VPN services due to increased remote work. Beyond providing new avenues for adversaries to target, CTIR has also responded by working with victim organizations in identifying the new network “baseline” caused by these changes.