By David Liebenberg.
Cisco Talos Incident Response (CTIR) engagements continue to be dominated by ransomware and commodity trojans. As alluded to in last quarter’s report, ransomware actors have begun threatening to release sensitive information from victims as a means of further compelling them to pay. Additionally, DDoS and coinminer threats reemerged in spring 2020 after absences in the previous quarter. Looking at information from November 2019 through January 2020, ransomware maintains its status as the most prevalent threat, and CTIR has observed some changes in the top ransomware offender — Ryuk.

Targeting A wide variety of verticals were once again targeted, including energy and utilities, wholesale and distribution, sports betting, transportation, healthcare, government, manufacturing, real estate, financial services, telecommunications, education, and retail. The top targeted verticals were financial services and government, a change from last quarter when the top targeted vertical was manufacturing.

For example, a company in the manufacturing industry became infected with Emotet, likely via email. The adversaries then downloaded and leveraged Trickbot to move laterally throughout the network and elevate privileges. The adversary then used the open-source tool Meterpreter to drop Ryuk onto the victim's environment. CTIR also observed adversaries pushing Ryuk throughout the AD environment as a group policy object (GPO).

Ransomware extortion Ransomware actors have begun exfiltrating sensitive data as another lever to further compel victims to pay the ransom. We observed this in two engagements involving Maze ransomware actors, in which the adversaries exfiltrated sensitive information to an FTP server and threatened to publish it if the ransom was not paid. The Maze team has continued to use this tactic, creating a public website where they release information regarding affected organizations.

We also observed another ransomware incident involving a government organization in which the adversaries published a ransom note and screenshots of compromised critical systems, including the Active Directory (AD) structure, on Twitter. The adversaries threatened to publish more sensitive information if the ransom was not paid.

Other ransomware actors have begun following suit as well, including Sodinokibi, Nemty, DoppelPaymer, Nefilim, CLOP and Sekhmet. This is a particularly dangerous trend since it further compels victims to pay and negates traditional ways of combating ransomware attacks, such as maintaining backups.

Initial vectors For the majority of engagements, definitively identifying an initial vector was difficult due to shortfalls in logging. However, in engagements in which the initial vector could be identified, or reasonably assumed, phishing remained the top infection vector. CTIR also observed continued exploitation of web applications, particularly for Citrix Application Delivery Controller (CVE-2019-19781).

Looking forward Ransomware continues to run rampant in Q3, and Ryuk remains the most common variant. CTIR noticed that Ryuk has undergone some changes this quarter. Contrary to previous quarters, there are fewer engagements where Emotet and Trickbot are the initial dropper for Ryuk. Ryuk attacks are leveraging encoded PowerShell commands to download the initial payload, distributing batch files via GPO to hidden admin shares, and leveraging PowerShell to disable security/AV tools and prevent backups. CTIR has also observed the adversaries using a common network discovery PowerShell script (“Get-DataInfo.ps1”) to scan the entire network and provide an output of online vs. offline hosts.

CTIR also observed a shift from Ryuk actors leveraging PSExec to deploy Ryuk to more use of Windows Management Instrumentation (WMI), BITSAdmin, and the red-teaming framework Cobalt Strike.