Ryuk Ransomware Attacks Continue Following TrickBot Takedown Attempt

19 October 2020

Ryuk Ransomware Attacks Continue Following TrickBot Takedown Attempt

The threat actor behind the Ryuk ransomware continues to conduct attacks following the recent attempts to disrupt the TrickBot botnet, CrowdStrike reports.

Referred to as WIZARD SPIDER, the adversary has been widely using TrickBot for the distribution of ransomware, and the recent attempts by the U.S. Cyber Command and Microsoft to disrupt the botnet were expected to put an end to such operations.

However, the efforts had little effect on the botnet, and the threat actor is apparently able to continue operations at the same pace as before. With over one million infected machines, TrickBot represents a serious threat.

According to CrowdStrike, an initial swing at the botnet was observed on September 21, when a non-standard configuration file was being delivered to some of the infected machines, to instruct them to connect to a command and control (C&C) server address at 0.0.0.1 on TCP port 1.

As a result of this move, an unknown number of bots remained isolated from the network and became unreachable through the normal C&C channel. The non-standard config file was downloaded approximately 10,000 times, which translates into roughly one percent of systems infected with TrickBot being separated from the botnet.

“The operation against the TrickBot network was orchestrated to take down the botnet, thus reducing BGH infections by WIZARD SPIDER’s Ryuk and Conti ransomware families, with an ultimate goal of protecting the forthcoming U.S. elections from ransomware operations,” CrowdStrike notes.

TrickBot’s operators quickly switched to secondary channels to ensure their operations could continue. Emotet started deploying TrickBot last week, and WIZARD SPIDER added BazarLoader into the mix, an initial access tool the threat actor has used before.

Distributed through spam emails leading to Google Docs, BazarLoader features a backdoor component that provides the threat actor with the ability to run payloads and arbitrary scripts.

Starting September 2018, CrowdStrike notes, the Ryuk ransomware has been the most lucrative operation run by WIZARD SPIDER, as victims are believed to have paid over $61 million in ransom to recover files encrypted by Ryuk.

For an unknown reason, in March 2020, the group moved away from Ryuk and switched to the Conti ransomware, which emerged in an attack in June 2020. Conti, which has received weekly updates and improvements, is estimated to have been used to compromise more than 120 networks to date, most of them located in North America and Europe.

“Additional features, obfuscation techniques and code changes are integrated on an almost weekly basis. In August 2020, Conti’s technique shifted from fully encrypting files with AES-256 to a more strategic and efficient approach of selectively encrypting files with the ChaCha stream cipher. Conti’s host discovery and network share targeting functionality has also continued to evolve and is now comparable to that of Ryuk’s,” the security firm notes.

In September 2020, however, WIZARD SPIDER resumed Ryuk deployments and little code changes were observed between the ransomware’s April 2020 and September 2020 variants. The most notable of these modifications is the introduction of code obfuscation, although these are not as advanced as those used in Conti and BazarLoader.

“The ultimate goal of the disruption operation against the TrickBot network was to impact and prevent ransomware infections […]. While the valiant efforts of the cybersecurity teams involved in this complex operation undoubtedly had a short-term impact on WIZARD SPIDER’s TrickBot network, the response by the criminal actors has been swift, effective and efficient,” Crowdstrike concludes.