Operators of the Ryuk ransomware have started looking for new recruits, which is not good news. Jake Williams, founder of the security company Rendition Infosec, first spotted a job ad on the dark web in which Ryuk operators were searching for seasoned ransomware attackers. This is the first time Ryuk operators have recruited manpower, which has been interpreted as a sign that they are planning something massive.
The fact that Ryuk operators are expanding is bad news for everyone else. Ryuk is malware that first emerged in 2018 and has since established itself as one of the most dangerous threats in cyberspace. The medical sector in particular is known to have been severely harmed. It is still one of the “most costly” malware families, with victims paying an average of $100,000 in ransom. These operators are maturing.
Ryuk is a ransomware variant derived from the Hermes 2.1 family. It is typically spread through well-known loaders and botnet malware such as TrickBot, but that is not the whole picture: Ryuk operators have devised or acquired a variety of intrusion techniques from other attackers. They are also skilled at sending elaborate phishing e-mails and at “living off the land”, the abuse of legitimate software already present on the victim’s systems.
Another characteristic of Ryuk is that it is “human-operated”: no automation tooling is used, and each campaign is managed manually and meticulously by the operator. Of course, this is not Ryuk’s only distinguishing feature, but it is notable that one of the earliest ransomware operations prefers manual labor.
Unlike other “big” ransomware operations, however, Ryuk’s operators do not maintain data-leak websites. This means they differ from the double-extortion tactic that has been the most common among ransomware attackers since last year, and that the exact scale of the damage is hard to calculate because Ryuk activity is rarely visible. As a result, Ryuk can continue its attacks while attracting little attention.
The following best practices are recommended for deterring ransomware attacks:
1) Patch vulnerable applications.
2) Configure devices and infrastructure securely.
3) Segment the network.
4) Prohibit the use of unnecessarily high Windows privileges.
Monitoring and putting all of this into practice is necessary, but not sufficient. So what next? Take away from the ransomware criminals what they want most: high privileges. Once an intruder has obtained domain administrator rights, there is no longer any need to move laterally; with that much power, ransomware can be distributed to every corner of the company.
Consequently, ransomware attackers have no choice but to go after the authentication infrastructure as early as possible. This is the stage at which the defending company has the most leverage: if anything unusual is noticed and handled quickly, significant harm can be avoided. Some additional advice in this area follows:
- Disable NTLM
The most critical step in improving Active Directory protection is to reduce and ultimately remove dependency on the NTLM (NT LAN Manager) protocol. NTLM is a legacy Windows protocol that has been in use for more than two decades. However, because many companies still run Windows NT 4, Windows 98, Windows ME and even older versions of Windows, NTLM remains in use. NTLM is not only obsolete in itself; it is also problematic because of the old applications tied to it.
Abandoning NTLM is therefore difficult, but it should be done. Ransomware operators behind Ryuk, Maze, RobinHood and REvil commonly use the tool Mimikatz to extract NTLM credentials from memory, and with those credentials they gain access to systems and secure high privileges. Either way, sticking with NTLM is a bad bet.
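As an added example, not from the original article, the PowerShell below (run elevated on a Windows host) switches NTLM to audit-only mode and then summarises which processes and targets still authenticate with NTLM, so that dependencies can be migrated before the protocol is denied. The registry values and the Microsoft-Windows-NTLM/Operational event IDs are real Windows settings; the seven-day window is an assumption.

```powershell
# Added example, not the article's own code. Run in an elevated PowerShell session.
# Goal: measure NTLM dependency (audit only) before restricting the protocol.

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv = Join-Path $lsa 'MSV1_0'

# 1) Turn on NTLM auditing without blocking anything.
#    AuditReceivingNTLMTraffic 2  = audit incoming NTLM for all accounts
#    RestrictSendingNTLMTraffic 1 = audit outgoing NTLM (0 = allow, 2 = deny)
#    In a domain these are normally set via Group Policy ("Network security: Restrict NTLM");
#    writing the registry directly is for a single lab/test host.
Set-ItemProperty -Path $msv -Name 'AuditReceivingNTLMTraffic' -Value 2 -Type DWord
Set-ItemProperty -Path $msv -Name 'RestrictSendingNTLMTraffic' -Value 1 -Type DWord

# 2) Report the current hardening state. LmCompatibilityLevel 5 = send NTLMv2 only and
#    refuse LM/NTLMv1; anything lower still accepts weaker hashes that Mimikatz can harvest.
$level = (Get-ItemProperty -Path $lsa -Name 'LmCompatibilityLevel' -ErrorAction SilentlyContinue).LmCompatibilityLevel
if ($null -eq $level) { $level = 'not set (OS default applies)' }
Write-Host "LmCompatibilityLevel : $level"

# 3) After a few days of auditing, list who still authenticates with NTLM.
#    Events 8001 (outgoing) and 8002 (incoming) are written to the NTLM operational log.
#    Field names are read from each event's own XML, so nothing is hardcoded here.
$days = 7   # assumption: audit window in days
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-NTLM/Operational'
    Id        = 8001, 8002
    StartTime = (Get-Date).AddDays(-$days)
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    $xml   = [xml]$e.ToXml()
    $props = [ordered]@{ Time = $e.TimeCreated; Id = $e.Id }
    foreach ($d in $xml.Event.EventData.Data) {
        if ($d.Name) { $props[$d.Name] = $d.'#text' }
    }
    [pscustomobject]$props
}

# Summary: NTLM authentications per event type, then the raw rows for triage.
# Every 8001 row names a client process/target that must be migrated before NTLM is denied.
$rows | Group-Object Id | Select-Object Name, Count | Format-Table -AutoSize
$rows | Select-Object -First 20 | Format-List
```

Leave the host in audit mode until the 8001/8002 rows stop naming business applications; only then raise RestrictSendingNTLMTraffic to 2.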
- Monitor Kerberos
Kerberos is regarded as the successor to NTLM. Cryptographically it is stronger and more robust, but it is nonetheless frequently targeted by ransomware attackers. By design it is a decentralized protocol, with the serious weakness that not all verification happens within the authentication session itself; in other words, it is susceptible to attacks that reuse authentication credentials.