Cue the Duke Ellington score and Jimmy Stewart for the defense: we now have a moment-by-moment look at how a ransomware attack on an organization unfolds. The example is a Ryuk ransomware attack last October on an unnamed organization.
- The first step was a probe of the network via the Trickbot malware
- The hackers then explored the network to determine a valuation, i.e. how the data could be monetized
- They then unleashed other tools in the Pivot and Profile phase (PowerTrick and Cobalt Strike) to search for open ports and other devices
- Having found what they wanted, the hackers deployed their Anchor backdoor and Ryuk ransomware to secure their hold on the network
- Total time from initial malware to Ryuk ransomware encryption: about two weeks
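The value of a timeline like this for a defender is that each stage is a separate detection opportunity, and the gap between the first foothold and encryption is the window in which a response still prevents the ransom event. The following is an added example (not code from SentinelOne, ZDNet or the original post) that runs over constructed, already-labelled telemetry: the event tuples, host names and stage labels are assumptions made for this illustration, not a real EDR or SIEM schema. It measures the foothold-to-encryption window and triages each host by how far along the chain it has been seen.

```python
from datetime import datetime

# Stages of the Ryuk intrusion chain described in the post, in order of occurrence.
STAGES = ["trickbot", "recon", "pivot_tools", "anchor_backdoor", "ryuk_encrypt"]

# Constructed sample telemetry: (ISO timestamp, host, stage). The stage label is
# assumed to come from an upstream detection layer; hosts and times are invented.
SAMPLE_EVENTS = [
    ("2019-10-01T09:12:00", "ws-17", "trickbot"),
    ("2019-10-02T14:30:00", "ws-17", "recon"),
    ("2019-10-06T11:05:00", "ws-17", "pivot_tools"),
    ("2019-10-06T11:40:00", "fs-02", "pivot_tools"),
    ("2019-10-10T03:00:00", "fs-02", "anchor_backdoor"),
    ("2019-10-15T02:15:00", "fs-02", "ryuk_encrypt"),
    ("2019-10-14T16:00:00", "ws-23", "trickbot"),  # only stage 1 seen: window still open
]


def parse_ts(s):
    return datetime.fromisoformat(s)


def stage_timeline(events):
    """Return {host: {stage: first_seen}} using the earliest sighting of each stage."""
    per_host = {}
    for ts, host, stage in events:
        if stage not in STAGES:
            continue  # ignore events the upstream layer did not map to the chain
        t = parse_ts(ts)
        seen = per_host.setdefault(host, {})
        if stage not in seen or t < seen[stage]:
            seen[stage] = t
    return per_host


def enterprise_window(events):
    """Time from the first Trickbot sighting anywhere to the first encryption
    anywhere: the response window the post describes. None if either is absent."""
    first_foothold = min((parse_ts(ts) for ts, _, st in events if st == "trickbot"), default=None)
    first_encrypt = min((parse_ts(ts) for ts, _, st in events if st == "ryuk_encrypt"), default=None)
    if first_foothold is None or first_encrypt is None:
        return None
    return first_encrypt - first_foothold


def furthest_stage(stages_seen):
    """Index into STAGES of the latest chain stage a host has reached."""
    return max(STAGES.index(s) for s in stages_seen)


def triage(events):
    """Classify each host: 'encrypted', 'pre-encryption' (lateral tooling or
    backdoor present, act now) or 'early' (only foothold or recon seen)."""
    result = {}
    for host, seen in stage_timeline(events).items():
        f = furthest_stage(seen)
        if STAGES[f] == "ryuk_encrypt":
            result[host] = "encrypted"
        elif f >= STAGES.index("pivot_tools"):
            result[host] = "pre-encryption"
        else:
            result[host] = "early"
    return result


if __name__ == "__main__":
    print("foothold-to-encryption window:", enterprise_window(SAMPLE_EVENTS))
    for host, state in sorted(triage(SAMPLE_EVENTS).items()):
        print(f"{host}: {state}")
```

On the constructed data the window comes out at just under 14 days, matching the roughly two-week dwell time in the post, and `ws-23` shows up as an early-stage host where stopping the chain is still cheap.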
Ryuk has been a highly successful ransomware, netting its extortioners $61m in ransom between February 2018 and October 2019, according to the FBI. The UK’s National Cyber Security Centre advisory indicates global attacks starting in late 2018.
The value in this study is substantial: the SentinelOne article is chock-full of terminology and screenshots a programmer or white hat would love. It also reveals a multi-step process; stopping it at step 1 (the Trickbot malware) makes the organization a tougher nut to crack for the hackers, and the timeline gives defenders a nearly two-week window for a response. ZDNet’s article is written for us ‘civilians’. The sidebar has links to several articles, including this horror compendium from UK victims, ‘The most stressful four hours of my career’. Earlier: Hackermania runs wild…all the way to the bank!