Intrigue.
Subterfuge.
Deception.
Suspense.
Is this a new James Patterson novel? No, but it could very well be…
This is the tale of a new kind of attack – an attack in the Digital Age, where one person, clicking on an expertly-executed devious email and opening an innocuous-looking Google Doc, allowed hackers in 2020 to wreak havoc on the system of a successful business.
And these Russian hackers aren’t just targeting businesses. The 2020 elections are already tenuous (to say the least), but they are breaking into local, state, and even federal systems to sow deeper seeds of doubt and unrest, going so far as to hack into the President’s own re-election campaign’s website!
It doesn’t appear that any information was stolen from the site, but they made sure to leave a message that anyone could see, and it remained up for about half an hour. And it isn’t just the election that has been Putin’s playground.
In fact, hundreds of hospitals may be impacted… During a global pandemic, no less.
I may have mentioned this before, but hackers have NO shame. The fact that there is an international pandemic crippling the world not only doesn’t deter them, it gives them new avenues through which to attack their targets.
Ryuk Backstory
This story takes place in the Autumn of 2020, but to understand it fully, we must go back a couple of years to 2018… August, to be exact, when the world was introduced to Russia’s Ryuk ransomware, with a series of successful multi-million-dollar attacks on organizations ranging from local governments to hospitals. In fact, according to the FBI, the Ryuk attackers raked in over $61 million in the US alone – and that only includes the attacks that were actually reported. It is believed that the actual figure may well be in the hundreds-of-millions range.
Though 2019 was extremely lucrative for the cyber gang, there was a noticeable decline in Ryuk attacks in 2020, around the start of the pandemic. You might think, “Perhaps they had a change of heart? Even hackers have hearts, right?”
Wrong.
2020: Renewed Ryuk Attacks
It was widely believed that Ryuk had evolved and metamorphosed into a rebranded version known as “Conti.” And perhaps that’s true; but it is just as likely that they were instead lying in wait, allowing their potential victims to be lulled into a false sense of security, so that when they struck again, it would be all the more powerful. These attacks have been especially impactful because of two distinct characteristics: the virus itself, and the patience and persistence of the attackers.
The Virus
The speed with which the attack moves from compromise to deployment will make your head spin… It only takes about 3 ½ hours from opening a compromised attachment to attackers infiltrating and spying on the network. Then, in less than 24 hours, the hackers had access to the domain controller, where they were able to execute the ransomware. That’s not a lot of time for detection.
The Hackers
In addition to deploying an efficient virus, the attackers themselves are very, very persistent. To them, “No” doesn’t mean “never,” it just means “not now.” It took them multiple attempts over the course of a week to get the ransomware and malware to properly take hold, involving over 90 servers, in addition to other systems, in the attack. And even then, their ransomware was not fully successfully executed.
As attempts to launch the attack failed, the Ryuk actors attempted multiple times over the next week to install new malware and ransomware, including renewed phishing attempts to re-establish a foothold. Before the attack had concluded, over 90 servers and other systems were involved in the attack, though ransomware was blocked from full execution.
Wide-Spread Implications
Before we get into the nitty-gritty details of this new attack, it’s important to note that things are likely about to get real. As in, really real. Especially for the Healthcare Industry.
Just last week, the FBI, DHS and HHS issued a joint warning, aimed at healthcare executives, about an “imminent cybercrime threat to U.S. hospitals and healthcare providers.”
This warning was issued not even 48 hours after Alex Holden, founder of the Wisconsin-based cyber intelligence firm Hold Security, contacted KrebsOnSecurity with a tip, stating that he had witnessed disturbing online communications between Ryuk cybercriminals in which they discussed their nefarious plans to execute ransomware attacks on over 400 US healthcare facilities!
So far, there have been a handful of attacks that have crippled the following healthcare facilities:
- Sky Lakes Medical Center in Klamath Falls, OR was attacked.
- A Ryuk ransomware attack on St. Lawrence Health System infected the Canton-Potsdam, Massena and Gouverneur hospitals.
- A network attack disrupted operations at Ridgeview Medical Center in Waconia, MN, including Chaska’s Two Twelve Medical Center, three hospitals, clinics and other emergency and long-term care sites.
- The University of Vermont Health Network is dealing with a widespread network issue after a vicious cyberattack.
- Wyckoff Hospital in NY fell victim to a Ryuk ransomware attack.
A Word About Trickbot
It’s important to note that one big change in this recently dissected Ryuk attack is that Ryuk appears to be moving away from using Trickbot in its campaigns. Trickbot is a botnet that uses thousands of infected computers to distribute Ryuk (along with a number of other malicious cyber activities).
This is significant because on October 12, Microsoft announced that it had taken extensive steps to shut down Trickbot, and while these actions were not expected to irreparably cripple Ryuk’s operations, they were expected to, at the very least, significantly delay them by forcing the gang to rebuild its distribution infrastructure.
Apparently, they found a workaround in the form of Google Docs.
Case Study: September Ryuk Attack
Being the victim of a successful cyber attack can be embarrassing, and healthcare organizations are not always forthcoming with the details. The problem with that, however, is that it can literally cost people their lives, so kudos to the healthcare system that openly shared the details of their attack.
It is reported that four people perished needlessly because of the attacks, and hopefully by making the information readily available, nobody else will have to die.
Part 1: Human Error and the Phishing Scam
This particular attack began around lunchtime on Tuesday, September 22, when a number of hospital employees received this sophisticated and detailed phishing email:
From: Alex Collins [spoofed external email address]
To: [targeted individual]
Subject: Re: [target surname] about debit
Please call me back till 2 PM, i will be in [company name] office till 2 PM.
[Target surname], because of [company name] head office request #96-9/23 [linked to remote file], i will process additional 3,582 from your payroll account.
[Target first name], call me back when you will be available to confirm that all is correct.
Here is a copy of your statement in PDF [linked to remote file].
Alex Collins
[Company name] outsource specialist
The link provided in the email was served via Sendgrid and redirected the user to a malicious Google Doc document. And although it was flagged, detected and blocked multiple times, one employee fell for the scam by opening and executing print_document.exe, which turned out to be a malicious executable known as Buer Loader.
Buer Loader is a modular malware-as-a-service downloader that started popping up underground in August 2019 for $350. This downloader is a web panel-managed malware distribution service that includes add-on modules as well as download address target changes.
When executed by the unsuspecting employee, Buer Loader dropped “qoipozincyusury.exe,” a Cobalt Strike “beacon.” Cobalt Strike was originally designed for adversary emulation and penetration testing, but it can perform a multitude of tasks, including providing access to operating system features and establishing a covert “command and control” channel inside the compromised network.
Within 90 minutes, additional Cobalt Strike beacons were detected on the system, but the attackers were still able to keep their hold on the infected workstation, giving them the ability to work undercover and search for credentials.
Part 2: The Virus Spreads
Here is a timeline of events the bad actors conducted to help spread their malicious virus:
- That morning: The hackers had not only stolen admin credentials, but had also succeeded in connecting to a domain controller and dumping Active Directory details, using a tool written to the user directory of the compromised domain administrator account on the domain server.
- Over the next few hours the cyber attackers successfully:
- Loaded and launched another Cobalt Strike executable.
- Installed a Cobalt Strike service on the domain controller, executed using the previously stolen domain administrator credentials, which was a Server Message Block listener, allowing Cobalt Strike commands to be passed to the server and other computers on the network.
- Remotely executed a new Cobalt Strike beacon on the same server by utilizing Windows Management Instrumentation (WMI).
- Used Windows Management Instrumentation from the first compromised PC to create other malicious services on two other servers with the same admin credentials.
- Configured an encoded PowerShell to create another Cobalt communications connection.
- Began other reconnaissance activities from the first infected desktop.
- Executed commands to identify more lateral targets.
- Attempted to use NLTEST command to steal data from domain controllers on other domains in the same organization.
- Used other commands to ping servers and gather IP addresses.
- Checked all mapped network shares connected to the workstation.
- Used WMI to check for active Remote Desktop sessions on another domain controller.
In other words, they truly were relentless… even though not all their attempts were successful.
Part 3: Traps are Set
Not even 24 hours after the scammed employee was successfully phished, the Ryuk hackers were preparing to launch. With the beachhead on the originally compromised PC, they used RDP to connect to the domain controller, utilizing the same admin credentials.
They dropped a copy of their tools into a folder on the domain controller named: C:\Perflogs\grub.info.test2
The name of the folder is important because it is consistent with a set of tools deployed in earlier Ryuk attacks.
Not long after, the hacker executed a malicious PowerShell command that accessed Active Directory data and dumped it to a file, ALLWindows.csv. This file dump provided login information, as well as domain controller and operating system data, for all Windows computers that happened to be on the network.
After the file dump, the attackers used SystemBC on the domain controller, a malicious SOCKS5 proxy used to hide malware traffic. It installed itself as itvs.exe and used the old Windows task scheduler to create a job for the malware, named itvs.job.
Once that task was scheduled, it loaded a PowerShell script into the grub.info.test folder on the domain controller and executed it. This script, Get.DataInfo.ps1, is able to scan the network and report back on active systems while also checking which AV each system runs.
The Ryuk gang was methodical in its attempts to spread its files to more and more servers, including:
- File shares
- WMI
- Remote Desktop Protocol clipboard transfer
Persistent, if Not Always Successful
By Thursday morning, the hacker decided to distribute and then launch Ryuk. It is important to note that there were no significant changes in this version of Ryuk; however, the developers had added more obfuscation to the code, thus avoiding memory-based alerts.
Among the initial targets was the company’s backup server – which really is just evil. However, the backup server was able to not only detect, but also stop Ryuk… until the cyber thieves used the icacls command to modify access control, which gave them full control of all the folders.
Once control was gained, they successfully executed GMER, a “rootkit detector” tool frequently used by ransomware hackers to seek out and shut down the hidden processes antivirus software uses to protect servers. The Ryuk attackers failed in their attempts, but they did not stop. In all, three more attempts were made to run the Ryuk ransomware in an effort to overwhelm any remaining defenses.
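As an added defender’s example (not code from the original post or from the investigation it summarizes), the following Python hunting rules map the process-level steps described in Parts 2 and 3 and the icacls step above onto constructed Sysmon-style process events; the hosts, paths and command lines are invented sample data, and the coarse rules (any executable spawned by a browser, any nltest on a server) are meant to be tuned to a real environment’s baseline.

```python
import re

SERVERS = {"DC01", "BACKUP01"}  # constructed host inventory for the sample
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}

# Constructed Sysmon-style process events; hosts, paths and command lines are invented.
SAMPLE_EVENTS = [
    {"host": "WS-042", "parent": "chrome.exe", "image": "print_document.exe", "cmdline": "print_document.exe"},
    {"host": "WS-042", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"host": "DC01", "parent": "cmd.exe", "image": "nltest.exe", "cmdline": "nltest /dclist:other.corp.example"},
    {"host": "DC01", "parent": "cmd.exe", "image": "at.exe", "cmdline": "at 03:00 C:\\Perflogs\\grub.info.test2\\itvs.exe"},
    {"host": "DC01", "parent": "WmiPrvSE.exe", "image": "powershell.exe",
     "cmdline": "powershell -f C:\\Perflogs\\grub.info.test2\\Get.DataInfo.ps1"},
    {"host": "BACKUP01", "parent": "cmd.exe", "image": "icacls.exe", "cmdline": "icacls D:\\Backups /grant Everyone:F /T"},
    {"host": "WS-017", "parent": "explorer.exe", "image": "notepad.exe", "cmdline": "notepad.exe report.txt"},
]

RULES = [  # (name, predicate), one per step of the timeline described in the post
    ("executable launched directly from a browser (phishing lure)",
     lambda e: e["parent"].lower() in BROWSERS and e["image"].lower().endswith(".exe")),
    ("encoded PowerShell command line (Cobalt Strike staging)",
     lambda e: e["image"].lower() == "powershell.exe"
     and re.search(r"\s-(enc|encodedcommand|e)\s", e["cmdline"], re.I) is not None),
    ("nltest run on a server (cross-domain enumeration)",
     lambda e: e["image"].lower() == "nltest.exe" and e["host"] in SERVERS),
    ("legacy at.exe scheduled job (SystemBC itvs.job pattern)",
     lambda e: e["image"].lower() == "at.exe"),
    ("tooling staged under C:\\Perflogs (grub.info.test2 pattern)",
     lambda e: re.search(r"\\perflogs\\", e["cmdline"], re.I) is not None),
    ("process spawned via WMI on a server (remote execution)",
     lambda e: e["parent"].lower() == "wmiprvse.exe" and e["host"] in SERVERS),
    ("icacls granting full control (backup server tampering)",
     lambda e: e["image"].lower() == "icacls.exe"
     and re.search(r"/grant\s+\S+:F\b", e["cmdline"], re.I) is not None),
]

def scan(events):
    """Return (rule_name, host, cmdline) for every event that trips a rule."""
    return [(name, e["host"], e["cmdline"]) for e in events for name, hit in RULES if hit(e)]

def hosts_by_priority(hits):
    """Hosts ordered by how many distinct rules fired; a DC tripping several comes first."""
    per_host = {}
    for name, host, _ in hits:
        per_host.setdefault(host, set()).add(name)
    return sorted(per_host, key=lambda h: (-len(per_host[h]), h))
```

On the constructed sample the domain controller surfaces first, matching the point the post makes: the activity worth catching early is on the server that was reached within 24 hours of the phish, not only on the workstation that opened the lure.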
Much, I’m sure, to the chagrin of this malicious cyber gang, no files were encrypted, even though they did drop their ransom notes.
Overall, Ryuk was launched from over 40 compromised systems. However, thanks to Sophos Intercept X, every attempt was blocked, and by noon that Thursday the ransomware attack had been stopped.
The story doesn’t end there, however, because the attackers were still active in the network.
That Friday, the good guys were in full block mode and by the next day, the attackers attempted to launch yet another SOCKS proxy on the still-compromised domain controller.
But they still weren’t ready to give up because additional Ryuk and Cobalt Strike deployments were caught the next week—along with additional phishing attempts.
That is some major determination!
Moral of the Story
This is most definitely a success story, overall. Not only was the encryption attempt thwarted, but there was also a lot of knowledge gained.
Line of Attack
This Ryuk attack was significantly different from the 2019 attacks in that the gang moved away from using Emotet as its malware-as-a-service provider to Buer Loader. Additionally, instead of using Trickbot, they employed a number of more hands-on tools, including BloodHound, Cobalt Strike and GMER.
Additionally, they utilized already built-in Windows scripting and administrative tools for lateral spread, and the attackers were far more ready to change tactics when their original ones didn’t work. In other words, they appear much more nimble.
Dedication
These attackers did not lack in persistence, dedication or patience. They did not give up if one line failed, and they stayed hard at work for HOURS. Once they were in, they did everything in their power to succeed, and while they failed to encrypt any files or data, they did successfully and quickly move laterally across the network using swiftly established backdoors.
This attack is proof that Remote Desktop Protocol, even within the firewall, can be a vulnerability, and that strong cybersecurity is worth its weight in gold.
Could your company withstand such a violent, persistent attack? If you aren’t sure, the answer is likely “No.” Cybersecurity isn’t a luxury anymore, it’s a necessity. If you have questions or are looking for a free consultation, please feel free to give us a call at 919-422-2607 or schedule a meeting online here.