
Rewterz Threat Alert – RYUK Ransomware – IoCs

October 27, 2020

Severity

High

Analysis Summary

A string of high-profile attacks that have been crippling companies has been detected. The current wave of attacks is known to use a combination of Emotet, Trickbot, and Ryuk. In recent weeks, the actors behind Ryuk have also been observed using ZeroLogon to extend their reach and broaden the delivery of their ransomware payloads. While the Ryuk payloads themselves do not contain ZeroLogon functionality, the flaw is being leveraged at earlier stages of the attack chain: attackers use existing capabilities in Cobalt Strike and similar frameworks to achieve the privilege escalation. Several domains have been detected that are most likely linked to Ryuk based on infrastructure consistencies such as naming similarities, registration through NameCheap, SSL subject string consistencies, and reuse of the same CIDR blocks for hosting.

Impact

  • Privilege Escalation
  • Information Theft
  • Data Exfiltration
  • File Encryption
  • Network Compromise

Indicators of Compromise

Domain Name

  • servicehel[.]com
  • backups1helper[.]com
  • service-hel[.]com
  • driver-boosters[.]com
  • top3servicebooster[.]com
  • service1update[.]com

MD5

  • ed0f520d410a684c6d0548dbf4caea98
  • 6c4dacbefca90dad7ef318604e635e89

SHA-256

  • 093ac1213b112c7eb7c46000f04160af37339ce0d6fff514f0941f2b5ab48829
  • 1c05380af47696f7d7ef84b452fa4f662158d9f1caf7ad01a455061081d13653

SHA-1

  • 6381fc7e6d39549e0f7e65ac8151eeb6d70ecef9
  • 5810d3a052d459760defbf479be15df1eebff48f

Source IP

  • 45[.]153[.]241[.]134
  • 45[.]153[.]241[.]158

Remediation

  • Block the threat indicators at their respective controls.
  • Do not download files attached to untrusted emails.
  • Maintain a strong password policy and implement multifactor authentication where possible.
  • Keep all systems and software updated to the latest patched versions against all known vulnerabilities.
  • Only download software from official and authentic sources.
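One way to put the first remediation step into practice is to run the advisory's indicators over your own DNS, proxy, firewall and EDR logs. The script below is an added example, not part of the original alert: it refangs the defanged values listed above, then matches domains (including subdomains), source IPs and file hashes against constructed sample log lines. The log format is assumed; adapt the regexes to your own telemetry.

```python
import re

# Indicators copied from the advisory above, in their defanged form.
DEFANGED_DOMAINS = [
    "servicehel[.]com", "backups1helper[.]com", "service-hel[.]com",
    "driver-boosters[.]com", "top3servicebooster[.]com", "service1update[.]com",
]
DEFANGED_IPS = ["45[.]153[.]241[.]134", "45[.]153[.]241[.]158"]
HASHES = {  # MD5, SHA-256 and SHA-1 values from the advisory, one set for lookup
    "ed0f520d410a684c6d0548dbf4caea98", "6c4dacbefca90dad7ef318604e635e89",
    "093ac1213b112c7eb7c46000f04160af37339ce0d6fff514f0941f2b5ab48829",
    "1c05380af47696f7d7ef84b452fa4f662158d9f1caf7ad01a455061081d13653",
    "6381fc7e6d39549e0f7e65ac8151eeb6d70ecef9", "5810d3a052d459760defbf479be15df1eebff48f",
}

def refang(indicator: str) -> str:
    """Turn the advisory's '[.]' notation back into a value that can be matched."""
    return indicator.replace("[.]", ".").lower()

DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}
IPS = {refang(i) for i in DEFANGED_IPS}

# Loose patterns for hostnames, IPv4 addresses and hex digests inside a log line.
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
HASH_RE = re.compile(r"\b([0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})\b", re.I)

def match_line(line: str) -> list:
    """Return (type, value) pairs for every advisory IoC found in one log line.
    A subdomain of a listed domain counts as a hit (e.g. cdn.servicehel.com)."""
    hits = []
    for host in HOST_RE.findall(line):
        h = host.lower()
        if h in DOMAINS or any(h.endswith("." + d) for d in DOMAINS):
            hits.append(("domain", h))
    for ip in IP_RE.findall(line):
        if ip in IPS:
            hits.append(("ip", ip))
    for digest in HASH_RE.findall(line):
        if digest.lower() in HASHES:
            hits.append(("hash", digest.lower()))
    return hits

def scan(lines) -> list:
    """Return (line_number, hits) for every line that contains at least one IoC."""
    return [(n, match_line(l)) for n, l in enumerate(lines, 1) if match_line(l)]

SAMPLE_LOGS = [  # constructed sample lines, not real telemetry; hostnames/IPs invented
    "2020-10-27T08:12:01Z dns query 10.0.0.12 -> servicehel.com A",
    "2020-10-27T08:12:05Z proxy GET https://cdn.top3servicebooster.com/update.bin 10.0.0.12",
    "2020-10-27T08:13:40Z fw allow 10.0.0.12:49811 -> 45.153.241.134:443",
    "2020-10-27T08:14:02Z edr file created C:\\Users\\x\\a.exe sha256=093ac1213b112c7eb7c46000f04160af37339ce0d6fff514f0941f2b5ab48829",
    "2020-10-27T08:15:00Z proxy GET https://www.example.com/index.html 10.0.0.12",
]
```

Running `scan(SAMPLE_LOGS)` flags the first four lines (domain, subdomain, IP and hash hits) and leaves the benign fifth line alone.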
COPYRIGHT © REWTERZ. ALL RIGHTS RESERVED.