Rewterz Threat Alert – RYUK Ransomware – IoCs

Severity

High

Analysis Summary

A string of high profile attacks has been detected that have been crippling companies. The current waves of attacks have been known to use a combination of Emotet, Trickbot, and Ryuk. In recent weeks, the actors behind Ryuk have even been observed using ZeroLogon to extend their reach and broaden the delivery of their ransomware payloads. While the Ryuk payloads do not specifically contain the ZeroLogon functionality, the flaw is being leveraged at earlier stages in the attack chain. Attackers are able to use existing capabilities in Cobalt Strike and similar frameworks to achieve the privilege escalation. Several domains have been detected that are most likely linked to Ryuk based on consistencies with infrastructure like naming similarities, registration through NameCheap, SSL subject string consistencies, and reuse of the same CIDR blocks for hosting.

Impact

• Privilege Escalation
• Information Theft
• Data Exfiltration
• Files Encryption
• Network Compromise

Indicators of Compromise

Domain Name

• servicehel[.]com
• backups1helper[.]com
• service-hel[.]com
• driver-boosters[.]com
• top3servicebooster[.]com
• service1update[.]com

MD5

• ed0f520d410a684c6d0548dbf4caea98
• 6c4dacbefca90dad7ef318604e635e89

SHA-256

• 093ac1213b112c7eb7c46000f04160af37339ce0d6fff514f0941f2b5ab48829
• 1c05380af47696f7d7ef84b452fa4f662158d9f1caf7ad01a455061081d13653

SHA1

• 6381fc7e6d39549e0f7e65ac8151eeb6d70ecef9
• 5810d3a052d459760defbf479be15df1eebff48f

Source IP

• 45[.]153[.]241[.]134
• 45[.]153[.]241[.]158

Remediation

• Block the threat indicators at their respective controls.
• Do not download files attached in untrusted emails. 
• Maintain a strong password policy and implement multifactor authentication where possible.
• Keep all systems and software updated to latest patched versions against all known vulnerabilities. 
• Only download software from official and authentic sources.