A string of high-profile attacks that have been crippling companies has been detected. The current waves of attacks have been known to use a combination of Emotet, Trickbot, and Ryuk. In recent weeks, the actors behind Ryuk have even been observed using ZeroLogon to extend their reach and broaden the delivery of their ransomware payloads. While the Ryuk payloads do not themselves contain the ZeroLogon functionality, the flaw is being leveraged at earlier stages of the attack chain: attackers can use existing capabilities in Cobalt Strike and similar frameworks to achieve the privilege escalation. Several domains have been detected that are most likely linked to Ryuk, based on consistencies in infrastructure such as naming similarities, registration through NameCheap, matching SSL certificate subject strings, and reuse of the same CIDR blocks for hosting.