Rewterz Threat Alert – RYUK Ransomware Network Compromise Using BazarLoader

High

Analysis Summary

A RYUK infection is seen targeting victims with a malicious email that carried a link to download the Bazar/Kegtap loader, which injects into multiple processes, and which performs reconnaissance on the infected system, using Windows utilities like nltest and net group, as well as third-party tool AdFind. The entire infection took 29 hours from an email being sent to the target to full environment compromise and the encryption of systems. The malware remained quiet for roughly one day, after which a second reconnaissance phase was launched, using the same tools, plus Rubeus. Data was exfiltrated to a remote server and the attackers started lateral movement. To compromise additional systems on the network, the attackers used various methods, including remote WMI, remote service execution with PowerShell, and a Cobalt Strike beacon dropped over SMB. Next, the Cobalt Strike beacon was used as the main pivotal point. Additional beacons were then established across the environment and PowerShell was employed to disable Windows Defender. Ryuk was executed one minute after being transferred over SMB from the pivot and, once encryption started, the servers used to store backups were hit first. Ryuk was also transferred to the remaining hosts on the network via SMB, and an RDP connection was leveraged to execute it from the pivot domain controller.

Impact

• Information Theft
• Data Exfiltration
• Files Encryption
• Network Compromise

Indicators of Compromise

Domain Name

• x59gc[.]com
• allrulk[.]com
• martahzz[.]com
• nomadfunclub[.]com

MD5

• 3d483689f373a12f6f9607079b9cebb9
• 9ea7a28fc686c65c01c30eece8f2e903
• 52a8527e0d7cd86b1d04ccc80eb6595e
• 826519293dd705f70297185bf5947382
• 7d11779283ce65e18f30e1cf2a62d6f6
• 704dea93ef129b6c10b5b02433b51ec2
• 04cd7e91f40c045497ffcf802c43c159
• 40b17d4ca83f079cf6b2b09d7a7fd839
• 9ff18f7a19e06b602e19b9e0aca3ad84
• b94bb0ae5a8a029ba2fbb47d055e22bd

SHA-256

• cfe670624f2af7a13e05cfc0dca3700b5c5bce8e4b58a73e712a9c3fc44b79de
• 0550ae3895700c365561c345f7414e4fb292e16fb545c2e7aa3ac70ec5f27764
• 1055df2f38b4f540a99c23ecab450a4dc032c71579f41dd8314e892b3db21cfe
• 5af1fd37cb9a1afdb327e3757238203d8ee3cee0508057a46a890b7569272c62
• 45f8ed5faa1a4dcdc384516976190f836ce3e7b9a4ba3ff7dd0116a1ea8e121b
• d8576fba423360297b0661833a0e06564230c2079db214dc6830c648e5193e51
• 8c55e3b7ce984976b237f03414886e8a2df5884d6f1485716493c84b0abf073e
• 85ef348d39610c1d5f58e2524c0e929ec815a9fbe1f5924cdef7a0c05e58e5ad
• 9d8cbb2bf4801276de2143ccd64a7d0f66263809a90bea0b664282a15d121d9e
• f6a377ba145a5503b5eb942d17645502eddf3a619d26a7b60df80a345917aaa2

SHA1

• 78d216d54f4505bf9ede1bcd1688cbe13c14411d
• b7f78b436f616577a18e211cd4f7055543b9069a
• 84867acf6698d97c05dd986a73b9a8d602c627d6
• 52936b4188617cfb0aaeecff4297009ffc2deb61
• 046cfad64fc090029da71af720088485c309e6c5
• bf5320ca42de290abc7d618c32167d9f79debc97
• 982a86c4e65c7c86ba680ed4c016882d1aa6cb90
• 090e82a47b32dc94d71d4c84a3a76d2480589b00
• bcbb5bbc55b4f44397c34e9fca2017587e69219b
• 035940bd120a72e2da1b6b7bb8b4efab46232761

Source IP

• 107[.]150[.]59[.]162
• 88[.]119[.]171[.]75
• 45[.]141[.]84[.]120
• 206[.]221[.]176[.]24
• 185[.]51[.]134[.]195
• 5[.]182[.]210[.]145
• 107[.]173[.]58[.]183

URL

• https[:]//x59gc[.]com[:]443
• http[:]//x59gc[.]com
• https[:]//x59gc[.]com
• http[:]//grumhit[.]com/rest/t

Remediation

• Block the threat indicators at their respective controls.
• Do not download files attached in untrusted emails.
• Implement strong password policy and enable multi-factor authentication.
• Keep all systems and software updated to latest patched versions.