MITRE ATT&CK Mapping & Hardening Guidelines
USE CASE: RYUK RANSOMWARE
Ryuk is ransomware designed to target enterprise environments and has been used in attacks since at least 2018. Ryuk shares code similarities with Hermes ransomware. Typically, Ryuk has been deployed as a payload from banking Trojans such as TrickBot. Ryuk first appeared in August 2018 as a derivative of Hermes 2.1 ransomware, which first emerged in late 2017 and was available for sale on the open market as of August 2018. Ryuk still retains some aspects of the Hermes code.
Ryuk Attack Chain
Ryuk has been known to be a part of a bigger “Triple Threat” attack that involves Emotet and TrickBot.
The first stage of this attack is the delivery of Emotet through phishing emails that carry a weaponized Word document; the document contains macro code that downloads Emotet.
Once Emotet executes, it downloads another malware family (usually TrickBot) which can collect system information, steal credentials, disable AV, and perform lateral movement.
The third stage of the attack is to connect to the C&C server and download Ryuk, which makes use of the lateral movement performed by TrickBot to infect and encrypt as many systems on the network as possible.
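As an added example (not part of the original report), a small Python detection for the first stage of the chain described above: an Office process spawning a script interpreter or download-capable child, with the process lineage reconstructed for triage. The event fields and the sample events are constructed, not taken from any real log.

```python
"""Flag Office applications (the weaponized Word document stage) spawning
processes a macro would use to fetch or launch a second stage such as Emotet.
Events are simplified process-creation records; the tuple layout is an
assumption made for this example, not a real log schema."""

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Children commonly abused by macros to download or run a payload.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe",
                       "cscript.exe", "mshta.exe", "rundll32.exe",
                       "regsvr32.exe", "certutil.exe", "bitsadmin.exe"}

# Constructed sample events: (pid, parent_pid, image path).
EVENTS = [
    (100, 1, r"C:\Windows\explorer.exe"),
    (200, 100, r"C:\Program Files\Microsoft Office\WINWORD.EXE"),
    (300, 200, r"C:\Windows\System32\cmd.exe"),
    (400, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    (500, 100, r"C:\Program Files\Google\Chrome\chrome.exe"),
    (600, 100, r"C:\Program Files\Microsoft Office\WINWORD.EXE"),
    (700, 600, r"C:\Windows\splwow64.exe"),  # benign print helper, not flagged
]


def _basename(image):
    """Normalise an image path to a lowercase file name for matching."""
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def find_office_spawns(events):
    """Return (office_pid, child_pid, child_name) for every suspicious child
    whose parent is an Office application."""
    by_pid = {pid: (ppid, img) for pid, ppid, img in events}
    hits = []
    for pid, ppid, img in events:
        parent = by_pid.get(ppid)
        if (parent and _basename(parent[1]) in OFFICE_PARENTS
                and _basename(img) in SUSPICIOUS_CHILDREN):
            hits.append((ppid, pid, _basename(img)))
    return hits


def process_chain(events, pid):
    """Walk parent links back to the root so an analyst sees the full
    lineage behind a hit (root first, e.g. explorer > winword > cmd)."""
    by_pid = {p: (pp, img) for p, pp, img in events}
    chain = []
    while pid in by_pid:
        ppid, img = by_pid[pid]
        chain.append(_basename(img))
        pid = ppid
    return list(reversed(chain))


if __name__ == "__main__":
    for office_pid, child_pid, name in find_office_spawns(EVENTS):
        print(f"ALERT: Office pid {office_pid} spawned {name} (pid {child_pid})")
        print("  lineage:", " > ".join(process_chain(EVENTS, child_pid)))
```

Later stages of the chain (Emotet fetching TrickBot, TrickBot moving laterally) need network and authentication telemetry that this process-tree check alone does not cover.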