2018 – Ryuk ransomware

The Ryuk ransomware took Big Game Hunting to new heights. Associated with the Trickbot group, also known as Wizard Spider, this ransomware strain is still active today.

Throughout its history, the group has attacked various organizations and made at least $150 million, according to AdvIntel (source: https://www.advanced-intel.com/post/crime-laundering-primer-inside-ryuk-crime-crypto-ledger-risky-asian-crypto-traders).

For quite some time, it was called triple threat, as typically such infections started from the Emotet trojan, which loaded Trickbot, which was used for downloading post-exploitation tools and final ransomware deployment. Usually, Trickbot was used to download a PowerShell Empire agent or a Cobalt Strike Beacon – another extremely popular post-exploitation framework.

Recently, the group changed the toolset and started to use a new trojan called Bazar. Interestingly enough, they started to use vishing (voice phishing) in their distribution scheme. The phishing emails don't contain any malicious files or links, just some information about a fake paid subscription and a phone number to call to cancel it. If a victim calls the number, the operator guides him or her to download a weaponized Microsoft Office file, open it, and enable the macros, so the computer is infected with Bazar. Just like with Trickbot, the trojan is used to download and execute a post-exploitation framework – most commonly, Cobalt Strike.

To deploy Ryuk, the threat actors leveraged multiple techniques, including the previously mentioned PsExec and Group Policy modification.

First, they provided emails to allow the victims to contact them, but soon started to use Tor onion services:

Figure 1.5 – Instructions embedded into the ransom note

Ryuk ransomware operators are still active, and, according to AdvIntel and HYAS, have earned more than $150 million (source: https://www.advanced-intel.com/post/crime-laundering-primer-inside-ryuk-crime-crypto-ledger-risky-asian-crypto-traders).

Who was behind the Ryuk ransomware?

On June 4, 2021, the FBI released an indictment charging Alla Witte, aka Max, for being involved in a transnational organization responsible for creating and deploying the Trickbot trojan and ransomware.

Some other Ryuk-related threat actors were the Emotet botnet operators. They were arrested in January 2021 as the result of a collaborative operation between law enforcement in the Netherlands, Germany, the United States, the United Kingdom, France, Lithuania, Canada, and Ukraine. As a result, the authorities took full control of the botnet's infrastructure.

One of the most notable things was what exactly the Emotet operators' workplace looked like:

Figure 1.6 – Emotet operators' workplace

More insights are available in the following video: https://www.youtube.com/watch?v=_BLOmClsSpc.

Despite the fact that threat actors are being arrested, more and more cybercriminals want to join the big game. So, another phenomenon has emerged – ransomware-as-a-service.