• Home
  • |
  • Blog
  • |
  • Early-Stage Indicators Of Ryuk And Conti Ransomware Attacks
Threat Advisory Early-stage indicators of Ryuk and Conti Ransomware attacks

Investigations by Symantec into Ryuk and Conti ransomware attacks found significant overlap in tools used to deliver both, supporting reports that there is likely some affiliation between the two. Recent attacks have involved extensive use of variants of Cobalt Strike. In some cases, the infection vector appears to be via IcedID malware, which delivers malware known as Longlist, which in turn is used to install Cobalt Strike.

Activity To Note Is:

  •  Cobalt Strike executed with this command:
  •  Use of WMIC to execute Cobalt Strike on other computers in the network: CSIDL_SYSTEM\cmd.exe /C wmic /node:[REDACTED] /user:<?,?> /password:<?,?> process call create ‘cmd.exe /c regsvr32.exe CSIDL_COMMON_APPDATA\tstdll.dll 11985756’
  •  Cobalt Strike executed with this command: RunDll32 CSIDL_PROFILE\documents\werfault.dll,tstsec 11985756
  •  Presence of credential stealer LaZagne in this path: csidl_windows\temp\gtt654f
  •  Presence of Adfind in this path: csidl_windows\temp\adf

Targets Of Ryuk And Conti Ransomware Attacks

These tools have been used in targeted ransomware attacks, which tend to be concentrated against medium-to-large-sized organizations in:

  •  North America
  •  Europe

Tools Used In Ryuk And Conti Ransomware Attacks

The attackers have used a combination of custom malware, off-the-shelf tools, and living off the land tactics.

  •  IcedID
  •  Longlist
  •  Cobalt Strike
  •  LaZagne
  •  Adfind
  •  Ryuk
  •  Conti

Recommendations

Organizations should review this alert and scan their network for associated indicators of compromise (IOCs). Their presence may indicate a ransomware attack in preparation.

Indicators Of Compromise (IOCs) Of Ryuk And Conti Ransomware Attacks:

TOOL/MALWARE:

File Fingerprints:

477b49df42b2cd2805fcffa8de2dd14d732628e1e1c2132cb22b8687ee9312d3 Cobalt Strike
e49ff404012f54f6fdafd8dc301b0c03722e17a8b394f8187946c7d2b4dd7110 Cobalt Strike
34591bb2484145360ec3af5c0fc5e364304f0c252890ac6fafad76ac3155185a Cobalt Strike
a16189ede9b4b2240654e38ccc5c4d386c37b4375f1c7ad752a5c8ba0f770232 Cobalt Strike
0f9e1390cb0b51a68e2c60b7dd7fcd79d3344db680721b2bbde0865e60269e28 host.exe (unknown tool)
b3ae259df698576d682af6d00ba89a2182f00c02406589fe4dda5f4d8f621e03 run.exe (unknown tool)
95548e4075dda4b11bbe5be359d5612f3e61e1b71c717ddb18225737bcada8dd Unknown tool
b4188e7c2c16141198628680f8c8d7b3cb0c631114433a390c3c45724dc675fe LaZagne
297297004feba40bf8a664b84eaaff07b0d054b3255611b76a418dc23b89138c Adfind
f6a377ba145a5503b5eb942d17645502eddf3a619d26a7b60df80a345917aaa2 Adfind
0ff4c58ce45f906bc1aa8fc2e303e3ff0ad46f728c681b52d1c01b2bdf64e727 Longlist

Domain Names:

updaternetworkmanagerr[.]com
remakeflowersimple[.]com
greattxmsng-imgx[.]com
fastpighostmerch[.]com

IP Address:

45.61.137[.]172
195.123.232[.]21
139.28.235[.]96
213.252.247[.]132

Thanks for visiting our site. Please share this advisory to others to protect them from being the victim of this attack.

About the author

Arun KL

To know more about me. Follow me on LinkedIn Hi All, I am Arun KL, an IT Security Professional. Founder of “thesecmaster.com”. Enthusiast, Security Blogger, Technical Writer, Editor, Author at TheSecMaster. To know more about me. Follow me on LinkedIn

Leave a Reply

Your email address will not be published. Required fields are marked

{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}

Learn Something New with Free Email subscription

Email is also one of the ways to be in touch with us. Our free subscription plan offers you to receive post updates straight to your inbox.