Table of Contents
May 31, 2021
|2m
Early-Stage Indicators of Ryuk and Conti Ransomware Attacks
Investigations by Symantec into Ryuk and Conti ransomware attacks found significant overlap in tools used to deliver both, supporting reports that there is likely some affiliation between the two. Recent attacks have involved extensive use of variants of Cobalt Strike. In some cases, the infection vector appears to be via IcedID malware, which delivers malware known as Longlist, which in turn is used to install Cobalt Strike.
Activity to Note Is:
Cobalt Strike executed with this command:
Use of WMIC to execute Cobalt Strike on other computers in the network: CSIDL_SYSTEM\cmd.exe /C wmic /node:[REDACTED] /user:<?,?> /password:<?,?> process call create ‘cmd.exe /c regsvr32.exe CSIDL_COMMON_APPDATA\tstdll.dll 11985756’
Cobalt Strike executed with this command: RunDll32 CSIDL_PROFILE\documents\werfault.dll,tstsec 11985756
Presence of credential stealer LaZagne in this path: csidl_windows\temp\gtt654f
Presence of Adfind in this path: csidl_windows\temp\adf
Targets of Ryuk and Conti Ransomware Attacks
These tools have been used in targeted ransomware attacks, which tend to be concentrated against medium-to-large-sized organizations in:
North America
Europe
Tools Used in Ryuk and Conti Ransomware Attacks
The attackers have used a combination of custom malware, off-the-shelf tools, and living off the land tactics.
IcedID
Longlist
Cobalt Strike
LaZagne
Adfind
Ryuk
Conti
Recommendations
Organizations should review this alert and scan their network for associated indicators of compromise (IOCs). Their presence may indicate a ransomware attack in preparation.
Indicators of Compromise (IOCs) Of Ryuk and Conti Ransomware Attacks:
TOOL/MALWARE:
File Fingerprints:
477b49df42b2cd2805fcffa8de2dd14d732628e1e1c2132cb22b8687ee9312d3 Cobalt Strike
e49ff404012f54f6fdafd8dc301b0c03722e17a8b394f8187946c7d2b4dd7110 Cobalt Strike
34591bb2484145360ec3af5c0fc5e364304f0c252890ac6fafad76ac3155185a Cobalt Strike
a16189ede9b4b2240654e38ccc5c4d386c37b4375f1c7ad752a5c8ba0f770232 Cobalt Strike
0f9e1390cb0b51a68e2c60b7dd7fcd79d3344db680721b2bbde0865e60269e28 host.exe (unknown tool)
b3ae259df698576d682af6d00ba89a2182f00c02406589fe4dda5f4d8f621e03 run.exe (unknown tool)
95548e4075dda4b11bbe5be359d5612f3e61e1b71c717ddb18225737bcada8dd Unknown tool
b4188e7c2c16141198628680f8c8d7b3cb0c631114433a390c3c45724dc675fe LaZagne
297297004feba40bf8a664b84eaaff07b0d054b3255611b76a418dc23b89138c Adfind
f6a377ba145a5503b5eb942d17645502eddf3a619d26a7b60df80a345917aaa2 Adfind
0ff4c58ce45f906bc1aa8fc2e303e3ff0ad46f728c681b52d1c01b2bdf64e727 Longlist
Domain Names:
updaternetworkmanagerr[.]com
remakeflowersimple[.]com
greattxmsng-imgx[.]com
fastpighostmerch[.]com
IP Address:
45.61.137[.]172
195.123.232[.]21
139.28.235[.]96
213.252.247[.]132
Thanks for visiting our site. Please share this advisory to others to protect them from being the victim of this attack.
Arun KL
Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.
- April 18, 2024
Learn Something New with Free Email subscription
Learn Something New with Free Email subscription
Subscribe
Subscribe
Subscribe
Subscribe
- April 18, 2024
