Ryuk ransomware operators have come up with new techniques to exploit remote desktop connections more efficiently.
According to trend reports from Advanced Intelligence (AdvIntel) security researchers, Ryuk operators have shifted from brute-forcing Remote Desktop Protocol (RDP) servers to gaining access through phishing emails.
The operators also reportedly use spear-phishing and an open-source tool called KeeThief, which can extract passwords and credentials from the KeePass password manager.
Aside from tools and techniques, the hackers are exploiting known vulnerabilities in the Windows OS and certain commonly used applications.
The two vulnerabilities exploited in Ryuk attacks were identified as CVE-2018-8453 and CVE-2019-1069.
Before attacking RDP, the operators analyze the target's network shares, users, Active Directory Organizational Units, and its capacity to pay a ransom.
The tools used in this reconnaissance are the Cobalt Strike post-exploitation framework, AdFind (an Active Directory query tool), and the post-exploitation tool BloodHound.
In its recent advisory, AdvIntel advised organizations to follow its risk mitigation steps to prevent future attacks.
Ryuk ransomware operators have collected at least $150 million in ransoms since they started targeting organizations in August 2018.