EARLY-STAGE INDICATORS OF RYUK AND CONTI RANSOMWARE ATTACKS
THESECMASTER
Investigations by Symantec into Ryuk and Conti ransomware attacks found significant overlap in the tools used to deliver both, supporting reports that the two operations are likely affiliated. Recent attacks have made extensive use of Cobalt Strike variants.
* Cobalt Strike executed with this command:
* Use of WMIC to execute Cobalt Strike on other computers in the network: CSIDL_SYSTEM\cmd.exe /C wmic /node:[REDACTED] /user:<?,?> /password:<?,?> process call create 'cmd.exe /c regsvr32.exe CSIDL_COMMON_APPDATA\tstdll.dll 11985756'
* Cobalt Strike executed with this command: RunDll32 CSIDL_PROFILE\documents\werfault.dll,tstsec 11985756
* Presence of credential stealer LaZagne in this path: csidl_windows\temp\gtt654f
* Presence of Adfind in this path: csidl_windows\temp\adf
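As an added example that is not part of this page or of Symantec's report, the Python below turns the indicators above into regular-expression rules and runs them over a few constructed process-creation command lines. The rules generalise the page's patterns (any remote WMIC process creation, any DLL loaded by regsvr32 from ProgramData or by rundll32 from a user's Documents folder, the named Windows\Temp staging directories), and every sample line, host, user and path is invented.

```python
import re

# Constructed sample process-creation command lines (not taken from the page or any real
# host). The first three mirror the indicator patterns above; the last two are benign.
SAMPLE_COMMAND_LINES = [
    r"C:\Windows\System32\cmd.exe /C wmic /node:10.0.0.25 /user:corp\svc /password:x "
    r"process call create 'cmd.exe /c regsvr32.exe C:\ProgramData\tstdll.dll 11985756'",
    r"RunDll32 C:\Users\jdoe\documents\werfault.dll,tstsec 11985756",
    r"C:\Windows\Temp\gtt654f\laZagne.exe all",
    r"C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
    r"regsvr32.exe /s C:\Program Files\Vendor\component.dll",
]

# Each rule is (name, compiled regex). The CSIDL_* alternatives accept the normalised
# path tokens used on the page; real endpoint logs carry the expanded paths instead.
RULES = [
    # WMIC creating a process on a remote node: the lateral-movement step above.
    ("wmic_remote_process_create",
     re.compile(r"\bwmic\b.*?/node:\S+.*?process\s+call\s+create", re.I)),
    # regsvr32 loading a DLL dropped into the all-users ProgramData directory.
    ("regsvr32_dll_from_programdata",
     re.compile(r"\bregsvr32(\.exe)?\b.*?(programdata|csidl_common_appdata)\\[^\\\s]+\.dll", re.I)),
    # rundll32 loading a DLL from a user's Documents folder and calling a named export.
    ("rundll32_dll_from_user_documents",
     re.compile(r"\brundll32(\.exe)?\b.*?(users\\[^\\]+|csidl_profile)\\documents\\[^\\\s,]+\.dll,\S+", re.I)),
    # Staging directories named on the page for LaZagne and Adfind under Windows\Temp.
    ("tool_staged_in_windows_temp",
     re.compile(r"(windows|csidl_windows)\\temp\\(gtt654f|adf)\b", re.I)),
]


def match_rules(command_line):
    """Return the names of every rule that fires on one process command line."""
    return [name for name, rx in RULES if rx.search(command_line)]


def scan(command_lines):
    """Return {command_line: [rule names]} for the lines that trigger at least one rule."""
    hits = {}
    for cl in command_lines:
        names = match_rules(cl)
        if names:
            hits[cl] = names
    return hits


if __name__ == "__main__":
    for cl, names in scan(SAMPLE_COMMAND_LINES).items():
        print(", ".join(names), "<-", cl)
```

The same rules fire on the page's own CSIDL-normalised command lines, so they can be used either against Symantec-style normalised telemetry or against raw Sysmon/EDR process events.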
Activity to note:
* IcedID
* Longlist
* Cobalt Strike
* LaZagne
* Adfind
* Ryuk
* Conti
Tools Used In Ryuk And Conti Ransomware Attacks