EARLY-STAGE INDICATORS OF RYUK AND CONTI RANSOMWARE ATTACKS

THESECMASTER

Investigations by Symantec into Ryuk and Conti ransomware attacks found significant overlap in tools used to deliver both, supporting reports that there is likely some affiliation between the two. Recent attacks have involved extensive use of variants of Cobalt Strike.

* Cobalt Strike executed with this command:

* Use of WMIC to execute Cobalt Strike on other computers in the network: CSIDL_SYSTEM\cmd.exe /C wmic /node:[REDACTED] /user:<?,?> /password:<?,?> process call create 'cmd.exe /c regsvr32.exe CSIDL_COMMON_APPDATA\tstdll.dll 11985756'

* Cobalt Strike executed with this command: RunDll32 CSIDL_PROFILE\documents\werfault.dll,tstsec 11985756

* Presence of credential stealer LaZagne in this path: csidl_windows\temp\gtt654f

* Presence of Adfind in this path: csidl_windows\temp\adf
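As an added example (not part of Symantec's findings or TheSecMaster's write-up), the following Python turns the indicators above into simple detection rules and runs them over a handful of constructed process-creation and file-creation events. The host name, user name, event layout and expanded paths are assumptions for the sample: the page's CSIDL_* placeholders are taken to stand for the System32, ProgramData, user-profile and Windows directories respectively. The rule names are hypothetical.

```python
import re
from typing import Dict, List

# Constructed sample telemetry (not from the page). Each record is a process-creation
# or file-creation event as a SIEM might normalize it. Paths are assumed expansions of
# the CSIDL_* placeholders used in the indicator list above.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /C wmic /node:10.0.0.5 /user:corp\svc /password:[REDACTED] "
                r"process call create 'cmd.exe /c regsvr32.exe C:\ProgramData\tstdll.dll 11985756'"},
    {"type": "process", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"RunDll32 C:\Users\jdoe\documents\werfault.dll,tstsec 11985756"},
    {"type": "process", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},          # benign control-panel call
    {"type": "process", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r"wmic os get caption"},                              # benign local WMIC query
    {"type": "file", "path": r"C:\Windows\Temp\gtt654f\laZagne.exe"},
    {"type": "file", "path": r"C:\Windows\Temp\adf\AdFind.exe"},
    {"type": "file", "path": r"C:\Windows\Temp\msi12ab.tmp"},         # benign installer temp file
]

# Process-creation rules: (hypothetical rule name, regex over the command line).
PROCESS_RULES = [
    # WMIC told to create a process on a remote host (/node:) that launches regsvr32 on a DLL.
    ("wmic_remote_regsvr32",
     re.compile(r"\bwmic\b.*/node:.*process\s+call\s+create.*regsvr32", re.I)),
    # rundll32 invoking an export from a DLL that lives under a user profile directory.
    ("rundll32_profile_dll",
     re.compile(r"\brundll32\b.*\\users\\[^\\]+\\.*\.dll,\w+", re.I)),
    # rundll32 loading a file named werfault.dll; the legitimate WerFault is an .exe in System32.
    ("rundll32_werfault_dll",
     re.compile(r"\brundll32\b.*werfault\.dll", re.I)),
]

# File-creation rules: the staging directories named in the indicator list.
FILE_RULES = [
    ("lazagne_staging_dir", re.compile(r"\\windows\\temp\\gtt654f\\", re.I)),
    ("adfind_staging_dir", re.compile(r"\\windows\\temp\\adf\\", re.I)),
]


def match_event(event: Dict[str, str]) -> List[str]:
    """Return the names of every rule the event triggers (empty list if none)."""
    hits: List[str] = []
    if event["type"] == "process":
        for name, rx in PROCESS_RULES:
            if rx.search(event["cmdline"]):
                hits.append(name)
    elif event["type"] == "file":
        for name, rx in FILE_RULES:
            if rx.search(event["path"]):
                hits.append(name)
    return hits


def scan(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map the index of each alerting event to the rules it triggered."""
    return {i: hits for i, e in enumerate(events) if (hits := match_event(e))}


if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS).items():
        print(f"event {idx}: {', '.join(rules)}")
```

The rules deliberately key on behaviour (remote process creation via WMIC, rundll32 loading a DLL from a user profile, the named temp directories) rather than on the literal argument `11985756`, which an operator can change freely; the two benign events in the sample show that ordinary local WMIC queries and control-panel rundll32 calls do not fire.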

Activity to note:

* IcedID

* Longlist

* Cobalt Strike

* LaZagne

* Adfind

* Ryuk

* Conti

Tools Used In Ryuk And Conti Ransomware Attacks
