Experts On Ryuk Ransomware Deployed Two Weeks After Trickbot Infection

Activity logs on a server used by the TrickBot trojan in post-compromise stages of an attack show that the actor takes an average of two weeks pivoting to valuable hosts on the network before deploying Ryuk ransomware.

After compromising the network, the attacker starts scanning for live systems that have specific ports open and stealing password hashes from the Domain Admin group.

Niamh Muldoon, Senior Director of Trust and Security, EMEA, OneLogin
June 24, 2020
Having logging in place and understanding logged events would support the associated monitoring and alerting events.
Targeted attacks follow this chain of firstly getting access to a vulnerable network/system and working their way through the network, trying to find the next weak access point while gathering data and an understanding of how the organization operates along the way. In this instance, understanding the information assets, applying not only MFA but enhanced multi-factor authentication would have reduced the risk of ....