
Emotet, Ryuk, TrickBot: 'Loader-Ransomware-Banker Trifecta'

More Advanced Cybercrime Services Help Hackers Boost Illicit Earnings
Ryuk ransom note extract (Source: McAfee)

Rather than building their own attack tools, many criminals are continuing to use cybercrime platforms and services to make it easier to earn an illicit paycheck. Some gangs are also combining tools in an attempt to earn even more.


For example, a large number of attacks today combine Emotet, Ryuk and TrickBot. "This loader-ransomware-banker trifecta has wreaked havoc in the business world over the past two years, causing millions of dollars in damages and ransoms paid," says cybercrime intelligence firm Intel 471 in a new report.

TrickBot is one of many malware-as-a-service offerings that allow attackers to focus on infecting systems, while in effect outsourcing the development and maintenance of the malware they use, typically in return for a subscription fee. As with all parts of the cybercrime service economy, MaaS offerings are becoming less expensive to procure while offering increasingly powerful capabilities (see: From Cybercrime Zero to 'Hero' - Now Faster Than Ever).

"MaaS operations cannot be written off as merely 'commodity' malware, since their client pool includes very skilled groups that can and will cause serious damage if allowed to do so," Intel 471 says.

Such operations can also be extremely lucrative for everyone involved. One subset of MaaS is ransomware-as-a-service, of which Sodinokibi - aka REvil - is the most popular offering. "Affiliates" of the program get a version of the ransomware tied to their unique affiliate ID and keep 60 percent to 70 percent of every ransom paid, while the RaaS operators pocket the rest (see: Sodinokibi Ransomware Gang Appears to Be Making a Killing).

Cybercrime Trifecta

On their own, any of these pieces of malware can wreak plenty of havoc. By combining forces, however, they can do even more damage.

One of the more problematic tie-ups remains the combination of Emotet, a sophisticated strain of malware that started life as a banking Trojan, with TrickBot and Ryuk ransomware. TrickBot also started life as a banking Trojan, and like Emotet it has since been updated to work as a downloader: Once it infects a system, the botnet's controllers can push additional modules or functionality onto the infected - or zombie - endpoint. In some cases, TrickBot or Emotet is then used to install Ryuk ransomware on those endpoints.

Ryuk, which is based on Hermes ransomware, was first spotted in August 2018. Since then, its developers have continued to refine the code.

Last year, Emotet and TrickBot were two of the most-seen strains of malware, and their popularity hasn't waned. In January, the U.S. Cybersecurity and Infrastructure Security Agency warned that it had been seeing a fresh surge in Emotet attacks (see: Emotet Malware Alert Sounded by US Cybersecurity Agency).

Not every Emotet, TrickBot or Ryuk infection necessarily involves more than one of those pieces of malware being installed. But incident responders should assume that when they find one, more might have also been pushed into an IT environment.

"In the new age of 'ransomhack' incidents, it is imperative to treat and investigate ransomware matters as possible data breaches to mitigate and understand the scope of the intrusion," New York-based threat intelligence firm Advanced Intelligence, also known as AdvIntel, says in a recent report.

Target: Active Directory

Emotet, TrickBot and Ryuk are sometimes seen on their own in attacks, experts say, but they also often appear together. "Many of the Ryuk incidents we’ve been privy to have involved both Emotet and TrickBot," Intel 471 says. When they do, the attacks typically unfold in a very specific way. Emotet arrives first and acts as a downloader for TrickBot. TrickBot then installs tools such as the Cobalt Strike penetration testing framework, which the attackers use to gain access to admin panels and to an organization's Domain Admin credentials, and with those, unrestricted access to Active Directory. At that point it's typically "game over" for defenders (see: Why Hackers Abuse Active Directory).

Such attacks do, however, appear to require hands-on hacking skills rather than pure automation. "The deployment of Cobalt Strike does not appear to be automated, but instead is initiated on specific bots that match a profile," Intel 471 says. With control of AD, attackers gain easy remote access to all systems across the network and can set group policy objects that disable anti-virus and other security defenses on endpoints. "Find the domain controller and you have the keys to a network," Intel 471 says.
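One check this suggests for defenders, added here as an example that is not part of the article and not Intel 471's or Microsoft's tooling: audit every Group Policy Object for administrative-template policies that turn endpoint protection off. It assumes each GPO was exported to XML with the GroupPolicy PowerShell module (for example `Get-GPO -All | ForEach-Object { Get-GPOReport -Guid $_.Id -ReportType Xml -Path "$($_.DisplayName).xml" }`), models its element names on that report format, and uses two constructed reports embedded inline; the policy-name pattern is an assumption to tune against real exports.

```python
"""Flag Group Policy Objects that turn endpoint protection off.

Added example, not code from the article or from Microsoft. It assumes each
GPO was exported with the GroupPolicy PowerShell module, e.g.
  Get-GPO -All | ForEach-Object {
      Get-GPOReport -Guid $_.Id -ReportType Xml -Path "$($_.DisplayName).xml" }
and models the element names on that XML report. The two reports below are
constructed, and the policy-name pattern is an assumption to tune on real data.
"""
import re
import xml.etree.ElementTree as ET

# Administrative-template policy names that switch protection off when Enabled
# (assumed pattern; extend it with the names used in your own environment).
DISABLING_RE = re.compile(
    r"turn off .*(defender|antivirus|anti-?malware|real-?time protection|firewall)",
    re.IGNORECASE,
)

# Constructed report: the kind of GPO an intruder holding Domain Admin might push.
SUSPICIOUS_GPO = """
<GPO xmlns="http://www.microsoft.com/GroupPolicy/Settings">
  <Name>Workstation Hardening</Name>
  <Computer>
    <ExtensionData>
      <Extension xmlns:q1="http://www.microsoft.com/GroupPolicy/Settings/Registry">
        <q1:Policy>
          <q1:Name>Turn off Microsoft Defender Antivirus</q1:Name>
          <q1:State>Enabled</q1:State>
        </q1:Policy>
        <q1:Policy>
          <q1:Name>Turn off real-time protection</q1:Name>
          <q1:State>Enabled</q1:State>
        </q1:Policy>
      </Extension>
    </ExtensionData>
  </Computer>
</GPO>
"""

# Constructed report: the same policy explicitly Disabled, plus an unrelated one.
BENIGN_GPO = """
<GPO xmlns="http://www.microsoft.com/GroupPolicy/Settings">
  <Name>Default Domain Policy</Name>
  <Computer>
    <ExtensionData>
      <Extension xmlns:q1="http://www.microsoft.com/GroupPolicy/Settings/Registry">
        <q1:Policy>
          <q1:Name>Turn off Microsoft Defender Antivirus</q1:Name>
          <q1:State>Disabled</q1:State>
        </q1:Policy>
        <q1:Policy>
          <q1:Name>Configure detection for potentially unwanted applications</q1:Name>
          <q1:State>Enabled</q1:State>
        </q1:Policy>
      </Extension>
    </ExtensionData>
  </Computer>
</GPO>
"""

REPORTS = [SUSPICIOUS_GPO, BENIGN_GPO]


def _local(tag):
    """Strip the namespace from an ElementTree tag: '{ns}Policy' -> 'Policy'."""
    return tag.rsplit("}", 1)[-1]


def gpo_name(root):
    """Display name of the GPO: the <Name> element directly under <GPO>."""
    for child in root:
        if _local(child.tag) == "Name" and child.text:
            return child.text.strip()
    return "<unnamed>"


def find_defense_disabling(xml_text):
    """Return (gpo_name, policy_name) for each Enabled policy matching DISABLING_RE."""
    root = ET.fromstring(xml_text.strip())
    findings = []
    for policy in root.iter():
        if _local(policy.tag) != "Policy":
            continue
        name = state = None
        for child in policy:
            if _local(child.tag) == "Name":
                name = (child.text or "").strip()
            elif _local(child.tag) == "State":
                state = (child.text or "").strip()
        if name and state == "Enabled" and DISABLING_RE.search(name):
            findings.append((gpo_name(root), name))
    return findings


def audit(reports):
    """Run the check over a list of XML report strings and collect all findings."""
    findings = []
    for xml_text in reports:
        findings.extend(find_defense_disabling(xml_text))
    return findings


if __name__ == "__main__":
    for gpo, policy in audit(REPORTS):
        print(f"[!] GPO '{gpo}' enables: {policy}")
```

This only inspects administrative-template policies. An attacker with Domain Admin can also neuter defenses through Group Policy Preferences registry items, scheduled tasks or startup scripts, so the same walk should be extended to those report sections, and any GPO that is new or recently modified (the `ModificationTime` property returned by `Get-GPO`) deserves a manual look regardless of what it names itself.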

The approach practiced by these groups "is a mix of automation," via automated malware such as Emotet and TrickBot, "but they also use some human network exploitation factor," said Vitali Kremez, in a presentation delivered at the CONFidence 2019 conference held last June in Krakow, Poland. The modus operandi is simple: With the automated malware providing the foothold, find and exploit Active Directory to gain "full god mode," borrowing the video game term for a player who can do whatever they want inside an environment.

To have a range of targets to choose from, TrickBot last year was notching up 500 to 5,000 new infections per day, some delivered via Emotet as a loader and others via third parties, often through emails with malicious, macro-enabled Office files attached, said Kremez, who leads SentinelLabs at security firm SentinelOne.

"Inside Cybercrime Groups Harvesting Active Directory for Fun," a presentation delivered by Vitali Kremez at the June 2019 CONFidence conference in Krakow, Poland.

This approach is "very clever, and it enables them to be very successful," Kremez said. "This is the current, most successful model exploiting and targeting huge corporations, banking environments, counties and governments in the U.S. and all over the world."

Final Stage: Ryuk

Such attacks may unfold over a period of days, weeks or even months (see: Ransomware Attackers May Lurk for Months, FBI Warns).

The final stage in these attacks can include installing Ryuk as a money-making coup de grâce. But attackers typically install ransomware - Ryuk or otherwise - only at the very end of a much longer attack chain, in part because unleashing crypto-locking malware is very noisy: It reveals that hackers have been camping out in an organization's network, if administrators had not yet detected their presence. Before the ransomware shows up, however, attackers may already have ransacked network-connected systems for card data, financial information, customer databases and any other sensitive or confidential information that they might be able to sell via cybercrime forums to other criminals or even intelligence agencies.

For any organization that discovers Ryuk and thinks they may not have first been infected with TrickBot or Emotet, Kremez said it's much more likely that attackers instead just scrubbed their tracks. "It's never just Ryuk," he said.

Distribution: Spam, Emotet, Other Malware

While it's not clear who's behind any of the different pieces of malware, "TrickBot likely is operated by a single group as a malware-as-a-service platform that caters to a relatively small number of top-tier criminals," Intel 471 says.

Based on studying 37,000 TrickBot samples over an 18-month period, Intel 471 says it has identified 59 unique group IDs, each used together with a numeric code that appears to designate a unique campaign. It says 92 percent of all TrickBot samples trace to just five IDs - jim, lib, ono, sat and tot - each of which has its own practices and procedures.

"For example, it’s suspected that jimXX, libXX and totXX are primarily delivered by malspam [spam]. We know that every morXX-related sample we observed was delivered via Emotet," the firm says. "All samples attributed to sinXX, tinXX and winXX were delivered via Bokbot, aka IcedID. Samples attributed to wmdXX seem to utilize several different loaders, such as Amadey, FastLoader and an unnamed loader. Lastly, satXX, summ1 and trg1 all utilized the Ostap JavaScript loader for delivery."
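The group-tag scheme above lends itself to a small triage tool for incident responders who have pulled the tag out of a TrickBot configuration. What follows is an added example, not code from Intel 471 or from the article: it parses constructed tags of the assumed form "letters then campaign digits" (for example jim45, summ1), maps each group ID to the delivery vector Intel 471 reports for it, and computes how much of a sample set the top five IDs account for. The sample list is constructed, and "ono" is deliberately left out of the mapping because the report excerpt gives no vector for it.

```python
"""Attribute TrickBot samples to their group tag ("gtag") and delivery vector.

Added example, not code from Intel 471 or from this article. The samples
below are constructed; the tag-to-loader mapping comes from the Intel 471
findings quoted above. Assumed tag format: an alphabetic group ID followed
by a numeric campaign code, e.g. "jim45" or "summ1".
"""
import re
from collections import Counter

# Delivery vector per group ID, as reported by Intel 471. "ono" is among the
# top five IDs but the report excerpt gives no vector for it, so it is omitted.
DELIVERY = {
    "jim": "malspam (suspected)",
    "lib": "malspam (suspected)",
    "tot": "malspam (suspected)",
    "mor": "Emotet",
    "sin": "Bokbot/IcedID",
    "tin": "Bokbot/IcedID",
    "win": "Bokbot/IcedID",
    "wmd": "multiple loaders (Amadey, FastLoader, unnamed)",
    "sat": "Ostap JavaScript loader",
    "summ": "Ostap JavaScript loader",
    "trg": "Ostap JavaScript loader",
}

# Group ID (letters) followed by the campaign number (digits); matched lowercase.
TAG_RE = re.compile(r"^([a-z]+)(\d+)$")

# Constructed sample set: (sample identifier, gtag recovered from the config).
SAMPLES = [
    ("sample-01", "jim45"),
    ("sample-02", "jim47"),
    ("sample-03", "lib12"),
    ("sample-04", "tot98"),
    ("sample-05", "ono1"),
    ("sample-06", "sat3"),
    ("sample-07", "mor27"),
    ("sample-08", "summ1"),
    ("sample-09", "trg1"),
    ("sample-10", "win5"),
    ("sample-11", "wmd1"),
    ("sample-12", "JIM46"),   # mixed case still attributes to "jim"
    ("sample-13", "ono7"),
    ("sample-14", "???"),     # malformed tag, must not crash the run
]


def parse_gtag(tag):
    """Split a gtag into (group_id, campaign_number); None if it is malformed."""
    match = TAG_RE.match(tag.strip().lower())
    if not match:
        return None
    return match.group(1), int(match.group(2))


def attribute(samples):
    """Return one (sample, group_id, campaign, delivery_vector) row per sample."""
    rows = []
    for sample, tag in samples:
        parsed = parse_gtag(tag)
        if parsed is None:
            rows.append((sample, None, None, "unparseable tag"))
            continue
        group, campaign = parsed
        rows.append((sample, group, campaign, DELIVERY.get(group, "unknown vector")))
    return rows


def group_share(samples, top_n=5):
    """Top-n group IDs by sample count and the fraction of parsed samples they cover."""
    counts = Counter(group for _, group, _, _ in attribute(samples) if group)
    total = sum(counts.values())
    top = counts.most_common(top_n)
    covered = sum(n for _, n in top)
    return [group for group, _ in top], (covered / total if total else 0.0)


def delivery_summary(samples):
    """Count samples per delivery vector, including unknown and unparseable ones."""
    return Counter(vector for _, _, _, vector in attribute(samples))


if __name__ == "__main__":
    for row in attribute(SAMPLES):
        print(row)
    top, share = group_share(SAMPLES)
    print(f"top groups {top} cover {share:.0%} of parsed samples")
    for vector, n in delivery_summary(SAMPLES).most_common():
        print(f"{n:3d}  {vector}")
```

The delivery vector is the useful output for a responder: A "mor" tag says Emotet is almost certainly also present, a "sin", "tin" or "win" tag points at IcedID, and a "sat", "summ" or "trg" tag means the initial access ran through the Ostap JavaScript loader, which is where the scoping of the intrusion should start.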

Ransomware Gangs Leak Stolen Data

But not all attackers bring multiple pieces of malware to bear in their attempt to maximize profits. In recent months, one widely practiced ransomware innovation has been to not just steal information before unleashing crypto-locking malware, but also threaten to release stolen data if a victim doesn't pay the ransom demand. Gangs are hoping these tactics will lead to more paydays, although experts say it's not clear yet if this tactic has been working.

The Maze ransomware gang blazed the data-leaking trail last November, and was quickly followed by other groups, including DoppelPaymer, MegaCortex, Nemty, Snatch and Sodinokibi (see: More Ransomware Gangs Join Data-Leaking Cult).

Manifesto recently released by Maze (Source: AdvIntel)

"REvil, MegaCortex, Truniger (TeamSnatch), Nemty, Clop, BitPyLock - these ransomware groups are different in their origin, scale and methods; however, one thing unites them all - before encrypting the victim’s data, they steal it and then threaten the victim to publish sensitive files," according to Advanced Intelligence.

Security experts tell Information Security Media Group that so far, Ryuk doesn't appear to have been tied to any leaks. But that might be because Ryuk's operators are making such a killing that they don't need to bother. In the second half of 2019, the ransom payments sent to Ryuk by victims more than doubled, according to ransomware incident response firm Coveware.

"Exfiltration is a somewhat risky strategy," Brett Callow, a threat analyst at security firm Emsisoft, tells ISMG. "Unless data is being pulled directly from cloud backups, it’s possible the company will notice the unusual activity and lock down its network. Some groups obviously think that risk to be worthwhile, however, Ryuk is raking in so much money that they may see no reason to assume that risk."

Source: Coveware

In the meantime, other ransomware gangs continue to run with the "pay us or we'll leak your data" model, often via dedicated leak sites for naming and shaming victims as well as posting stolen data. Earlier this year, for example, the DoppelPaymer gang hit Visser Precision, which makes automobile, aerospace and manufacturing industry components for Boeing, SpaceX, Tesla, Lockheed Martin and others, and subsequently began leaking data tied to those organizations to try and force a ransom payment.

Lockheed Martin last month issued a statement saying it is aware of the attack on Visser and is "following our standard response process for potential cyber incidents related to our supply chain" (see: DoppelPaymer Ransomware Slams Supplier to Boeing and Tesla).

RagnarLocker Shakes Down EDP

More recently, the gang behind RagnarLocker ransomware has been attempting to extort 1,580 bitcoins - worth about €10 million ($11 million) - from Energias de Portugal, aka EDP, a major electric utility based in Lisbon.

"We had downloaded more than 10 TB of private information from EDP group servers," reads a post to the gang's data-leaking site, Bleeping Computer reports.

RagnarLocker ransom note (Source: Vitali Kremez)

SentinelLabs' Kremez says the ransomware includes a number of features designed to make it difficult for victims to restore their systems.

As in so many ransomware infection cases, "the actors were in the victim's network for some time before running the [ransomware]," the anti-malware group MalwareHunterTeam reports. "Obviously we can't tell from when they were in EDP's network," but based on files leaked so far, the gang appears to have already begun stealing information by April 6.

About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as executive editor of DataBreachToday and leads European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
