Ryuk Ransomware Gang Uses Zerologon Exploit to Achieve Domain-Wide Encryption in Just 5 Hours

The threat actors behind Ryuk ransomware have started using an exploit for the Zerologon privilege escalation flaw, CVE-2020-1472, which has allowed them to perform ransomware attacks at breakneck speed. The Zerologon vulnerability allows them to compromise a domain controller and all Active Directory identity services.

In one successful attack, it took the attackers just two hours from an initial phish to exploit the vulnerability, and just 5 hours from the phish to domain-wide encryption.

The initial phishing attack involved tricking a user into installing the Bazar loader, according to researchers at the DFIR Report who investigated the attack. The attackers then mapped the domain using Nltest and exploited the Zerologon vulnerability to elevate privileges to administrator. They reset the machine password of the primary domain controller, moved laterally to the secondary domain controller, and used Net and the PowerShell Active Directory module for further domain discovery.

“After moving laterally to the secondary domain controller, the threat actor started on more domain discovery via Net and the PowerShell Active Directory module,” explained the researchers. “From there, the threat actors appeared to use the default named pipe privilege escalation module on the server. At this point, the threat actors used RDP to connect from the secondary domain controller, to the first domain controller, using the built-in Administrator account.”

They then dropped and executed a Cobalt Strike beacon, used AdFind to perform more domain reconnaissance, and were ready to deploy their ransomware payload after just 4 hours. They first targeted backup servers, then servers, followed by workstations. Finally, they executed the ransomware on the primary domain controller.
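The step that makes this chain so fast is the Zerologon exploit resetting the primary domain controller's machine account password. On a patched or unpatched DC that reset leaves a trace in the Security log: a computer-account-changed event (Event ID 4742) where the target is the DC's own machine account and the caller is an unauthenticated ANONYMOUS LOGON. The detector below is an added example, not code from the NetSec.news article or from the DFIR Report; the event records, the DC names and the simplified field names are constructed assumptions for illustration, not a real log format.

```python
"""
Added example: scan simplified Windows Security event records for the
Zerologon (CVE-2020-1472) footprint, a domain controller's machine account
(NAME$) having its password reset by an unauthenticated caller.
All records and field names below are constructed for this example.
"""

# Assumed names of the domain controllers to watch (constructed).
DOMAIN_CONTROLLERS = {"DC01", "DC02"}

# Constructed sample events, loosely modelled on Event ID 4742
# ("A computer account was changed") and 4624 (logon). Simplified layout.
SAMPLE_EVENTS = [
    # routine: a workstation's machine account rotates on its own
    {"time": "2020-10-18T13:02:11", "event_id": 4742, "computer": "DC01",
     "subject_user": "WS-042$", "target_account": "WS-042$",
     "password_last_set_changed": True},
    # suspicious: DC01's own account reset by ANONYMOUS LOGON (Zerologon pattern)
    {"time": "2020-10-18T13:41:05", "event_id": 4742, "computer": "DC01",
     "subject_user": "ANONYMOUS LOGON", "target_account": "DC01$",
     "password_last_set_changed": True},
    # network logon by ANONYMOUS LOGON shortly after; not a 4742, so ignored here
    {"time": "2020-10-18T13:41:07", "event_id": 4624, "computer": "DC01",
     "subject_user": "-", "target_account": "ANONYMOUS LOGON", "logon_type": 3},
    # routine: DC02 rotating its own machine password (scheduled rotation)
    {"time": "2020-10-18T13:55:30", "event_id": 4742, "computer": "DC02",
     "subject_user": "DC02$", "target_account": "DC02$",
     "password_last_set_changed": True},
]


def is_dc_account(account, dcs=DOMAIN_CONTROLLERS):
    """True if `account` is the machine account (NAME$) of a watched DC."""
    return account.endswith("$") and account[:-1].upper() in {d.upper() for d in dcs}


def find_zerologon_indicators(events, dcs=DOMAIN_CONTROLLERS):
    """Return one alert dict per 4742 event that reset a DC machine password.

    high   : caller was ANONYMOUS LOGON, the pattern an unauthenticated
             Zerologon exploit leaves behind.
    medium : caller was some other principal; legitimate resets exist
             (e.g. an admin using netdom), so confirm rather than ignore.
    A DC resetting its own account is the normal scheduled rotation and is
    not reported.
    """
    alerts = []
    for ev in events:
        if ev.get("event_id") != 4742 or not ev.get("password_last_set_changed"):
            continue
        target = ev["target_account"]
        if not is_dc_account(target, dcs):
            continue
        subject = ev["subject_user"]
        if subject.upper() == "ANONYMOUS LOGON":
            severity = "high"
            reason = "DC machine account password reset by an unauthenticated caller"
        elif subject.upper() == target.upper():
            continue  # routine self-rotation
        else:
            severity = "medium"
            reason = "DC machine account password reset by another principal; verify it was intended"
        alerts.append({
            "time": ev["time"],
            "dc": ev["computer"],
            "target_account": target,
            "subject_user": subject,
            "severity": severity,
            "reason": reason,
        })
    return alerts


if __name__ == "__main__":
    for alert in find_zerologon_indicators(SAMPLE_EVENTS):
        print(f"[{alert['severity'].upper()}] {alert['time']} {alert['dc']}: "
              f"{alert['subject_user']} reset {alert['target_account']} ({alert['reason']})")
```

Run against the constructed records it raises exactly one high-severity alert, for the reset of DC01$ by ANONYMOUS LOGON, and stays silent on the two routine rotations. Given the one-hour response window the researchers describe, an alert of this kind belongs on a paging channel rather than in a daily report; the medium tier exists because a DC machine password can be reset legitimately and the analyst needs to confirm, not auto-close, those cases.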

Previous attacks have involved targeting high-privileged users; however, by using the Zerologon vulnerability that was not necessary. In the latest attack, the initial phish was performed on a domain user with no other privileges.

While previous attacks have taken up to two days from the initial compromise to file encryption, their new approach is far faster, giving victims much less time to identify the attack in progress and take action.

“You need to be ready to act in less than an hour, to make sure you can effectively disrupt the threat actor,” said the researchers.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news