By Keren Pollack, on December 10th, 2019

A new trend of combined triple-threat attacks has become increasingly prevalent. The triple attack combines Emotet and TrickBot, two relatively old threats, which are leveraged to deliver the third party of this combo: the relatively new ransomware Ryuk.
Ryuk ransomware is considered extremely painful because recovering from it is almost impossible. In this case, Emotet and TrickBot serve as the intruder and the dropper of Ryuk, doing their own damage along the way by stealing data and spreading through the system. Once the attackers identify the victim as ‘worth attacking’, they use Ryuk to leave the attacked organization with no choice but to pay the demanded ransom.
Once an organization has been attacked, it is almost impossible to recover and avoid the ransom, but there are actions you can take to prevent this situation. This article covers CalCom’s technical team’s hardening recommendations for preventing Emotet, TrickBot and Ryuk, whether separately or as a combined campaign.




Emotet is a banking Trojan, first discovered by researchers in 2014. The malware’s main target was stealing banking credentials. Typically, Emotet is spread via spam email campaigns, using social engineering to trick the user into clicking a link or downloading the malware. It can also hijack already compromised email accounts. After infecting one machine, the malware uses worm-like capabilities and sends spam emails to other addresses found in the infected machine’s contact list.

This spreading ability is what led the Department of Homeland Security to conclude that Emotet is one of the most costly and destructive malware, affecting sectors such as government, organizations and even individuals, and costing up to $1M per incident to recover.
If Emotet identifies that the machine is connected to a network, it uses a brute-force attack to try to connect to servers on the network. Machines protected by weak passwords will probably get infected. After spreading in the network and infecting the system, Emotet uses functionality that helps it evade detection by anti-malware tools.
The recent attack uses Emotet not only for stealing banking credentials but also for deploying ransomware, creating a combo attack that uses Emotet for the initial infection.

The triple attack combines Emotet, TrickBot & Ryuk


TrickBot is a banking Trojan that can act as a dropper for other malware. It uses a man-in-the-browser attack to steal financial information. A man-in-the-browser attack is a proxy Trojan that infects a web browser by leveraging the browser’s vulnerabilities. It modifies web pages or transaction content, or inserts additional transactions, all invisible to the user and the host. Some of TrickBot’s modules abuse the SMB protocol to spread the carried malware laterally across the network. If this is the case, the malware can easily spread in the organization, since hardware and software configurations in a system tend to be homogeneous.

Systems usually get infected by TrickBot via spam mail campaigns. One of its common disseminators is Emotet. The malspam campaigns that deliver TrickBot use third-party branding familiar to the target, such as Microsoft documents. Opening the attachment executes a VBScript that runs a PowerShell script and downloads the malware. TrickBot can check that it isn’t running in a sandbox environment and can disable antivirus programs, such as Microsoft’s Windows Defender. Once executed, TrickBot redeploys itself in the “%AppData%” folder and creates a scheduled task to provide persistence.
TrickBot determines the infected host’s public IP address and starts receiving instructions from the command-and-control (C2) server. The TrickBot is then ready to download modules that are sent with a configuration file. The C2 servers constantly change and the TrickBot infection is updated with the new information, continuing to download modules. Those modules perform tasks for stealing banking information, system/network reconnaissance, credential harvesting, and network propagation.
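
One way to hunt for the persistence pattern described above, as an added example that is not part of the original article: the PowerShell below lists scheduled tasks whose action runs from a user AppData path and reports the signature status of the target binary. The regular expression and the output columns are choices made for this example.

```powershell
# Added example: triage scheduled tasks whose action runs from a user AppData path.
# Read-only; run in an elevated session so tasks of all users are visible.
$appDataRx = '\\AppData\\(Roaming|Local|LocalLow)\\|%(LOCAL)?APPDATA%'

$findings = foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }       # COM-handler actions have no Execute
        $raw = "$($action.Execute) $($action.Arguments)"
        if ($raw -notmatch $appDataRx) { continue }  # -notmatch is case-insensitive

        # Expand %VAR% references and strip quotes so the file can be inspected.
        # Expansion uses the auditing user's environment, so a path stored as
        # %APPDATA% may resolve to a different profile than the task's own user.
        $exe = [Environment]::ExpandEnvironmentVariables($action.Execute.Trim('"'))
        $sig = if (Test-Path -LiteralPath $exe -PathType Leaf) {
            (Get-AuthenticodeSignature -FilePath $exe).Status
        } else {
            'FileNotFound'
        }

        # Signature describes Execute only. When the AppData path sits in
        # Arguments (a script host running a script), review the script itself.
        [pscustomobject]@{
            Task       = $task.TaskPath + $task.TaskName
            RunAs      = $task.Principal.UserId
            Execute    = $exe
            Arguments  = $action.Arguments
            Signature  = $sig
            Registered = $task.Date
        }
    }
}

# Unsigned or missing binaries first; validly signed ones sort last.
$findings | Sort-Object { $_.Signature -eq 'Valid' }, Task | Format-Table -AutoSize -Wrap
```

Legitimate per-user software also registers tasks that run from AppData, so treat the output as a triage list rather than a verdict.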



Ryuk ransomware was first detected in August 2018. Ryuk is a crypto-ransomware that blocks access to a system, device or file by encrypting the information and its backups, including ones held by third-party applications. Ryuk only decrypts the data once a ransom is paid according to what is written in the ransom note, a ‘RyukReadMe.txt’ file placed in every folder on the system.
Ryuk is usually dropped on the system by other malware. TrickBot is often used as Ryuk’s dropper. Ryuk can sometimes gain access to the system via Remote Desktop Services.

Ryuk’s dropper contains both 32-bit and 64-bit modules of the ransomware. The dropper chooses the right module according to the process that’s currently running.
Detecting the dropper in the system is difficult since the main payload deletes it after the execution (as explained above). After deleting the dropper, the malware tries to stop any antivirus and anti-malware processes and services. It uses a configuration list which can kill 40 processes and 180 services through taskkill and net stop commands. This configuration list contains antivirus processes, backups, databases, and document editing software. The main payload also injects malicious payloads into processes, such as a remote process. This allows the malware to access the volume shadow service and delete all shadow copies, including ones used by third-party applications. In addition, it deletes files that have backup-related extensions and any backup that is connected to the infected machine or network, making recovery nearly impossible for the attacked organization.
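
The burst of taskkill and net stop commands described above is a usable detection signal. The following PowerShell is an added example, not code from the article or from CalCom: the function name, the threshold of 10 commands in 60 seconds, the record fields (Time, Computer, CommandLine) and the sample records are all assumptions constructed for illustration.

```powershell
# Added example: flag hosts where many taskkill / net stop commands run in a short window.
function Find-StopBurst {
    param(
        [Parameter(Mandatory)] [object[]]$ProcessEvents,  # needs Time, Computer, CommandLine
        [int]$Threshold = 10,       # assumed tuning value
        [int]$WindowSeconds = 60    # assumed tuning value
    )
    $stopRx = '(?i)\b(taskkill(\.exe)?"?\s+.*(/im|/pid)\b|net1?(\.exe)?"?\s+stop\s)'
    $hits = $ProcessEvents | Where-Object { $_.CommandLine -match $stopRx }

    foreach ($group in ($hits | Group-Object Computer)) {
        $sorted = @($group.Group | Sort-Object Time)
        $start = 0
        for ($end = 0; $end -lt $sorted.Count; $end++) {
            # Slide the left edge until the window spans at most WindowSeconds.
            while (($sorted[$end].Time - $sorted[$start].Time).TotalSeconds -gt $WindowSeconds) {
                $start++
            }
            $count = $end - $start + 1
            if ($count -ge $Threshold) {
                [pscustomobject]@{
                    Computer = $group.Name
                    From     = $sorted[$start].Time
                    To       = $sorted[$end].Time
                    Commands = $count
                    First    = $sorted[$start].CommandLine
                }
                break   # one alert per host is enough
            }
        }
    }
}

# Constructed sample: 12 stop commands in 12 seconds on HOST-A,
# ordinary admin activity on HOST-B (which must not alert).
$t0 = Get-Date '2019-12-10T09:00:00'
$sample = @(
    0..5  | ForEach-Object { [pscustomobject]@{ Time = $t0.AddSeconds($_); Computer = 'HOST-A'
                                               CommandLine = "taskkill /IM example$_.exe /F" } }
    6..11 | ForEach-Object { [pscustomobject]@{ Time = $t0.AddSeconds($_); Computer = 'HOST-A'
                                               CommandLine = "net stop `"ExampleSvc$_`" /y" } }
    [pscustomobject]@{ Time = $t0; Computer = 'HOST-B'; CommandLine = 'net stop Spooler' }
    [pscustomobject]@{ Time = $t0.AddMinutes(30); Computer = 'HOST-B'; CommandLine = 'net start Spooler' }
)
Find-StopBurst -ProcessEvents $sample | Format-List
```

On real systems the input would come from process-creation logging with command lines included; only HOST-A is reported for the sample above.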


Ryuk attack: protect your organization


The Emotet, TrickBot & Ryuk combo:

This triple-threat campaign starts with a weaponized Microsoft Office document attached to a phishing email. The malicious code embedded in the document executes a PowerShell command that attempts to download the Emotet payload. Once it succeeds, Emotet infects the affected machine and gathers information on it.
It also initiates the download and execution of TrickBot Trojan from a remote C2 server that it communicates with.
When TrickBot executes, it creates an installation folder containing a copy of Ryuk malware, encrypted malicious modules, and their configuration files. TrickBot also creates a scheduled task and a service to ensure persistence.
In addition to stealing information using TrickBot, the attackers check whether the machine qualifies as a target. If so, they download the Ryuk ransomware payload and use admin credentials stolen by TrickBot to move laterally in the network and search for assets worth infecting. Once these are found, the main Ryuk payload injects itself into multiple processes and achieves persistence by using the registry.

CalCom’s hardening recommendations for protecting your system from the combined attack:

1. Restrict the use of system administration tools such as PsExec. Only use tools that admins need.
2. Disable unnecessary services, i.e., RDP/terminal services.
3. Ensure logging is enabled wherever possible, and review logs to search for errors, anomalies or suspicious activity that deviates from the norm.
4. Ensure PowerShell logging and security by limiting and hardening PowerShell usage, logging trusted PowerShell processes and removing remote invocation.
5. Activate Software Restriction Policies (SRP) in a pinpoint manner:
SRPs identify software programs running on computers in a domain. SRPs control the ability of those programs to run, including from specific file path locations, e.g., the %APPDATA% directory in the user profile. Software restriction policies are part of the Microsoft security and management strategy and CIS recommendations.
6. Disable and remove SMB v1 and SMB v2 in your environment.
7. Disable and remove old authentication protocols such as LM & NTLM 1.
8. Restrict RDP/terminal services on all levels. Enforce best practice secure configuration:
*limit connections.
*limit device redirection.
*use network-level authentication and limit authentication types.
*limit RDP groups and RDP user’s rights assignment authorizations.
9. Configure tunneling of Remote Desktop connections through IPSec or SSH.
10. Restrict privileged and service accounts on a per-OS, per-server, per-role basis.
11. Disable local hash saving and control the server’s credential manager.
12. Harden your servers based on CIS benchmarks and CIS controls.
13. Configure and harden your Active Directory/Domain Controllers more securely.
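
A read-only audit of several of these recommendations (items 2, 4, 6 for SMB v1, 7, 8 and 11), as an added example that is not CalCom's tooling. The helper names are hypothetical; the registry values and the Get-SmbServerConfiguration cmdlet are standard Windows ones, and the mapping from list item to setting is this example's interpretation.

```powershell
# Added example: read-only check of a subset of the hardening list above.
# Run in an elevated session; Get-SmbServerConfiguration requires it.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    # $null means the key or value is absent, i.e. the setting is not configured
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function New-Check {
    param([string]$Item, $Actual, [string]$Expected, [scriptblock]$Test)
    [pscustomobject]@{
        Item     = $Item
        Actual   = if ($null -eq $Actual) { '<not set>' } else { $Actual }
        Expected = $Expected
        Pass     = [bool](& $Test $Actual)
    }
}

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$sbl = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'

$results = @(
    # Item 2: RDP switched off where it is not needed
    New-Check '2  RDP connections denied' (Get-RegValue $ts 'fDenyTSConnections') '1' { $args[0] -eq 1 }
    # Item 8: where RDP must stay on, require network-level authentication
    New-Check '8  RDP requires NLA' (Get-RegValue "$ts\WinStations\RDP-Tcp" 'UserAuthentication') '1' { $args[0] -eq 1 }
    # Item 4: PowerShell script block logging enforced by policy
    New-Check '4  Script block logging' (Get-RegValue $sbl 'EnableScriptBlockLogging') '1' { $args[0] -eq 1 }
    # Item 6: SMB v1 server protocol disabled
    New-Check '6  SMB v1 server enabled' (Get-SmbServerConfiguration).EnableSMB1Protocol 'False' { $args[0] -eq $false }
    # Item 7: level 5 = send NTLMv2 only, refuse LM and NTLM
    New-Check '7  LmCompatibilityLevel' (Get-RegValue $lsa 'LmCompatibilityLevel') '5' { $args[0] -ge 5 }
    # Item 11: do not store LM hashes; do not store network credentials
    New-Check '11 NoLMHash' (Get-RegValue $lsa 'NoLMHash') '1' { $args[0] -eq 1 }
    New-Check '11 DisableDomainCreds' (Get-RegValue $lsa 'DisableDomainCreds') '1' { $args[0] -eq 1 }
)

$results | Format-Table -AutoSize
```

A value reported as `<not set>` means the operating system default applies, so it is marked as failing until the setting is configured explicitly.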



How CHS automates your hardening process and protects your organization:

Recovering after all of your data, including your backups, has been encrypted sounds almost impossible, but a lot can be done to prevent this situation from happening. Although some of the actions, such as disabling SMB, sound straightforward, implementing them consumes time and effort and often doesn’t prevent the unwanted outcome of production damage.
CHS can save you all this headache. CHS learns your environment and maps it. It then implements your desired policy, defined either by your organization or based on best practices such as the CIS benchmarks, without the risk of server outages. The entire control is centralized, allowing you to minimize access to those critical assets. After implementing your desired policy, CHS continues to monitor your environment, alerting you to any undesired configuration drift.







