What links today's most common malware families Emotet, Trickbot and Ryuk? They like to turn up together
– and as a result, they can cause considerable damage. In this blog article, my cyber security analyst team and I discuss what the trio is all about and how you can protect yourself from this ensemble.
Over the past few months, our cyber security analysts, forensic experts and incident responders at InfoGuard have repeatedly been confronted with these three malware families – including the Offix case, which has recently been covered in the media. As part of incident response, our team was always on hand to work with the affected customers to get IT operations running again as quickly as possible. We also noticed that Emotet, Trickbot and Ryuk often appear together. Why is this? Each of the three plays a different role in the attack, and (unfortunately) they complement each other perfectly.
When Emotet first appeared in 2014, it was designed as an e-banking Trojan: it installed itself on the compromised system and attempted to capture e-banking login data. Today, Emotet's speciality is the initial compromise of systems. The Trojan goes so far as to steal entire e-mail histories and reply into the stolen threads, so that the resulting "malspam" arrives as an apparently legitimate answer to a real conversation. (We have already covered this topic in detail in this article.) Once inside, Emotet can spread further within a company using a variety of methods. Today, Emotet is used primarily as an entry point into a corporate network. That access is then either resold on the darknet or used by the attackers to install additional malware – usually Trickbot.
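One way to put the thread-hijacking trait to defensive use: the following Python script, an added example and not code from InfoGuard or the original article, scores inbound mail on traits that Emotet-style hijacked replies tend to combine (a reply-style subject without the threading headers a real mail client adds, a Reply-To that steers answers away from the visible sender, an external sender quoting our own staff's addresses, and a macro-capable Office attachment). The domain example.com, the two sample messages and the one-point-per-trait weighting are constructed assumptions; this is a triage heuristic for a mail gateway or SOC playbook, not a signature.

```python
"""Triage heuristic for Emotet-style thread-hijacking malspam.

Added example, not code from InfoGuard or the original article. Emotet
replies into e-mail threads it has stolen, so the lure looks like an
answer to a real conversation. This script scores raw RFC 5322 messages
on traits that such replies tend to combine. Domains, sample messages
and the one-point-per-trait weighting are assumptions for the demo.
"""
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"                        # assumed: the protected organisation
MACRO_EXTENSIONS = (".doc", ".docm", ".xls", ".xlsm")  # macro-capable Office formats
REPLY_PREFIXES = ("re:", "aw:", "wg:", "fw:", "fwd:")  # English and German reply/forward markers


def domain_of(header_value) -> str:
    """Lower-cased domain of the first address in a From/Reply-To header ('' if none)."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def score_message(raw: bytes, internal_domain: str = INTERNAL_DOMAIN):
    """Return (score, reasons) for one raw message; one point per matching trait."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    subject = str(msg["Subject"] or "").strip().lower()
    from_domain = domain_of(msg["From"])

    # Trait 1: pretends to be a reply, but lacks the threading headers a real client adds.
    if subject.startswith(REPLY_PREFIXES) and not (msg["In-Reply-To"] or msg["References"]):
        reasons.append("reply-style subject without In-Reply-To/References")

    # Trait 2: answers are steered to a domain other than the visible sender's.
    reply_to_domain = domain_of(msg["Reply-To"])
    if reply_to_domain and reply_to_domain != from_domain:
        reasons.append(f"Reply-To domain {reply_to_domain} differs from From domain {from_domain}")

    # Trait 3: an external sender quoting our own staff, i.e. the thread was likely stolen from us.
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part else ""
    if from_domain != internal_domain and f"@{internal_domain}" in body:
        reasons.append("external sender quoting internal addresses")

    # Trait 4: the classic Emotet lure, a macro-capable Office document.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(MACRO_EXTENSIONS):
            reasons.append(f"macro-capable attachment {name}")

    return len(reasons), reasons


def build_sample(from_hdr, subject, body, *, reply_to=None, in_reply_to=None, attachment=None) -> bytes:
    """Build a raw message for the demo (constructed test data, not a captured sample)."""
    m = EmailMessage()
    m["From"] = from_hdr
    m["To"] = f"peter.muster@{INTERNAL_DOMAIN}"
    m["Subject"] = subject
    if reply_to:
        m["Reply-To"] = reply_to
    if in_reply_to:
        m["In-Reply-To"] = in_reply_to
        m["References"] = in_reply_to
    m.set_content(body)
    if attachment:
        # A few bytes of OLE2 magic stand in for the document body.
        m.add_attachment(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", maintype="application",
                         subtype="msword", filename=attachment)
    return m.as_bytes()


# Constructed samples: a hijacked-thread lure and a genuine internal reply.
HIJACKED = build_sample(
    '"Anna Beispiel" <anna.beispiel@freemail.example>',
    "AW: Rechnung Q3",
    "Bitte pruefen Sie die angehaengte Rechnung.\n\n"
    f"> Von: Anna Beispiel <anna.beispiel@{INTERNAL_DOMAIN}>\n> Hallo Peter, anbei die Rechnung Q3.\n",
    reply_to="billing@mail-relay.example",
    attachment="Rechnung.doc",
)
LEGIT = build_sample(
    f'"Anna Beispiel" <anna.beispiel@{INTERNAL_DOMAIN}>',
    "AW: Rechnung Q3",
    "Hallo Peter, die Rechnung ist freigegeben.\n\n> Hallo Anna, kannst du die Rechnung Q3 freigeben?\n",
    in_reply_to=f"<20191105.4711@{INTERNAL_DOMAIN}>",
)

if __name__ == "__main__":
    for label, raw in (("hijacked", HIJACKED), ("legitimate", LEGIT)):
        score, reasons = score_message(raw)
        print(f"{label}: score={score}, reasons={reasons}")
```

Run stand-alone, the hijacked sample scores 4 and the genuine reply 0. Each trait alone is weak (plenty of legitimate mail has a bare "AW:" subject), which is why the script accumulates them rather than blocking on any one; a real deployment would tune the threshold against its own mail flow and quarantine rather than silently drop.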
Trickbot is also an e-banking Trojan, first seen in 2016. It steals e-banking credentials via what are known as "WebInjects": code fragments that the malware injects into the pages of the genuine e-banking portal locally, inside the victim's browser, so that what the user sees and submits is replaced or extended without the bank's server being involved. Trickbot can also steal e-mails and harvest Windows network credentials using Mimikatz. What we have observed is that the malware has been evolving constantly since it first appeared, always with a focus on stealing data. The attackers can sit in a company network and exfiltrate data without being detected. They evaluate this data continuously, which gives them a fairly clear picture of the company, its processes and its internal IT landscape. For example, the cybercriminals learn how much money a company has and which data it depends on. As you can imagine, this information is then used for the final act of destruction – the attack by Ryuk.
Thanks to Trickbot, the attackers now know the company well enough to launch the final phase with Ryuk. This encryption Trojan (ransomware) specialises in highly targeted attacks. For example, the attackers can now encrypt precisely the data that is particularly worth protecting – the company's crown jewels, as it were – because Trickbot has already told them where it lives. Of course, they also know where the backups of this data are stored and can encrypt those at the same time; and since they also know the company's financial position, the ransom demand is, of course, set as high as possible...
Unfortunately, attacks by this trio are often only discovered at the final, most devastating stage: when the IT systems are at a standstill because of Ryuk's encryption – and by then it is often already too late. If a company has taken inadequate precautions and, for example, has no offline backup that the attackers cannot reach from the compromised network, paying the ransom is often the only remaining option to protect the company from disaster – or even financial ruin. But it doesn't have to come to that! Based on our experience, my team and I have summarised the most important learnings for you:
Choosing the right service provider is not easy. However, the most important asset in such complex, targeted attacks is experience. That is why you should rely on a partner with a proven, experienced team of specialists, such as InfoGuard. We have many years of experience and knowledge in a wide range of subject areas and with countless kinds of cyberattacks. At our Cyber Defence Center (CDC) in Baar, over 35 employees work around the clock, 24/7, to ensure maximum cyber security for our customers. More information about our Cyber Defence Services can be found here.
Ultimately what am I getting at? Contact us – and don't wait until it's too late!