The Assassin Squad: Zbot and RYUK


During recent months, there have been large outbreaks of the Ryuk ransomware. Armed with upgrades and modifications in comparison to previous versions, it is now capable of taking over a network even more quickly. Unfortunately, many targeted organizations come from the healthcare sector.

Heavy Increase Of Ryuk Ransomware In The Healthcare Sector

By way of background, the Ryuk ransomware has been attributed to a group called Wizard Spider. It is strictly a financially motivated group closely focused on large organizations able to afford a high ransom. The group started conducting its campaigns in 2018 and often uses malware like Emotet or Trickbot in the first stages of its attack. Wizard Spider gained public attention in 2018 when a new threat attributed to this group emerged – the Ryuk ransomware.

In several recent investigations, LIFARS came across a new RYUK ransomware strain focused on several healthcare providers. Using malware to infect the network (specifically Zbot/Zloader, delivered through an Excel macro), the threat actor in one case encrypted more than half of the machines in the infrastructure within a relatively short period of time.

During LIFARS’s investigation, the following chain of infection was observed:

  • A phishing email with an infected attachment was sent.
  • One of the company’s users opened the attachment – an older-version Excel spreadsheet. The user was prompted to enable content; by doing so, a malicious macro was executed and the Zloader deployment began.
  • After this initial foothold was achieved, the threat actor initiated reconnaissance of the infrastructure, moved laterally, and eventually reached the domain controllers.
  • Ryuk ransomware propagation started: the threat actor compromised Group Policy so that the Ryuk sample was copied to each machine on the next Group Policy update, and scheduled tasks were registered to execute the ransomware.
  • In the end, approximately 70% of network hosts were encrypted. The total time elapsed from the opening of the malicious attachment to the encryption was less than 8 hours.
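Two steps of this chain leave process-creation telemetry that a defender can hunt on: an Office application spawning a script or loader host (the macro stage) and a scheduled task being registered whose action points at a binary in a user-writable location (the Ryuk deployment stage). The following is an added example, not code from LIFARS or the technical guide; it assumes Sysmon-style process-creation records reduced to a few fields, constructed here inline, and that the task registration is visible as a schtasks.exe command line (in a Group Policy driven deployment it may instead surface only as a task-creation event on each host).

```python
import re
from pathlib import PureWindowsPath

# Constructed sample events (Sysmon Event ID 1 style, simplified).
# These are illustrative records, not data from the LIFARS investigation.
EVENTS = [
    {"host": "WS01", "parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\a.dll,DllRegisterServer"},
    {"host": "WS01", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "cmdline": r"EXCEL.EXE invoice.xls"},
    {"host": "SRV02", "parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks.exe /create /tn Update /tr C:\Windows\Temp\update.exe /sc once /st 03:00"},
    {"host": "SRV03", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks.exe /query /fo list"},
]

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
MACRO_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                  "rundll32.exe", "regsvr32.exe", "mshta.exe"}
# Locations a macro or a dropped payload can write to without admin rights.
USER_WRITABLE = ("c:\\users\\", "c:\\windows\\temp\\", "c:\\programdata\\")

def basename(path):
    return PureWindowsPath(path).name.lower()

def office_spawn(ev):
    """Macro stage: an Office process launching a script or loader host."""
    return basename(ev["parent"]) in OFFICE_APPS and basename(ev["image"]) in MACRO_CHILDREN

def task_from_writable_path(ev):
    """Deployment stage: schtasks /create whose /tr action lives in a user-writable path."""
    if basename(ev["image"]) != "schtasks.exe" or "/create" not in ev["cmdline"].lower():
        return False
    m = re.search(r'/tr\s+"?([^"\s]+)', ev["cmdline"], re.IGNORECASE)
    return bool(m) and m.group(1).lower().startswith(USER_WRITABLE)

def triage(events):
    """Return (host, rule, detail) for every event that matches a rule."""
    hits = []
    for ev in events:
        if office_spawn(ev):
            hits.append((ev["host"], "office_spawn", basename(ev["image"])))
        if task_from_writable_path(ev):
            hits.append((ev["host"], "task_from_writable_path", ev["cmdline"]))
    return hits
```

Correlating the two rules in time across many hosts (one office_spawn followed by task registrations fleet-wide) is what turns these single-host signals into the picture of the chain described above.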

This paper provides an overview of the means that were leveraged by the threat actor to gain access and spread through the network…

Download The Assassin Squad: Zbot and RYUK Technical Guide to learn more.