In the seemingly never-ending barrage of cybercrime, Spain is now in the limelight. CBROnline.com reports that at least two businesses were hit in the latest wave of ransomware attacks against Spain. The variant used has yet to be identified, but it is suspected to be BitPaymer or Ryuk. Detections of BlueKeep (the wormable RDP vulnerability, CVE-2019-0708) also surged around the same time, so exploitation of exposed, unpatched RDP is thought to have paved the way.
CrowdStrike has reported BitPaymer being used in conjunction with Dridex, a banking trojan. Worse yet, once Dridex gives the attackers a foothold they move laterally through the victim's network with the publicly available Empire post-exploitation framework, spreading Dridex to further hosts and running the dreaded Mimikatz to harvest credentials until they hold domain administrator access. If you're a reader of our quarterly Internet Security Report, you're familiar with just how prominent Mimikatz has been. Once admin access has been obtained, BitPaymer is pushed out across the network via Group Policy Objects.
Ryuk is ransomware based on its predecessor, Hermes. Hermes is sold on underground forums and used by many threat actors. Ryuk, however, is used only by the threat group GRIM SPIDER and targets only enterprise networks. CrowdStrike believes Ryuk is delivered by way of TrickBot. It, too, incorporates Empire for malicious PowerShell usage and includes logic to disable PowerShell logging so that its activity leaves fewer traces.
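Two of the tradecraft points above are easy to hunt for on your own domain: PowerShell logging being switched off, and ransomware staged through a Group Policy Object. The script below is an added example written for this post; it is not code from the article, from CrowdStrike or from any of the malware families discussed. It assumes it runs elevated on a domain-joined Windows host with the RSAT GroupPolicy module installed, and the seven-day window and the regular expressions used to spot task- or script-deploying GPOs are heuristics chosen here, not anything the original post specifies.

```powershell
# Added example, not from the original article. Assumes: elevated PowerShell on a
# domain-joined host, RSAT GroupPolicy module present, rights to read GPO reports.
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# 1. Is PowerShell auditing actually turned on by policy on this host?
#    A value of 1 under each key means the corresponding logging is enforced.
$Checks = @(
    @{ Key = "$PolicyRoot\ScriptBlockLogging"; Name = 'EnableScriptBlockLogging' },
    @{ Key = "$PolicyRoot\ModuleLogging";      Name = 'EnableModuleLogging' },
    @{ Key = "$PolicyRoot\Transcription";      Name = 'EnableTranscripting' }
)
foreach ($c in $Checks) {
    $v = (Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    $state = if ($v -eq 1) { 'ENABLED' } else { 'DISABLED/UNSET' }
    '{0,-26} {1}' -f $c.Name, $state
}

# 2. Caveat: Empire-style loaders disable logging in memory, not through the registry,
#    so the keys above can look fine while logging is off for that process. The loader's
#    own script block is normally still recorded as event 4104 before the bypass takes
#    effect, so hunt for the internal settings cache it has to reach into.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
    -MaxEvents 5000 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'cachedGroupPolicySettings|EnableScriptBlockLogging' } |
    Select-Object TimeCreated,
        @{ n = 'Snippet'; e = { $_.Message.Substring(0, [Math]::Min(160, $_.Message.Length)) } }

# 3. Ransomware deployed through Group Policy shows up as a recently modified GPO that
#    carries a scheduled task, immediate task or startup script. List such GPOs.
if (Get-Module -ListAvailable -Name GroupPolicy) {
    Import-Module GroupPolicy
    $Since = (Get-Date).AddDays(-7)   # heuristic window, tune to your environment
    Get-GPO -All | Where-Object { $_.ModificationTime -gt $Since } | ForEach-Object {
        $report = Get-GPOReport -Guid $_.Id -ReportType Xml
        # Heuristic string match on the XML report; namespace prefixes vary, so match loosely.
        if ($report -match 'ScheduledTasks|ImmediateTask|:Script>') {
            [pscustomobject]@{
                Name     = $_.DisplayName
                Id       = $_.Id
                Modified = $_.ModificationTime
                Reason   = 'deploys task or script'
            }
        }
    }
} else {
    Write-Warning 'GroupPolicy module not found; install RSAT to run the GPO check.'
}
```

Run it from a domain controller or an admin workstation; the first two sections are per-host, so for fleet-wide coverage either push them through your EDR or feed event 4104 into your SIEM and apply the same match there. A GPO that is only days old, links to an OU full of servers and carries a scheduled task is exactly the artefact to investigate before it fires.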
In summary, older malware source code is constantly being revamped and modified for modern use. Threat actors are creating numerous variants of malware aimed at specific victim profiles, as with Ryuk, which is used only against enterprise environments. The bottom line, though, is that this malware most often arrives as a spam email attachment or link, which brings back the imperative need for proper user training, backed up by patching internet-exposed services such as RDP so that a single click is not all it takes.