Financially motivated threat actors, tracked as TEMP.MixMaster, are infecting victims with TrickBot malware before deploying the infamous Ryuk ransomware, and so far they have managed to make off with a reported $3.7 million worth of Bitcoin.
The attacks are also unique as the threat actors often wait for extended periods after gaining access, often profiting from the victims in other ways, before launching ransomware attacks.
FireEye researchers noted that the threat actors have been active since at least December 2017 and, while it is unclear exactly who is behind the attacks, numerous reports have attributed the campaign to North Korea, according to a Jan. 10 blog post.
“In multiple incidents, rather than relying solely on built-in TrickBot capabilities, TEMP.MixMaster used EMPIRE and RDP connections to enable lateral movement within victim environments,” researchers said in the post.
“Interactive deployment of ransomware, such as this, allows an attacker to perform valuable reconnaissance within the victim network and identify critical systems to maximize their disruption to business operations, ultimately increasing the likelihood an organization will pay the demanded ransom.”
The campaign was primarily directed at organizations in the U.S., affecting victims in government, financial services, manufacturing, service providers, and even high-end tech industries.
While it is not entirely clear exactly how infections are spread, researchers witnessed an incident in which the threat group used a payroll-themed phishing attack with an XLS attachment to deliver TrickBot: once the document was opened and macros were enabled, it downloaded TrickBot from a remote server.
The malware would then move laterally within the organization, establishing a foothold along the way, before a period of inactivity followed by the distribution of Ryuk.
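The delivery pattern described above (an Office document that enables macros and fetches a payload from a remote server) can be caught by correlating process-creation and network-connection telemetry. The following detection logic is an added example and is not code from the FireEye post or from this article; the event records are constructed, their field names mirror Sysmon event IDs 1 and 3, and the destination addresses are documentation-range placeholders.

```python
# Added example: flag a process spawned by an Office application that then
# opens an outbound connection, the macro-to-downloader chain the article describes.
# Records below are constructed; 203.0.113.x addresses are documentation placeholders.
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}

SAMPLE_EVENTS = [
    {"event_id": 1, "host": "WS01", "pid": 4120, "image": r"C:\Office\EXCEL.EXE",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"event_id": 1, "host": "WS01", "pid": 4388,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Office\EXCEL.EXE"},
    {"event_id": 3, "host": "WS01", "pid": 4388, "dest_ip": "203.0.113.10", "dest_port": 443},
    # Excel spawning a child that never touches the network: tracked but not alerted.
    {"event_id": 1, "host": "WS02", "pid": 5200, "image": r"C:\Windows\splwow64.exe",
     "parent_image": r"C:\Office\EXCEL.EXE"},
    # Network activity from a process without an Office parent: ignored.
    {"event_id": 3, "host": "WS02", "pid": 6100, "dest_ip": "203.0.113.20", "dest_port": 443},
]

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def office_spawned_network_alerts(events):
    """Return one alert per process that was created with an Office parent (event 1)
    and later opened an outbound connection (event 3) on the same host and pid.
    Assumes events arrive in time order; pid reuse between the two events would
    need a process GUID or timestamp window to rule out in real telemetry."""
    office_children = {}  # (host, pid) -> creation event
    alerts = []
    for ev in events:
        key = (ev["host"], ev["pid"])
        if ev["event_id"] == 1 and basename(ev["parent_image"]) in OFFICE_APPS:
            office_children[key] = ev
        elif ev["event_id"] == 3 and key in office_children:
            child = office_children.pop(key)  # alert once per process
            alerts.append({
                "host": ev["host"], "pid": ev["pid"],
                "parent": basename(child["parent_image"]),
                "child": basename(child["image"]),
                "dest": f'{ev["dest_ip"]}:{ev["dest_port"]}',
            })
    return alerts

if __name__ == "__main__":
    for alert in office_spawned_network_alerts(SAMPLE_EVENTS):
        print("ALERT", alert)
```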
In one case, the threat actors waited a year before launching the ransomware, suggesting they were monetizing access to the infected systems in other ways before deploying the relatively new ransomware.
Threat actors in other campaigns, such as the SamSam ransomware attacks, have also used the tactic of deploying ransomware only after gaining access to a victim's organization by other means.
“Following indiscriminate campaigns, threat actors can profile victims to identify systems and users of interest and subsequently determine potential monetization strategies to maximize their revenue,” researchers said in the report.
“Various malware families have incorporated capabilities that can aid in the discovery of high-value targets underscoring the necessity for organizations to prioritize proper remediation of all threats, not only those that initially appear to be targeted.”