Ryuk Ransomware Attacks Continue Following TrickBot Takedown Attempt

The threat actor behind the Ryuk ransomware continues to conduct attacks following the recent attempts to disrupt the TrickBot botnet, CrowdStrike reports.


Referred to as WIZARD SPIDER, the adversary has been widely using TrickBot for the distribution of ransomware, and the recent attempts by the U.S. Cyber Command and Microsoft to disrupt the botnet were expected to put an end to such operations.


However, the efforts had little effect on the botnet, and the threat actor is apparently able to continue operations at the same pace as before. With over one million infected machines, TrickBot represents a serious threat.


According to CrowdStrike, an initial swing at the botnet was observed on September 21, when a non-standard configuration file was being delivered to some of the infected machines, to instruct them to connect to a command and control (C&C) server address at 0.0.0.1 on TCP port 1.


As a result of this move, an unknown number of bots remained isolated from the network and became unreachable through the normal C&C channel. The non-standard config file was downloaded approximately 10,000 times, which translates into roughly one percent of systems infected with TrickBot being separated from the botnet.


“The operation against the TrickBot network was orchestrated to take down the botnet, thus reducing BGH infections by WIZARD SPIDER’s Ryuk and Conti ransomware families, with an ultimate goal of protecting the forthcoming U.S. elections from ransomware operations,” CrowdStrike notes.


TrickBot’s operators quickly switched to secondary channels to ensure their operations could continue. Emotet started deploying TrickBot last week, and WIZARD S ..