North Korea APT(?) and recent Ryuk Ransomware attacks
Our Threat Intelligence team has been tracking the Emotet botnet throughout 2018. In our previous post we reported a large scale Emotet campaign focused on e-mail content exfiltration.
Today, we review the evidence gathered from our Telltale Threat Intelligence Service, which suggests that Emotet is the delivery mechanism for the latest wave of Ryuk ransomware attacks, a wave that has been dubbed a North Korean state-sponsored cyber-attack.
The evidence from the dataset supplies the missing narrative needed to show a likely and complete attack chain of compromise via organized crimeware activity. The chain starts with initial Emotet infections, which are then used to deliver Trickbot. Completing the chain, in a select subset of Trickbot infections, the actors then deliver Ryuk. Our analysis shows that Emotet infections lingered for weeks before any Ryuk ransom attacks were deployed. This lends a new piece of intelligence to an ongoing attribution debate over whether or …
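To make the chain concrete, here is an added example (not code from the original post or from the Telltale service) that correlates per-host malware sightings, checks whether Emotet, Trickbot and Ryuk were first seen in that order, and measures how long Emotet sat on a host before Ryuk appeared; the hostnames, timestamps and family labels are all constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample sightings (hypothetical, not data from the original post):
# (host, malware family, first-seen timestamp)
SIGHTINGS = [
    ("host-a", "emotet",   "2018-11-02T09:14:00"),
    ("host-a", "trickbot", "2018-11-05T13:40:00"),
    ("host-a", "ryuk",     "2018-11-28T03:05:00"),
    ("host-b", "emotet",   "2018-11-10T11:00:00"),
    ("host-b", "trickbot", "2018-11-12T16:30:00"),
    ("host-c", "ryuk",     "2018-12-01T02:00:00"),
    ("host-d", "trickbot", "2018-11-20T08:00:00"),
    ("host-d", "emotet",   "2018-11-21T08:00:00"),
]

# The delivery order the post describes: Emotet -> Trickbot -> Ryuk.
CHAIN = ("emotet", "trickbot", "ryuk")

def first_seen_by_host(sightings):
    """Earliest sighting timestamp per host and malware family."""
    first = defaultdict(dict)
    for host, family, ts in sightings:
        when = datetime.fromisoformat(ts)
        fam = family.lower()
        if fam not in first[host] or when < first[host][fam]:
            first[host][fam] = when
    return first

def chain_stage(first_seen):
    """Number of consecutive chain stages observed in order on one host (0..3)."""
    stage = 0
    prev = None
    for fam in CHAIN:
        when = first_seen.get(fam)
        # Stop at the first missing stage, or one seen before its predecessor.
        if when is None or (prev is not None and when < prev):
            break
        stage += 1
        prev = when
    return stage

def emotet_to_ryuk_days(first_seen):
    """Days between first Emotet and first Ryuk sighting; None if chain incomplete."""
    if chain_stage(first_seen) < 3:
        return None
    return (first_seen["ryuk"] - first_seen["emotet"]).days

def summarize(sightings):
    """Per host: (stages seen in order, Emotet-to-Ryuk lead time in days)."""
    first = first_seen_by_host(sightings)
    return {h: (chain_stage(f), emotet_to_ryuk_days(f)) for h, f in first.items()}
```

Calling `summarize(SIGHTINGS)` reports host-a as a full chain with a 25-day gap between Emotet and Ryuk, while host-d is flagged as out of order because Trickbot preceded Emotet.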