
Cybereason Researchers Discover a ‘Triple Threat’ Attack Utilizing Emotet to Deploy TrickBot Which Steals Data and Spreads Ryuk Ransomware

Apr 2, 2019

Cybereason, creators of the leading Cyber Defense Platform, today announced that researchers discovered a ‘triple threat campaign’ that combines the popular Emotet and TrickBot banking trojans with Ryuk ransomware to steal sensitive information, encrypt computers and hold victims’ data for ransom. This costs the victim and the business money, and the loss of sensitive or valuable information if it isn’t recovered. The campaign is targeting businesses in the United States and Europe.

This particular attack begins with a phishing email. The attached file contains malicious macro-based code that runs and executes a PowerShell command. Once Emotet has been executed, it continues its malicious activity by further infecting the affected machine and gathering information on it. It then initiates the download and execution of TrickBot, which begins stealing sensitive information. Meanwhile, the attackers check whether the target machine belongs to an industry they are looking to target. If it does, they download the Ryuk ransomware payload and use the admin credentials stolen by TrickBot to perform lateral movement and reach the assets they wish to infect.

Triple threat mitigation recommendations include:

Education on how to correctly handle suspicious emails to prevent initial downloading or dropping of malware.

In order to protect against lateral movement, avoid using privileged accounts, do not leave RDP sessions open without properly terminating them, do not store passwords in plain text, follow good authentication practices, disable unnecessary shared folders, and rename the default shared folders used in your organization.

Make sure your systems are patched, especially against CVE-2017-0144.

Disable macros across the environment.

Follow Microsoft’s security advisory update on improving credentials protection and management in your organization.

Approach security proactively: perform hunts and search for suspicious behavior before an incident starts.
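The first observable step of the chain described above is an Office document’s macro launching PowerShell, which is exactly the kind of behavior the last recommendation asks defenders to hunt for. The following is an added example, not code from Cybereason or from the campaign write-up: a small hunting routine run over constructed process-creation records laid out like Sysmon Event ID 1 (parent image, image, command line). The Office and shell process names, the command-line heuristics and the sample events are all assumptions chosen for illustration, not indicators taken from this release.

```python
"""Hunt process-creation telemetry for Office-spawned shells.

Added example. The events below are constructed to resemble Sysmon
Event ID 1 records; they are not data from the campaign described
in the release.
"""
from dataclasses import dataclass
import re

# Assumed parent/child process names of interest (defender heuristic).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELL_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe",
                  "wscript.exe", "cscript.exe", "mshta.exe"}

# Generic PowerShell command-line features worth a closer look:
# hidden windows, encoded payloads, policy bypass. Common defender
# heuristics, not indicators from the page.
PS_SUSPICIOUS = re.compile(
    r"(-w(indowstyle)?\s+hidden"
    r"|-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}"
    r"|-executionpolicy\s+bypass)",
    re.IGNORECASE,
)


@dataclass
class ProcessEvent:
    host: str
    user: str
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(ev: ProcessEvent) -> list:
    """Return the list of finding tags that apply to one event."""
    findings = []
    parent, child = basename(ev.parent_image), basename(ev.image)
    if parent in OFFICE_PARENTS and child in SHELL_CHILDREN:
        findings.append("office_spawned_shell")
    if child in {"powershell.exe", "pwsh.exe"} and PS_SUSPICIOUS.search(ev.command_line):
        findings.append("suspicious_powershell_cmdline")
    return findings


def hunt(events) -> list:
    """Return (host, user, findings) for every event that triggered a rule."""
    hits = []
    for ev in events:
        findings = classify(ev)
        if findings:
            hits.append((ev.host, ev.user, findings))
    return hits


# Constructed sample telemetry (hostnames, users and paths are made up).
SAMPLE_EVENTS = [
    ProcessEvent("WS-0421", "CORP\\jdoe",
                 "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
                 "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                 "powershell.exe -w hidden -enc "
                 "QQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEAQQA="),
    ProcessEvent("WS-0102", "CORP\\itadmin",
                 "C:\\Windows\\explorer.exe",
                 "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                 "powershell.exe -File C:\\Scripts\\inventory.ps1"),
    ProcessEvent("WS-0387", "CORP\\asmith",
                 "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE",
                 "C:\\Windows\\System32\\cmd.exe",
                 "cmd.exe /c copy C:\\Users\\Public\\a.tmp C:\\Users\\Public\\b.tmp"),
    ProcessEvent("WS-0519", "NT AUTHORITY\\SYSTEM",
                 "C:\\Windows\\System32\\svchost.exe",
                 "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                 "powershell.exe -NoProfile -ExecutionPolicy Bypass "
                 "-WindowStyle Hidden -File C:\\Users\\Public\\update.ps1"),
]

if __name__ == "__main__":
    for host, user, findings in hunt(SAMPLE_EVENTS):
        print(f"{host} {user}: {', '.join(findings)}")
```

The parent/child rule is the one most directly tied to the macro-to-PowerShell step; the command-line rule is independent of the parent and catches PowerShell launched through other paths, at the cost of more triage. Both are meant to be tuned against a baseline of legitimate administrative scripting before being turned into alerts.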

About Cybereason
Cybereason, creators of the leading Cyber Defense Platform, gives the advantage back to the defender through a completely new approach to cybersecurity. Cybereason offers endpoint detection and response (EDR), next-generation antivirus (NGAV), and active monitoring services, powered by its cross-machine correlation engine. The Cybereason suite of products provides unmatched visibility, increases analyst efficiency and effectiveness, and reduces security risk. Cybereason is privately held, has raised $189 million from top-tier VCs, and is headquartered in Boston, with offices in London, Tel Aviv, and Tokyo.

Learn more: https://www.cybereason.com/

Media Contact:
Bill Keeler
Director, Public Relations
Cybereason
bill.keeler@cybereason.com
(929) 259-3261