Trickbot and Ryuk Ransomware – Timing the payload

July 4, 2020
trickbot ryuk ransomware malware payload timing

The timing of the payload

Having the right timing results in a high success rate for any plan. Information Security experts from a private security firm, they were able to observe the ingenuity of using Ryuk ransomware with perfectly timing the payload. Based on the statistics, the patience of time given by the attacker with their target organization has come up with a fruitful result.

According to their analysis, an average of two weeks is allotted by the hacker for the incubation period before they deploy the Ryuk ransomware application onto the network of the victim organization. The given time is not wasted by the attackers as they basically for the first phase of the attack. They use it as a reconnaissance period to obtain and observe the network and infrastructure of the business. As profiled, the attack initially starts with infecting a single system. By then, they can perform host and open ports scanning, exfiltrate sensitive data, and view installed applications. Any data that can be exhausted that is useful within the infected system, such as different services like SMB, SSH, FTP, and alike including VNC and remote desktop, are gathered and studied by the perpetrators.


Dissecting the malware and the attack

With the aid of Cobalt strike malware – a well known paid hacking tester toolkit, they work onto the next phase, which includes gathering usernames and password of employees logged onto the infected system. Data collected will be filtered out to get a credential with elevated access. Once thriving, their next step of the infiltration happens onto the victim network organization by which infecting other systems. The Cobalt strike powerful feature can easily penetrate the whole organization as this toolkit comes with code customization to counterattack any installed security program of the targeted organization. Once are all sets and the entire system in the organization have been in the perpetrator’s command and control, they will now execute the Ryuk Ransomware to encrypt the whole system. They can now ask for blood money for the decryption. Some resources stolen by the ransomware are also sold by the actors off in the dark web for additional profit.



We conclude that most attacks that used Ryuk ransomware start from a trick bot infection, in which the Cobalt Strike application has become famous in the hacking community. For the ransomware to work correctly, having a well-lengthened investigation and analyzation of gathered information is a must to know its worth. As the saying goes, Timing is Everything.

About the author

Leave a Reply