{
	"id": "74e605ca-fdf1-4ac3-b7de-d6c1705ffe38",
	"created_at": "2026-04-06T00:07:22.424269Z",
	"updated_at": "2026-04-10T03:24:23.508105Z",
	"deleted_at": null,
	"sha1_hash": "65f26fa8973a3a140c509b0c261ff8e80da9480d",
	"title": "Ryuk ransomware deployed two weeks after Trickbot infection",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 907300,
	"plain_text": "Ryuk ransomware deployed two weeks after Trickbot infection\r\nBy Ionut Ilascu\r\nPublished: 2020-06-23 · Archived: 2026-04-05 16:15:58 UTC\r\nActivity logs on a server used by the TrickBot trojan in post-compromise stages of an attack show that the actor takes an average of two weeks pivoting to valuable hosts on the network before deploying Ryuk ransomware.\r\nAfter compromising the network, the attacker starts scanning for live systems that have specific ports open and stealing password hashes from the Domain Admin group.\r\nManual hacking\r\nResearchers at SentinelOne have detailed the activity observed from logs on a Cobalt Strike server that TrickBot used to profile networks and systems.\r\nhttps://www.bleepingcomputer.com/news/security/ryuk-ransomware-deployed-two-weeks-after-trickbot-infection/\r\nPage 1 of 4\r\nOnce the actor took interest in a compromised network, they used modules from Cobalt Strike, threat emulation software for red teams and penetration testers.\r\nOne component is the DACheck script, used to check whether the current user has Domain Admin privileges and to enumerate the members of this group. They also used Mimikatz to extract passwords that would help with lateral movement.\r\nThe researchers found that discovering computers of interest on the network is done by scanning for live hosts that have specific ports open.\r\nServices like FTP, SSH, SMB, SQL Server, remote desktop, and VNC are targeted because they help move to other computers on the network or indicate a valuable target.\r\nDropping Ryuk\r\nAccording to SentinelOne’s examination, the threat actor profiles each machine to extract as much useful information as possible. This allows them to take complete control of the network and get access to as many hosts as possible.\r\nReconnaissance and pivoting stages are followed by planting Ryuk ransomware and deploying it to all accessible machines using Microsoft’s PsExec tool for executing processes remotely.\r\nBased on the timestamps, SentinelOne researchers estimate that it took two weeks for the attacker to gain access to machines on the network and profile them before executing Ryuk.\r\nVitali Kremez of Advanced Intelligence (AdvIntel) security boutique told BleepingComputer that this average for the “incubation” period is accurate, although it varies from one victim to another.\r\nIn some cases, Ryuk was deployed after just one day, while in other instances the file-encrypting malware was executed after the attacker had spent months on the network.\r\nKremez told us that Ryuk infections have slowed down lately, as the threat actor is likely in a vacation kind of state.\r\nIt is important to note that not all TrickBot infections are followed by Ryuk ransomware, probably because the actors take the time to analyze the data collected and determine if the victim is worth encrypting or not.\r\nSource: https://www.bleepingcomputer.com/news/security/ryuk-ransomware-deployed-two-weeks-after-trickbot-infection/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/ryuk-ransomware-deployed-two-weeks-after-trickbot-infection/"
	],
	"report_names": [
		"ryuk-ransomware-deployed-two-weeks-after-trickbot-infection"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434042,
	"ts_updated_at": 1775791463,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/65f26fa8973a3a140c509b0c261ff8e80da9480d.pdf",
		"text": "https://archive.orkl.eu/65f26fa8973a3a140c509b0c261ff8e80da9480d.txt",
		"img": "https://archive.orkl.eu/65f26fa8973a3a140c509b0c261ff8e80da9480d.jpg"
	}
}