{
	"id": "2245ce10-ac7e-41de-8235-e41e90c2dc2e",
	"created_at": "2026-04-06T00:22:31.466758Z",
	"updated_at": "2026-04-10T13:13:08.630052Z",
	"deleted_at": null,
	"sha1_hash": "6c32f50f4ed5c4c83dd62795568ed6c6c22f0da3",
	"title": "Quarterly report: Incident Response trends in Summer 2020",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 114783,
	"plain_text": "Quarterly report: Incident Response trends in Summer 2020\r\nBy Jonathan Munshaw\r\nPublished: 2020-06-15 · Archived: 2026-04-05 13:32:49 UTC\r\nMonday, June 15, 2020 10:55\r\nBy David Liebenberg and Caitlin Huey.\r\nFor the fourth quarter in a row, Ryuk dominated the threat landscape in incident response. As we mentioned in last quarter’s report, Ryuk has shifted from relying on commodity trojans to using living-off-the-land tools. This has led to a decrease in observations of attacks leveraging commodity trojans. Email remained the top infection vector, though we observed increased compromises of remote desktop services (RDS) as well as Citrix devices and Pulse VPN. One of the more interesting trends this quarter was the role of the COVID-19 pandemic. Notably, we did not observe any engagements in which COVID-19 was used in an attack. However, CTIR has observed the pandemic impacting organizations, affecting their ability to respond to and contain cybersecurity incidents.\r\nFor additional information, you can also check out our full summary here.\r\nTargeting\r\nA wide variety of verticals were once again targeted, including energy and utilities, financial services, government, health care, industrial distribution, manufacturing, retail, technology, telecommunications, and transportation. The top targeted verticals were health care and technology, a change from last quarter when the top targeted verticals were financial services and government.\r\nhttps://blog.talosintelligence.com/2020/06/CTIR-trends-q3-2020.html#more\r\nPage 1 of 3\r\nThreats\r\nRansomware continued to comprise the majority of threats CTIR observed. As mentioned above, contrary to previous quarters, CTIR is observing fewer engagements in which Emotet and Trickbot function as the initial dropper for Ryuk. This is one reason why we observed far fewer attacks leveraging commodity trojans this quarter. As mentioned last quarter, Ryuk attacks evolved in other ways as well, leveraging encoded PowerShell commands to download the initial payload, disable security/AV tools, stop backups, and scan the entire network to produce a list of online vs. offline hosts. Ryuk adversaries are using more Windows Management Instrumentation (WMI) and BitsAdmin to deploy the malware in addition to PsExec.\r\nFor example, a government organization had thousands of systems encrypted with Ryuk ransomware, affecting nearly 2,000 systems and critical services. There was no evidence of any presence of commodity trojans during the attack. The adversaries compromised a domain administrator account by recovering the password stored in a Group Policy. The adversaries attempted to prevent file restoration by using bcdedit to alter boot configuration data to prevent system recovery, deleted Windows shadow copies, and used vssadmin to remove system restore points. The adversaries then tried to expand the number of affected hosts by granting full permission for all users for all files on all mounted disk drives with icacls.exe. They also sent Wake-On-Lan magic packets to wake shut-down hosts for encryption.\r\nThe adversaries used PowerShell to disable real-time monitoring malware protection and a PowerShell script, “Get-DataInfo.ps1”, to scan the network and write lists of live or dead hosts to text files. The adversaries used the command-line tool BitsAdmin, as well as WMIC and PsExec with privileged account credentials, to copy Ryuk to additional hosts.\r\nIn another engagement where CTIR identified a Ryuk infection, the initial compromise was performed with a phishing email that contained an encrypted Microsoft Word document. The malicious code had been embedded in a chess game written in VBA, and once the document was opened, it created a VBS file and executed it through PowerShell. The VBS file downloaded and executed the malicious payload identified as Detplock, a remote access trojan (RAT).\r\nCTIR continued to observe ransomware actors exfiltrating sensitive data as another lever to further compel victims to pay the ransom. This is a continuation of a trend since Winter 2019.\r\nInitial vectors\r\nFor the majority of engagements, definitively identifying an initial vector was difficult due to shortfalls in logging. However, in engagements in which the initial vector could be identified, or reasonably assumed, phishing remained the top infection vector. CTIR also observed several instances in which adversaries leveraged brute-force attacks against a victim organization’s RDS. These types of attacks may be related to the increased threat surface due to remote work stemming from COVID-19 as well as an increase in Phobos ransomware attacks, which typically leverage compromised RDS connections as an initial vector. CTIR also continued to observe multiple compromises of Citrix Application Discovery Controller and Citrix Gateway (CVE-2019-19781) and Pulse Secure VPN (CVE-2019-11510).\r\nCOVID-19\r\nSomewhat surprisingly, CTIR has not observed any engagements in which COVID-19 was leveraged, despite the fact that threat actors have been increasingly using COVID-19-related information as lures in phishing and malspam attacks. However, CTIR has observed the pandemic impacting organizations, particularly in the health care industry, affecting their ability to respond to and contain cybersecurity incidents, since pre-COVID-19 incident response planning did not account for a pandemic occurring alongside a cybersecurity incident. Limitations in travel, personnel, and budget all contributed to increased difficulty mitigating incidents, which was observed across multiple incident response engagements in Summer 2020. Additionally, CTIR has observed organizations updating their internal IR and business continuity planning in response to the pandemic. This illustrates the importance of developing a robust incident response plan and maintaining the flexibility to adjust it in response to major global events.\r\nDespite a lack of COVID-19-themed campaigns, the pandemic has still increased the threat surface, with an obvious uptick in both RDS and VPN services due to increased remote work. Beyond the new avenues this gives adversaries to target, CTIR has also responded by working with victim organizations to identify the new network “baseline” created by these changes.\r\nSource: https://blog.talosintelligence.com/2020/06/CTIR-trends-q3-2020.html#more",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.talosintelligence.com/2020/06/CTIR-trends-q3-2020.html#more"
	],
	"report_names": [
		"CTIR-trends-q3-2020.html#more"
	],
	"threat_actors": [],
	"ts_created_at": 1775434951,
	"ts_updated_at": 1775826788,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6c32f50f4ed5c4c83dd62795568ed6c6c22f0da3.pdf",
		"text": "https://archive.orkl.eu/6c32f50f4ed5c4c83dd62795568ed6c6c22f0da3.txt",
		"img": "https://archive.orkl.eu/6c32f50f4ed5c4c83dd62795568ed6c6c22f0da3.jpg"
	}
}