{
	"id": "60d96c42-7551-4192-8219-2815588abaad",
	"created_at": "2026-04-06T00:15:32.444587Z",
	"updated_at": "2026-04-10T03:36:11.260541Z",
	"deleted_at": null,
	"sha1_hash": "9415ef0578a832c08b56d78e367d8c85bfdcb33a",
	"title": "TrickBot Malware Infection Leads to Ryuk Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 75027,
	"plain_text": "TrickBot Malware Infection Leads to Ryuk Ransomware\r\nBy Mandiant\r\nPublished: 2019-01-10 · Archived: 2026-04-05 16:12:05 UTC\r\nWritten by: Kimberly Goody, Jeremy Kennelly, Jaideep Natu, Christopher Glyer\r\nFireEye is tracking a set of financially-motivated activity referred to as TEMP.MixMaster that involves the\r\ninteractive deployment of Ryuk ransomware following TrickBot malware infections. These operations have been\r\nactive since at least December 2017, with a notable uptick in the latter half of 2018, and have proven to be highly\r\nsuccessful at soliciting large ransom payments from victim organizations. In multiple incidents, rather than relying\r\nsolely on built-in TrickBot capabilities, TEMP.MixMaster used EMPIRE and RDP connections to enable lateral\r\nmovement within victim environments. Interactive deployment of ransomware, such as this, allows an attacker to\r\nperform valuable reconnaissance within the victim network and identify critical systems to maximize their\r\ndisruption to business operations, ultimately increasing the likelihood an organization will pay the demanded\r\nransom. These operations have reportedly netted about $3.7 million in current BTC value.\r\nNotably, while there have been numerous reports attributing Ryuk malware to North Korea, FireEye has not found\r\nevidence of this during our investigations. This narrative appears to be driven by code similarities between Ryuk\r\nand Hermes, a ransomware that has been used by APT38. However, these code similarities are insufficient to\r\nconclude North Korea is behind Ryuk attacks, as the Hermes ransomware kit was also advertised for sale in the\r\nunderground community at one time.\r\nIt is important to note that TEMP.MixMaster is solely a reference to incidents where we have seen Ryuk deployed\r\nfollowing TrickBot infections and that not all TrickBot infections will lead to the deployment of Ryuk\r\nransomware. 
The TrickBot administrator group, which is suspected to be based in Eastern Europe, most likely\r\nprovides the malware to a limited number of cyber criminal actors to use in operations. This is partially evident\r\nthrough its use of “gtags” that appear to be unique campaign identifiers used to identify specific TrickBot users. In\r\nrecent incidents investigated by our Mandiant incident response teams, there has been consistency across the gtags\r\nappearing in the configuration files of TrickBot samples collected from different victim networks where Ryuk was\r\nalso deployed. The uniformity of the gtags observed across these incidents appears to be due to instances of\r\nTrickBot being propagated via the malware’s worming module configured to use these gtag values.\r\nCurrently, we do not have definitive evidence that the entirety of TEMP.MixMaster activity, from TrickBot\r\ndistribution and operation to Ryuk deployment, is being conducted by a common operator or group. It is also\r\nplausible that Ryuk malware is available to multiple eCrime actors who are also using TrickBot malware, or that at\r\nleast one TrickBot user is selling access to environments they have compromised to a third party. The intrusion\r\noperations deploying Ryuk have also been called GRIM SPIDER.\r\nTrickBot Infection Leading to Ryuk Deployment\r\nhttps://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html\r\nPage 1 of 6\n\nThe following is a summary of tactics observed across incident response investigations where the use of\r\nTrickBot preceded distribution of Ryuk ransomware. Of note, due to the interactive nature of Ryuk deployment,\r\nthe TTPs leading to its execution can vary across incidents. 
Furthermore, in at least one case, artifacts related to\r\nthe execution of TrickBot were collected but there was insufficient evidence to clearly tie observed Ryuk activity\r\nto the use of TrickBot.\r\nInitial Infection\r\nThe initial infection vector was not confirmed in all incidents; in one case, Mandiant identified that the attackers\r\nleveraged a payroll-themed phishing email with an XLS attachment to deliver TrickBot malware (Figure 1). Data\r\nfrom FireEye technologies shows that this campaign was widely distributed primarily to organizations in the\r\nUnited States, and across diverse industries including government, financial services, manufacturing, service\r\nproviders, and high-tech.\r\nOnce a victim opened the attachment and enabled macros, it downloaded and executed an instance of the TrickBot\r\nmalware from a remote server. Data obtained from FireEye technologies suggests that although different\r\ndocuments may have been distributed by this particular malicious spam run, the URLs from which the documents\r\nattempted to retrieve a secondary payload did not vary across attachments or recipients, despite the campaign’s\r\nbroad distribution both geographically and across industry verticals.\r\nSubject: FW: Payroll schedule\r\nAttachment: Payrollschedule.xls\r\nPay run summary report and individual payslips.\r\nKind Regards,\r\nAdam Bush\r\nCONFIDENTIALITY NOTICE:\r\nThe contents of this email message and any attachments are intended solely for the addressee(s) and may contain\r\nFigure 1: Email from a phishing campaign that downloaded TrickBot, which eventually led to Ryuk\r\nPersistence and Lateral Movement\r\nWhen executed, TrickBot created scheduled tasks on compromised systems to execute itself and ensure\r\npersistence following system reboot. 
These instances of TrickBot were configured to use their network\r\npropagation modules (sharedll and tabdll) that rely on SMB and harvested credentials to propagate to additional\r\nsystems in the network. The number of systems to which TrickBot was propagated varied across intrusions from\r\nfewer than ten to many hundreds.\r\nDwell Time and Post-Exploitation Activity\r\nAfter a foothold was established by the actors controlling TrickBot, a period of inactivity sometimes followed.\r\nDwell time between TrickBot installation and Ryuk distribution varied across intrusions, but in at least one case\r\nmay have been as long as a full year. Despite this long dwell time, the earliest reports of Ryuk malware only date\r\nback to August 2018. It is likely that actors controlling TrickBot instances used to maintain access to victim\r\nenvironments prior to the known availability of Ryuk were monetizing this access in different ways. Further, due\r\nto the suspected human-driven component to these intrusion operations, we would expect to commonly see a\r\ndelay between initial infection and Ryuk deployment or other post-exploitation activity, particularly in cases\r\nwhere the same initial infection vector was used to compromise multiple organizations simultaneously.\r\nOnce activity restarted, the actors moved to interactive intrusion by deploying Empire and/or leveraging RDP\r\nconnections tunneled through reverse-shells instead of relying on the built-in capabilities of TrickBot to interact\r\nwith the victim network. 
In multiple intrusions TrickBot's reverse-shell module (NewBCtestDll) was used to\r\nexecute obfuscated PowerShell scripts which ultimately downloaded and launched an Empire backdoor.\r\nVariations in Ryuk Deployment Across Engagements\r\nPost-exploitation activity associated with each Ryuk incident has varied in historical and ongoing Mandiant\r\nincident response engagements. Given that collected evidence suggests Ryuk deployment is managed via human-interactive post-exploitation, variation and evolution in methodology, tools, and approach over time and across\r\nintrusions is expected.\r\nThe following high-level steps appear common across most incidents into which we have insight:\r\nActors produce a list of target systems and save it to one or multiple .txt files.\r\nActors move a copy of PsExec, an instance of Ryuk, and one or more batch scripts to one or more domain\r\ncontrollers or other high privilege systems within the victim environment.\r\nActors run batch scripts to copy a Ryuk sample to each host contained in .txt files and ultimately execute\r\nthem.\r\nSome of the notable ways Ryuk deployment has varied include:\r\nIn one case, there was evidence suggesting that actors enumerated hosts on the victim network to identify\r\ntargets for encryption with Ryuk, but in multiple other cases these lists were manually copied to the server\r\nthat was then used for Ryuk distribution without clear evidence available for how they were produced.\r\nThere have been multiple cases where TrickBot was deployed broadly across victim environments rather\r\nthan being used to maintain a foothold on a small number of hosts.\r\nWe have not identified evidence that Empire was used by the attackers in all cases and sometimes Empire\r\nwas used to access the victim environment only after Ryuk encryption had started.\r\nIn one case, the attackers used a variant of Ryuk with slightly different capabilities accompanied by a\r\nstandalone .bat script containing most of the 
same taskkill, net, and sc commands normally used by Ryuk\r\nto terminate processes and stop services related to anti-virus, backup, and database software.\r\nExample of Ryuk Deployment – Q3 2018\r\nUsing previously stolen credentials the attacker logged into a domain controller and copied tools into the\r\n%TEMP% directory. Copied tools included AdFind.exe (Active Directory enumeration utility), a batch\r\nscript (Figure 2), and a copy of the 7-Zip archive utility.\r\nDownloaded utilities were copied to C:\\Windows\\SysWOW64\\.\r\nThe attacker performed host and network reconnaissance using built-in Windows commands.\r\nAdFind.exe was executed using the previously noted batch script, which was crafted to pass the utility a\r\nseries of commands that were used to collect information about Active Directory users, systems, OUs,\r\nsubnets, groups, and trust objects. The output from each command was saved to an individual text file\r\nalongside the AdFind.exe utility (Figure 2).\r\nThis process was performed twice on the same domain controller, 10 hours apart. Between executions of\r\nAdFind the attacker tested access to multiple domain controllers in the victim environment, including the\r\none later used to deploy Ryuk.\r\nThe attacker logged into a domain controller and copied instances of PsExec.exe, a batch script used to kill\r\nprocesses and stop services, and an instance of Ryuk onto the system.\r\nUsing PsExec the attacker copied the process/service killing batch script to the %TEMP% folder on\r\nhundreds of computers across the victim environment, from which it was then executed.\r\nThe attacker then used PsExec to copy the Ryuk binary to the %SystemRoot% directories of these same\r\ncomputers. 
A new service configured to launch the Ryuk binary was then created and started.\r\nRyuk execution proceeded as normal, encrypting files on impacted systems.\r\nadfind.exe -f (objectcategory=person) \u003e .txt\r\nadfind.exe -f objectcategory=computer \u003e .txt\r\nadfind.exe -f (objectcategory=organizationalUnit) \u003e .txt\r\nadfind.exe -subnets -f (objectCategory=subnet) \u003e .txt\r\nadfind.exe -f \"(objectcategory=group)\" \u003e .txt\r\nadfind.exe -gcb -sc trustdmp \u003e .txt\r\nFigure 2: Batch script that uses adfind.exe tool to enumerate Active Directory objects\r\nExample of Ryuk Deployment – Q4 2018\r\nAn instance of the EMPIRE backdoor launched on a system that had been infected by TrickBot. The\r\nattacker used EMPIRE’s built-in capabilities to perform network reconnaissance.\r\nAttackers connected to a domain controller in the victim network via RDP and copied several files into the\r\nhost’s C$ share. The copied files included an instance of PsExec, two batch scripts, an instance of the Ryuk\r\nmalware, and multiple .txt files containing lists of hosts within the victim environment. Many of the\r\ntargeted hosts were critical systems across the victim environment including domain controllers and other\r\nhosts providing key management and authentication services.\r\nThe attackers then executed the first of these two batch scripts. 
The executed script used PsExec and hard-coded credentials previously stolen by the actors to copy the Ryuk binary to each host passed as input from\r\nthe noted .txt files (Figure 3).\r\nAttackers then executed the second batch script which iterated through the same host lists and used PsExec\r\nto execute the Ryuk binaries copied by the first batch script (Figure 4).\r\nstart PsExec.exe @C:\\$\\.txt -u \\ -p cmd /c COPY \"\\\\\\\" \"C:\\windows\\temp\\\"\r\nFigure 3: Line from the batch file used to copy Ryuk executable to each system\r\nstart PsExec.exe -d @C:\\$\\.txt -u \\ -p cmd /c \"C:\\windows\\temp\\\"\r\nFigure 4: Line from the batch file used to execute Ryuk on each system\r\nConsistency in TrickBot Group Tags\r\nEach individual TrickBot sample beacons to its Command \u0026 Control (C2) infrastructure with a statically defined\r\n“gtag” that is believed to act as an identifier for distinct TrickBot customers. 
There has been significant uniformity\r\nin the gtags associated with TrickBot samples collected from the networks of victim organizations.\r\nThe instance of TrickBot identified as the likely initial infection vector for one intrusion was configured to\r\nuse the gtag ‘ser0918us’.\r\nAt the time of distribution, the C2 servers responding to TrickBot samples using the gtag\r\n‘ser0918us’ were sending commands to request that the malware scan victim networks, and then\r\npropagate across hosts via the TrickBot worming module.\r\nIt is possible that in some or all cases instances of TrickBot propagated via the malware’s worming\r\nmodule are configured to use different gtag values, specific to the same TrickBot client, designed to\r\nsimplify management of implants post-exploitation.\r\nA significant proportion of TrickBot samples obtained from the victim environments, including in the case\r\nwhere the infection vector was identified as a sample using gtag ‘ser0918us’, had gtags in the below\r\nformats. This may suggest that these gtags are used to manage post-exploitation instances of TrickBot for\r\ncampaigns distributed via gtag ‘ser0918us’ and other related gtags.\r\nlibxxx (ex: lib373, lib369, etc)\r\ntotxxx (ex: tot373, tot369, etc)\r\njimxxx (ex: jim373, jim369, etc)\r\nThe numbers appended to the end of each gtag appear to increment over time, and in some cases multiple\r\nsamples sharing the same compile time but using different gtags were observed in the same victim\r\nenvironment, though in each of these cases the numbers appended to the end of the gtag matched (e.g. two\r\ndistinct samples sharing the compile time 2018-12-07 11:28:23 were configured to use the gtags ‘jim371’\r\nand ‘tot371’).\r\nThe C2 infrastructure hard-coded into these samples overlaps significantly across samples sharing similar\r\ngtag values. However, there is also C2 infrastructure overlap between these samples and ones with\r\ndissimilar gtag values. 
These patterns may suggest the use of proxy infrastructure shared across multiple\r\nclients of the TrickBot administrator group.\r\nImplications\r\nThroughout 2018, FireEye observed an increasing number of cases where ransomware was deployed after the\r\nattackers gained access to the victim organization through other methods, allowing them to traverse the network to\r\nidentify critical systems and inflict maximum damage. SamSam operations, which date back to late 2015, were\r\narguably the first to popularize this methodology and TEMP.MixMaster is an example of its growing popularity\r\nwith threat actors. FireEye Intelligence expects that these operations will continue to gain traction throughout\r\n2019 due to the success these intrusion operators have had in extorting large sums from victim organizations.\r\nIt is also worth highlighting TEMP.MixMaster’s reliance on TrickBot malware, which is more widely distributed,\r\nto gain access to victim organizations. Following indiscriminate campaigns, threat actors can profile victims to\r\nidentify systems and users of interest and subsequently determine potential monetization strategies to maximize\r\ntheir revenue. 
Various malware families have incorporated capabilities that can aid in the discovery of high-value\r\ntargets, underscoring the necessity for organizations to prioritize proper remediation of all threats, not only those\r\nthat initially appear to be targeted.\r\nAcknowledgements\r\nThe authors would like to thank Brice Daniels, Edward Li, Eric Montellese, Sandor Nemes, Eric Scales, Brandan\r\nSchondorfer, Martin Tremblay, Isif Ibrahima, Phillip Kealy and Steve Rasch for their contributions to this blog\r\npost.\r\nPosted in\r\nThreat Intelligence\r\nSecurity \u0026 Identity\r\nSource: https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"MITRE",
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html"
	],
	"report_names": [
		"a-nasty-trick-from-credential-theft-malware-to-business-disruption.html"
	],
	"threat_actors": [
		{
			"id": "12211366-1f14-4eed-9d91-46b6a2ede618",
			"created_at": "2025-08-07T02:03:25.014713Z",
			"updated_at": "2026-04-10T02:00:03.624097Z",
			"deleted_at": null,
			"main_name": "GOLD ULRICK",
			"aliases": [
				"Grim Spider",
				"UNC1878"
			],
			"source_name": "Secureworks:GOLD ULRICK",
			"tools": [
				"Bloodhound",
				"Buer Loader",
				"Cobalt Strike",
				"Conti",
				"Diavol",
				"PowerShell Empire",
				"Ryuk",
				"SystemBC",
				"Team9 (aka BazarLoader)",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "8492b1a0-126f-4113-b8f7-101d28559629",
			"created_at": "2023-01-06T13:46:38.864213Z",
			"updated_at": "2026-04-10T02:00:03.126178Z",
			"deleted_at": null,
			"main_name": "GRIM SPIDER",
			"aliases": [
				"GOLD ULRICK"
			],
			"source_name": "MISPGALAXY:GRIM SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f6f91e1c-9202-4497-bf22-9cd5ef477600",
			"created_at": "2023-01-06T13:46:38.86765Z",
			"updated_at": "2026-04-10T02:00:03.12735Z",
			"deleted_at": null,
			"main_name": "WIZARD SPIDER",
			"aliases": [
				"TEMP.MixMaster",
				"GOLD BLACKBURN",
				"DEV-0193",
				"UNC2053",
				"Pistachio Tempest",
				"DEV-0237",
				"Storm-0230",
				"FIN12",
				"Periwinkle Tempest",
				"Storm-0193",
				"Trickbot LLC"
			],
			"source_name": "MISPGALAXY:WIZARD SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38",
				"ATK 117",
				"Alluring Pisces",
				"Black Alicanto",
				"Bluenoroff",
				"CTG-6459",
				"Citrine Sleet",
				"HIDDEN COBRA",
				"Lazarus Group",
				"Sapphire Sleet",
				"Selective Pisces",
				"Stardust Chollima",
				"T-APT-15",
				"TA444",
				"TAG-71"
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-10T02:00:05.244531Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f426f0a0-faef-4c0e-bcf8-88974116c9d0",
			"created_at": "2022-10-25T15:50:23.240383Z",
			"updated_at": "2026-04-10T02:00:05.299433Z",
			"deleted_at": null,
			"main_name": "APT38",
			"aliases": [
				"APT38",
				"NICKEL GLADSTONE",
				"BeagleBoyz",
				"Bluenoroff",
				"Stardust Chollima",
				"Sapphire Sleet",
				"COPERNICIUM"
			],
			"source_name": "MITRE:APT38",
			"tools": [
				"ECCENTRICBANDWAGON",
				"HOPLIGHT",
				"Mimikatz",
				"KillDisk",
				"DarkComet"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e6a21528-2999-4e2e-aaf4-8b6af14e17f3",
			"created_at": "2022-10-25T16:07:24.422115Z",
			"updated_at": "2026-04-10T02:00:04.983298Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"DEV-0193",
				"G0102",
				"Gold Blackburn",
				"Gold Ulrick",
				"Grim Spider",
				"ITG23",
				"Operation BazaFlix",
				"Periwinkle Tempest",
				"Storm-0230",
				"TEMP.MixMaster",
				"Wizard Spider"
			],
			"source_name": "ETDA:Wizard Spider",
			"tools": [
				"AdFind",
				"Agentemis",
				"Anchor_DNS",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"Conti",
				"Diavol",
				"Dyranges",
				"Dyre",
				"Dyreza",
				"Dyzap",
				"Gophe",
				"Invoke-SMBAutoBrute",
				"KEGTAP",
				"LaZagne",
				"LightBot",
				"PowerSploit",
				"PowerTrick",
				"PsExec",
				"Ryuk",
				"SessionGopher",
				"TSPY_TRICKLOAD",
				"Team9Backdoor",
				"The Trick",
				"TheTrick",
				"Totbrick",
				"TrickBot",
				"TrickLoader",
				"TrickMo",
				"Upatre",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434532,
	"ts_updated_at": 1775792171,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9415ef0578a832c08b56d78e367d8c85bfdcb33a.pdf",
		"text": "https://archive.orkl.eu/9415ef0578a832c08b56d78e367d8c85bfdcb33a.txt",
		"img": "https://archive.orkl.eu/9415ef0578a832c08b56d78e367d8c85bfdcb33a.jpg"
	}
}