
RYUK ransomware attacks on AD

Malicious code keeps evolving. A recent article () shows that the RYUK ransomware is far from ordinary ransomware.

As Figure 1 shows, the ransomware is highly sophisticated: rather than stopping at a handful of computers, it attacks Active Directory itself.

Figure 1. RYUK ransomware attacks Active Directory misconfigurations.

Notice the different steps and references to Active Directory:

• “Sensitive data is funneled out of the network to the attacker’s servers”
• “Group Policy”
• “establish persistence”

What can be done to reduce the effectiveness of this attack?

• “Sensitive data is funneled out of the network to the attacker’s servers”
– Fix misconfigurations of user attributes
– Fix misconfigurations of groups
– Clean up privileged groups
– Correct AD process configurations (e.g. SDProp)
– Secure service principal names (SPNs)
– Correct and secure trust relationships
– Clean up the SIDHistory attribute for users
– Clean up AD delegations

• “Group Policy”
– Clean up Group Policy delegations
– Secure Group Policy structural components
– Enable security settings deployed by GPOs
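The two lists above are verification steps. The following is an added example (not code from the original post, and not Alsid's product) showing how a read-only audit of those items could be run with the RSAT ActiveDirectory and GroupPolicy modules. The privileged-group list, the set of "broad" trustees and the output path are assumptions to adjust to your own forest.

```powershell
# Added example, not from the original post or Alsid's product: a read-only
# audit of the AD hygiene items listed above. Runs as a domain user with
# read access to the directory; the group list, broad trustees and output
# path are assumptions.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$Findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding {
    param([string]$Area, [string]$Object, [string]$Detail)
    $Findings.Add([pscustomobject]@{ Area = $Area; Object = $Object; Detail = $Detail })
}

# 1. SIDHistory: an object still carrying a SID from a migrated or foreign
#    domain holds whatever rights that SID has in the domain that issued it.
Get-ADObject -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory | ForEach-Object {
    Add-Finding 'SIDHistory' $_.DistinguishedName ('SIDs: ' + ($_.sIDHistory -join ', '))
}

# 2. Privileged groups: resolve membership recursively so nested and stale
#    members can be reviewed. The group list is an assumption.
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
                    'Administrators', 'Account Operators', 'Backup Operators'
$PrivilegedDNs = [System.Collections.Generic.HashSet[string]]::new()
foreach ($g in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue | ForEach-Object {
        [void]$PrivilegedDNs.Add($_.DistinguishedName)
        Add-Finding 'PrivilegedGroup' $_.DistinguishedName "Member of $g"
    }
}

# 3. SDProp: users with adminCount=1 that are no longer in a protected group
#    keep the AdminSDHolder ACL and blocked inheritance ("orphaned" accounts).
Get-ADUser -LDAPFilter '(&(adminCount=1)(!(samAccountName=krbtgt)))' |
    Where-Object { -not $PrivilegedDNs.Contains($_.DistinguishedName) } |
    ForEach-Object { Add-Finding 'SDProp' $_.DistinguishedName 'adminCount=1 but not in a privileged group' }

# 4. SPNs: a user account (not a gMSA or computer) with an SPN is a service
#    account whose password strength protects that service; a privileged one
#    is a high-value target, so it is flagged separately.
Get-ADUser -LDAPFilter '(&(servicePrincipalName=*)(!(samAccountName=krbtgt)))' -Properties servicePrincipalName, adminCount |
    ForEach-Object {
        $sev = if ($_.adminCount -eq 1) { 'privileged' } else { 'standard' }
        Add-Finding 'SPN' $_.DistinguishedName ("$sev user with SPN(s): " + ($_.servicePrincipalName -join ', '))
    }

# 5. Delegation: unconstrained Kerberos delegation (TRUSTED_FOR_DELEGATION,
#    0x80000) on anything that is not a DC (SERVER_TRUST_ACCOUNT, 0x2000).
$unconstrained = '(&(userAccountControl:1.2.840.113556.1.4.803:=524288)(!(userAccountControl:1.2.840.113556.1.4.803:=8192)))'
Get-ADObject -LDAPFilter $unconstrained | ForEach-Object {
    Add-Finding 'Delegation' $_.DistinguishedName 'Unconstrained delegation on a non-DC'
}

# 6. Trusts: report direction, transitivity, and whether SID filtering and
#    selective authentication are in force.
Get-ADTrust -Filter * | ForEach-Object {
    Add-Finding 'Trust' $_.Name ('Direction={0}; ForestTransitive={1}; SIDFilteringQuarantined={2}; SIDFilteringForestAware={3}; SelectiveAuthentication={4}' -f
        $_.Direction, $_.ForestTransitive, $_.SIDFilteringQuarantined, $_.SIDFilteringForestAware, $_.SelectiveAuthentication)
}

# 7. Group Policy delegation: a broad principal that can edit a GPO controls
#    the settings applied to every machine and user in that GPO's scope.
$BroadTrustees = 'Authenticated Users', 'Everyone', 'Domain Users', 'Domain Computers'   # assumption
$EditRights = @('GpoEdit', 'GpoEditDeleteModifySecurity')
foreach ($gpo in Get-GPO -All) {
    foreach ($perm in (Get-GPPermission -Guid $gpo.Id -All)) {
        if ($perm.Trustee.Name -in $BroadTrustees -and $perm.Permission.ToString() -in $EditRights) {
            Add-Finding 'GPODelegation' $gpo.DisplayName "$($perm.Trustee.Name) has $($perm.Permission)"
        }
    }
}

$Findings | Sort-Object Area, Object | Format-Table -AutoSize
$Findings | Export-Csv -Path .\ad-hygiene-findings.csv -NoTypeInformation   # path is an assumption
```

The script only reads; each finding is something to review rather than something to change automatically. Trust entries are reported in full rather than scored, because whether SID filtering or selective authentication is acceptable depends on what the trust is for.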

• “establish persistence”
– Ensure privileged group membership is monitored
– Detect DCShadow and DCSync attacks
– Detect lateral movement attacks
– Detect dangerous SIDHistory settings
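The four detection items above map onto specific Security log events on a domain controller. The following is an added example (not code from the original post, and not Alsid's product) that scans one DC's Security log for those signals. It assumes the DC audits the "Directory Service Access" and "Account Management" subcategories, that the script runs with rights to read the log and the ActiveDirectory module, and that the allow list, jump-host addresses, group list and look-back window are placeholders to replace with your own values.

```powershell
# Added example, not from the original post or Alsid's product: scan a DC's
# Security log for DCSync, DCShadow, privileged-group changes, SIDHistory
# changes and suspicious logons to the DC. Assumes auditing is enabled for
# Directory Service Access and Account Management; the lists below are
# placeholders.
Import-Module ActiveDirectory
$Since = (Get-Date).AddHours(-24)
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
$ReplicationAllowList = @('svc-dirsync-example')      # accounts legitimately allowed to replicate (assumption)
$AdminJumpHosts = @('10.0.0.10', '10.0.0.11')          # constructed sample addresses
$LocalOrJumpHost = @('-', '127.0.0.1', '::1') + $AdminJumpHosts
$DcAccounts = (Get-ADDomainController -Filter *).Name | ForEach-Object { "$_`$" }

# Control-access-right GUIDs written to event 4662's Properties field when a
# replication right is exercised; a non-DC principal doing this is a DCSync.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}
# SPNs a rogue DCShadow "DC" must register on its computer object: the DRS
# interface GUID and a global-catalog SPN.
$DcShadowSpnPattern = 'E3514235-4B06-11D1-AB04-00C04FC2DCD2|(^|\s)GC/'

function ConvertTo-EventData {
    # Flatten the EventData block of a Security event into a Name -> value table.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $h = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $h[[string]$d.Name] = [string]$d.'#text' }
    return $h
}

$Alerts = [System.Collections.Generic.List[object]]::new()
function Add-Alert {
    param([string]$Type, [datetime]$When, [string]$Actor, [string]$Detail)
    $Alerts.Add([pscustomobject]@{ Type = $Type; Time = $When; Actor = $Actor; Detail = $Detail })
}
function Get-SecurityEvents {
    param([int[]]$Id)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $Id; StartTime = $Since } -ErrorAction SilentlyContinue
}

# 1. DCSync: replication rights used by anything but a DC or an allow-listed account.
foreach ($e in Get-SecurityEvents 4662) {
    $d = ConvertTo-EventData $e
    $rights = @($ReplicationRights.Keys | Where-Object { $d['Properties'] -match $_ })
    if ($rights.Count -gt 0 -and $d['SubjectUserName'] -notin $DcAccounts -and $d['SubjectUserName'] -notin $ReplicationAllowList) {
        Add-Alert 'DCSync' $e.TimeCreated $d['SubjectUserName'] (($rights | ForEach-Object { $ReplicationRights[$_] }) -join ', ')
    }
}

# 2. DCShadow: a computer account that is not a real DC receives DC replication SPNs (4742 = computer account changed).
foreach ($e in Get-SecurityEvents 4742) {
    $d = ConvertTo-EventData $e
    if ($d['TargetUserName'] -notin $DcAccounts -and $d['ServicePrincipalNames'] -match $DcShadowSpnPattern) {
        Add-Alert 'DCShadow' $e.TimeCreated $d['SubjectUserName'] "$($d['TargetUserName']) now holds DC replication SPNs"
    }
}

# 3. Privileged group changes: 4728 (global), 4732 (domain local), 4756 (universal) member added.
foreach ($e in Get-SecurityEvents 4728, 4732, 4756) {
    $d = ConvertTo-EventData $e
    if ($d['TargetUserName'] -in $PrivilegedGroups) {
        Add-Alert 'PrivilegedGroupAdd' $e.TimeCreated $d['SubjectUserName'] "$($d['MemberName']) added to $($d['TargetUserName'])"
    }
}

# 4. SIDHistory: 4765 (added) and 4766 (add attempted and failed); both are abnormal outside a migration window.
foreach ($e in Get-SecurityEvents 4765, 4766) {
    $d = ConvertTo-EventData $e
    Add-Alert 'SIDHistoryChange' $e.TimeCreated $d['SubjectUserName'] "Event $($e.Id) on $($d['TargetUserName'])"
}

# 5. Lateral movement onto the DC: RDP (logon type 10) or NTLM network logons
#    (type 3) by user accounts from anywhere other than the admin jump hosts.
foreach ($e in Get-SecurityEvents 4624) {
    $d = ConvertTo-EventData $e
    $suspiciousType = ($d['LogonType'] -eq '10') -or ($d['LogonType'] -eq '3' -and $d['AuthenticationPackageName'] -eq 'NTLM')
    if ($suspiciousType -and $d['TargetUserName'] -notlike '*$' -and $d['IpAddress'] -notin $LocalOrJumpHost) {
        Add-Alert 'DCLogon' $e.TimeCreated $d['TargetUserName'] "Logon type $($d['LogonType']) ($($d['AuthenticationPackageName'])) from $($d['IpAddress'])"
    }
}

$Alerts | Sort-Object Time | Format-Table -AutoSize
```

Event 4662 is only written for objects whose SACL audits the relevant rights, so confirm the domain naming context actually audits extended-rights use before relying on the DCSync check. The 4624 filter is deliberately narrow (RDP and NTLM only) because Kerberos network logons to a DC are constant background noise; in a real deployment this logic belongs in a SIEM that sees every host's log, not just the DC's.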

The existing AD infrastructure must be verified and cleaned up. Then real-time detection needs to be implemented. Alsid can do all of these tasks in real time, without agents or privileges.

For more information on this topic and strategies for strengthening your own security operations, visit or reach out to

