Skip to content

Threat Intel Report Q4 2019

A comprehensive approach

Anticipate threats


Proactively harden your directory infrastructure

Uncover vulnerabilities and weak configurations to maintain strong security boundaries

AD admins, blue teams, and auditors

Detect attacks


Detect attacks in real time with our AD-specific threat intelligence

Make AD an integral part of your security practice with SIEM and SOAR integrations

Enable your threat hunters with AD-native investigation capabilities

SOC analysts and threat hunters

Respond to breaches


Replay attacks and hunt for patient zero

Remediate at machine-speed through our orchestration playbooks

Detect persistence mechanisms and kick them out for good

Incident responders

The features we are proud of

Cutting-edge security technology

Harden, detect, respond
All your practices extended to your most vital IT asset: Active Directory

True real-time
Live exposure visualization, immediate attack alerts

Step-by-step recommendations
A follow-the-guide approach for AD admins new to security

Intelligence-driven, AD-native
Beyond compliance, detect AD-specific attack patterns

Seamless end-to-end user experience

No agents, no privileges
An instant-on application with hardly a footprint on operations

Dashboard-oriented UX
To simplify decision-making
and prioritization

Simple, no-nonsense architecture
Using standard protocols and proven technologies

Native integrations with your other practices
Turbo-charge your SIEM, SOAR, and IAM solutions

Top 5 attack trends

Q4 2019

Supply chain attacks on the rise

After phishing, spear-phishing attacks still trendy

Specific attacks against public cloud coming

Crypto miners on the decline

Active Directory used for lateral movement and privilege escalation

Supply chain attacks on the rise

  • Supply chain attacks doubled in 2019 over 2018
  • Most software supply chain attacks are executed by installing malicious code into legitimate software
  • National cyber agencies created specific content to manage supply chain vendors: USA, France, etc.


  • ShadowHammer attack on ASUS
  • NordVPN attack
  • PrismWeb e-commerce attack

After phishing, spear-phishing attacks still trendy

  • Rise of sextortion email scam: hackers use passwords stolen from major data breaches to abuse users and make them pay Bitcoin ransom
  • Spear-phishing is more and more accurate using personal targeting
  • Increase of two bands attacks by sending emails from valid business addresses: the first victim is only used to attack the second one with a valid email address

Specific attacks against public cloud coming

  • Misconfigured cloud environments is a main cause of data breaches


  • Some unprotected Amazon servers provided Facebook users records exposition
  • A misconfiguration in the environment revealed several terabytes of sensitive data to the world

Crypto miners on the decline

  • Less attacks are directly installing crypto miners
  • Still, >70% of cryptocurrency transactions are done for illegal activity
  • Hackers are focusing on ransom attacks to get coins – not mining directly on the target network; they increase their ROI because the target network is not structured to mine

Active Directory used for lateral movement and privilege escalation

  • > 80% of the attacks are using Active Directory to perform lateral movement and privilege escalation
  • > 60% of the new malware include specific codes to target AD misconfiguration (Mimikatz, Rubeus, etc.)
  • Cheaper tools and kits to target AD: Cybercrime tools and kits can be purchased for as little as $1 on the dark web and online marketplaces
  • Main feedback from 2019: no need to be expert anymore to create a cybercrime tool targeting AD – just invest between 0.00013 and 0.00015 Bitcoins to buy a kit

market statistics

Cost of attacks

  • Cybercrime damages cost $6 trillion in 2019
  • Ransomware damages were estimated at $20 billion in 2019
  • On average, global cybercrime cost organizations $13 million in 2019

Feedback from the field

  • 49.6 days between breach discovery and reporting dates
  • >70% of cryptocurrency transactions are done for illegal activity
  • Security breaches up >11%
  • SMBs are targeted 43% of the time
  • Ransomware attacks occur every 14 seconds


  • The cybercrime economy has grown to at least $1.5 trillion in annual profits
  • The value of the cybersecurity market is anticipated to reach $300 billion by 2024, according to a 2019 press release by Global Market Insights, Inc.
  • $15 billion in cybersecurity funding
  • 9% increase in cybersecurity spending
  • Small businesses invest <$500 per year in cybersecurity products

Organizational maturity

Throughout 2019, Alsid met with organizations who invested significant resources in antivirus or EDR solutions. Still, they were hacked. The result? Discouragement.

ransomware rising

Ryuk in a nutshell

  • Huge increase of Ryuk ransomware attacks during the second half of Q4 2019
  • Ryuk is associated with WIZARD SPIDER – a Russian-based criminal organization targeting large organizations for high-ransom returns. This methodology is known as “big game hunting”
  • Ryuk includes some specific tools to use AD to perform escalation or lateral movement

Remarkable abilities:

  • Bypasses antivirus products
  • Maintains persistence on the targeted machine
  • Runs as legitimate process by injecting into Windows process
  • Terminates processes
  • Stops services

Ryuk behavior

The Ryuk binary is downloaded, and the following actions occur:

  • An obfuscated PowerShell script is executed and connects to a remote IP address
  • A reverse shell is downloaded and executed on the compromised host
  • PowerShell anti-logging scripts are executed on the host
  • Reconnaissance of the network is conducted using standard Windows command line tools
  • Lateral movement throughout the network is enabled using Remote Desktop Protocol (RDP)
  • Service User Accounts are created
  • PowerShell Empire is downloaded and installed as a service
  • Lateral movement is continued until privileges are recovered to obtain access to a domain controller
  • PSEXEC is used to push out the Ryuk binary to individual hosts
  • Batch scripts are executed to terminate processes/services and remove backups, followed by the Ryuk binary
  • Initial compromise is performed through TrickBot (not always, but often) or through Emotet which includes a download function to get Ryuk on the system
  • Pwgrab, a TrickBot module, can perform the first credentials hack

Malicious document files (droppers) distributed as attachments through phishing attacks


User is invited to open the attachment, then malicious code is run to download additional code: Trickbot or Emotet


TrojanSpy.Win32.TRICKBOT or TrojanSpy.Win32.EMOTET
Dropper downloads Trickbot or Emotet to be used for:
– Stealing credentials
– Downloading the ransomware


Performs lateral movement using Active Directory:
– MS17-010 vulnerability (SMB exploit)
– Networks shares (compromised accounts)
– PsExec


Upon execution, it performs its encryption routine


Local and shared files become encrypted
and ransom notes are activated

Ryuk ransom notes: RyukReadMe.txt

  • Various ransom notes have been observed
  • The body of the template is static with the exception of the email address and the Bitcoin (BTC) wallet address, which may change
  • Email address is using
  • The ransom demand varies significantly – we think WIZARD SPIDER calculates the ransom amount based on the size and value of the victim organization
  • To date, the lowest observed ransom was for 1.7 BTC, and the highest totaled 99 BTC
  • WIZARD SPIDER has made 705.80 BTC, which has a current value of $3.7 million (USD)

Our 2020 forecasts

  • Ransomware damages will increase
  • As malware kits become cheaper and cheaper, we will see a global movement from unknown criminal groups – in the coming months, a kid with no specific technical expertise could become a criminal from his bedroom
  • Active Directory will be the preferred target because the attacker already knows it resides in your organization
  • MacOS vulnerabilities are increasing; we will see more ransomware dedicated to MacOS; in large organizations, the MacOS is integrated in AD, presenting a new challenge for AD security professionals

Our solutions

Provide field-tested products
with a seamless end-to-end user experience

Break the dynamics of most modern threats to enterprises by preventing attacks from spreading internally

A technical expertise recognized and awarded worldwide

Comments are closed.

Download pdf

Want more insights?

Contact us