Activity logs on a server used by the TrickBot trojan in post-compromise stages of an attack show that the actor takes an average of two weeks pivoting to valuable hosts on the network before deploying Ryuk ransomware.
After compromising the network, the attacker starts scanning for live systems that have specific ports open and stealing password hashes from the Domain Admin group.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.