A recently discovered ransomware group has netted almost $4 million since August, in large part by following a path that’s uncommon in its industry—selectively installing the malicious encryption software on previously infected targets with deep pockets. The method differs from the usual one of indiscriminately infecting all possible victims. That’s the take of two analyses published Thursday, one by security firm CrowdStrike and the other by competitor FireEye.

Both reports say that Ryuk, as the ransomware is known, infects large enterprises days, weeks, or as much as a year after they were initially infected by separate malware, which in most cases is an increasingly powerful trojan known as Trickbot. Smaller organizations infected by Trickbot, by contrast, don’t suffer the follow-on attack by Ryuk. CrowdStrike called the approach “big-game hunting” and said it allowed its operators to generate $3.7 million worth of Bitcoin across 52 transactions since August.

Besides pinpointing targets with the resources to pay hefty ransoms, the modus operandi has another key benefit: the “dwell time”—that is, the period between the initial infection and the installation of the ransomware—gives the attackers time to perform valuable reconnaissance inside the infected network. The reconnaissance lets attackers CrowdStrike dubs Grim Spider maximize the damage it causes by unleashing the ransomware only after it has identified the most critical systems of the network and obtained the passwords necessary to infect them.

CrowdStrike researcher Alexander Hanel wrote:

Some of TrickBot’s modules (such as pwgrab) could aid in recovering the credentials needed to compromise environments—the SOCKS module in particular has been observed tunneling PowerShell Empire traffic to perform reconnaissance and lateral movement. Through CrowdStrike IR engagements, GRIM SPIDER has been observed performing the following events on the victim’s network, with the end goal of pushing out the Ryuk binary: An obfuscated PowerShell script is executed and connects to a remote IP address.

A reverse shell is downloaded and executed on the compromised host.

PowerShell anti-logging scripts are executed on the host.

Reconnaissance of the network is conducted using standard Windows command-line tools along with external uploaded tools.

Lateral movement throughout the network is enabled using Remote Desktop Protocol (RDP).

Service User Accounts are created.

PowerShell Empire is downloaded and installed as a service.

Lateral movement is continued until privileges are recovered to obtain access to a domain controller.

PSEXEC is used to push out the Ryuk binary to individual hosts.

Batch scripts are executed to terminate processes/services and remove backups, followed by the Ryuk binary.

Remember Samsam?

While uncommon, the reconnaissance isn’t unique to Ryuk. SamSam—an unrelated ransomware that’s caused millions of dollars of damage infecting networks belonging to the City of Atlanta, Baltimore’s 911 system, and Boeing, to name just a few—follows a similar path. There’s no doubt, however, the technique is effective. According to federal prosecutors, SamSam operators recovered more than $6 million in ransom payments and caused more than $30 million in damage.

Both FireEye and CrowdStrike downplayed reports Ryuk is the product of North Korean actors. That attribution was largely based on an incomplete reading of this report from CheckPoint Software, which found code similarities between Ryuk, and Hermes. CrowdStrike went on to say it has medium-high confidence that the attackers behind Ryuk operate out of Russia. The company cited a variety of evidence that led to that assessment, including a Russian IP address being used to to upload files used by Ryuk to a scanning service and the malware leaving traces on an infected network that were written in the Russian language.

Thursday’s reports leave little doubt that this approach is likely to grow more common.

“Throughout 2018, FireEye observed an increasing number of cases where ransomware was deployed after the attackers gained access to the victim organization through other methods, allowing them to traverse the network to identify critical systems and inflict maximum damage,” the FireEye researchers wrote. “SamSam operations, which date back to late 2015, were arguably the first to popularize this methodology, and [Ryuk] is an example of its growing popularity with threat actors. FireEye Intelligence expects that these operations will continue to gain traction throughout 2019 due the success these intrusion operators have had in extorting large sums from victim organizations.”