Researchers said the group was able to move from initial phish to full domain-wide encryption in just five hours. The attack started with a phishing email carrying a version of the Bazar loader, researchers said. From there the attackers used a mix of commodity tools, including Cobalt Strike, AdFind, WMI and PowerShell, to reach their objective. To take over the domain they used the Zerologon privilege-escalation bug (CVE-2020-1472), a flaw in the Netlogon protocol that lets an unauthenticated attacker with network access to a domain controller reset the controller's machine-account password and thereby compromise all Active Directory identity services. Microsoft had patched the bug in its August 2020 updates, so the attack relied on unpatched domain controllers.
Source: https://threatpost.com/ryuk-ransomware-gang-zerologon-lightning-attack/160286/
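The Zerologon step described above leaves traces a defender can look for. The following is an added example, not code from the article or from the researchers it cites: it triages a handful of constructed Windows event records for two indicators. Patched domain controllers log Netlogon System-log events 5827/5828 (vulnerable secure-channel connection denied) and 5829 (vulnerable connection allowed), and the public exploit's reset of the DC machine-account password surfaces as Security event 4742 (computer account changed) against a domain controller's account. The domain controller names, the record layout (flattened to a few fields) and every sample record are hypothetical and constructed for this example.

```python
"""Triage constructed Windows event records for Zerologon (CVE-2020-1472) indicators.

Added example; the records below are constructed and simplified, not taken from
any real log. Indicators used:
  * System log, source Netlogon: 5827/5828 (vulnerable Netlogon secure-channel
    connection denied) and 5829 (vulnerable connection allowed).
  * Security log: 4742 (computer account changed) where the target is a domain
    controller machine account and PasswordLastSet was updated by someone other
    than the account itself. Machine accounts rotate their own password on a
    schedule, so a self-change is expected; a change by ANONYMOUS LOGON is the
    pattern the public exploit produces.
"""

# Hypothetical domain controller machine accounts for this example.
DC_ACCOUNTS = {"DC01$", "DC02$"}

# Constructed sample records: a mix of benign and suspicious events.
EVENTS = [
    # Benign: a DC updating an ordinary workstation object, password untouched.
    {"Time": "2020-10-18T09:01:10", "Log": "Security", "EventID": 4742,
     "SubjectUserName": "DC01$", "TargetUserName": "WS-FINANCE-07$",
     "PasswordLastSet": "-"},
    # Suspicious: DC allowed a vulnerable Netlogon connection from a device.
    {"Time": "2020-10-18T09:14:52", "Log": "System", "EventID": 5829,
     "SubjectUserName": "-", "TargetUserName": "LEGACY-NAS$",
     "PasswordLastSet": "-"},
    # High: DC01's machine-account password reset by an unauthenticated caller.
    {"Time": "2020-10-18T09:15:03", "Log": "Security", "EventID": 4742,
     "SubjectUserName": "ANONYMOUS LOGON", "TargetUserName": "DC01$",
     "PasswordLastSet": "10/18/2020 09:15:03"},
    # Benign: DC02 rotating its own machine-account password.
    {"Time": "2020-10-18T09:15:30", "Log": "Security", "EventID": 4742,
     "SubjectUserName": "DC02$", "TargetUserName": "DC02$",
     "PasswordLastSet": "10/18/2020 09:15:30"},
    # Suspicious: DC refused a vulnerable Netlogon connection (patched DC).
    {"Time": "2020-10-18T09:20:11", "Log": "System", "EventID": 5827,
     "SubjectUserName": "-", "TargetUserName": "WS-HR-03$",
     "PasswordLastSet": "-"},
]


def triage(events, dc_accounts):
    """Return (severity, indicator, event) tuples for records worth a look."""
    findings = []
    for ev in events:
        eid = ev["EventID"]
        if eid in (5827, 5828):
            findings.append(("medium", "vulnerable_netlogon_denied", ev))
        elif eid == 5829:
            findings.append(("medium", "vulnerable_netlogon_allowed", ev))
        elif eid == 4742:
            target = ev["TargetUserName"]
            # Only DC machine accounts matter, and only if the password changed.
            if target not in dc_accounts or ev["PasswordLastSet"] == "-":
                continue
            # A machine account resetting its own password is scheduled rotation.
            if ev["SubjectUserName"] == target:
                continue
            severity = "high" if ev["SubjectUserName"] == "ANONYMOUS LOGON" else "medium"
            findings.append((severity, "dc_machine_password_changed", ev))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'high': 1, 'medium': 2}."""
    counts = {}
    for severity, _indicator, _ev in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


if __name__ == "__main__":
    for severity, indicator, ev in triage(EVENTS, DC_ACCOUNTS):
        print(f"{ev['Time']} {severity:6} {indicator:30} "
              f"id={ev['EventID']} target={ev['TargetUserName']} "
              f"by={ev['SubjectUserName']}")
    print(summarize(triage(EVENTS, DC_ACCOUNTS)))
```

In a real environment the 4742 rule should be fed the actual list of domain controller accounts rather than a hard-coded set, and the 5827/5828/5829 events only appear on controllers that already have the August 2020 update installed; their absence on an unpatched DC is not evidence that nothing happened.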

