Threat Intelligence Report: Ryuk Ransomware

Date: 13/05/2019

Summary: Hermes ransomware, Ryuk’s predecessor, was first distributed in February 2017. Ryuk is a modified version of Hermes and started to appear in a public malware repository in mid-August 2018. Ryuk will encrypt files on network shares and on an infected computer’s file system. Malicious actors then encrypt all the network’s files and demand large sums, up to $5 million worth of Bitcoin (BTC), in exchange for a program to decrypt the files. Ryuk’s targets can be varied and indiscriminate, but attacks tend to focus on extorting high ransoms from organisations with high annual revenues.

Ryuk has been gathering momentum since its release: during Q4 of 2018 the average Bitcoin payment was listed at $6,733, and for Q1 of 2019 the average payment rose to $12,762. Ryuk’s attacks are becoming more sophisticated and targeted, and it is used in conjunction with some known and some undisclosed Remote Desktop Protocol vulnerabilities. It will prevent users from restoring data in a convenient manner.

Conclusions: Ransomware is one of the most devastating attacks for victims, and it offers criminals an easy pay-day with a low chance of getting caught. Victims could lose everything from personal data to the very infrastructure that their business relies on. Ryuk’s advanced capabilities and spreading ability increase both the damage and the likelihood that the victim will be willing to pay the ransom. This can cause a great deal of damage to an organisation, from loss of money to brand degradation.

Tactics, Techniques and Procedures: Ryuk was used in targeted attacks through an unknown infection method, but by January 2019 the ransomware was discovered targeting victims who had previously been attacked by the TrickBot malware. Large organisations would be targeted by spam emails that deliver the Emotet trojan in order to distribute the TrickBot malware (Emotet is used as a dropper for TrickBot). When a machine is infected with TrickBot, it begins to steal sensitive information and, if the company is an industry target, the Ryuk payload is delivered. This is distributed via huge spam campaigns and exploit kits. For example, the spreader.dll module of TrickBot exploits EternalBlue (CVE-2017-0143) to further propagate and to increase privileges to system level.

Phase One: Infection: Emotet Trojan

Emotet’s main distribution method is phishing emails, which use various social engineering techniques to trick a user into clicking a malicious link or downloading a malicious Microsoft Office file. Phase One starts with the attacker crafting a weaponised Microsoft Office document that is attached to a phishing email. The malicious file contains macro-based code and, once the victim opens the document, the file runs cmd (the Windows command prompt) and executes a PowerShell command. This command attempts to download the Emotet payload from different malicious domains.

After the payload has executed, it looks to continue its activity by infecting more devices and gathering information on the affected machine. It then initiates a download of the TrickBot trojan from a remote malicious host.
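The macro, cmd and PowerShell chain described in Phase One can be detected from process-creation telemetry. The following is an added example, not part of the original report: it walks each process's ancestry and flags PowerShell that was reached through cmd.exe from an Office application. The event fields, PIDs and paths are constructed assumptions.

```python
import ntpath
from collections import namedtuple

# Assumed event shape: one record per process creation (e.g. exported from EDR).
Event = namedtuple("Event", "pid ppid image cmdline")

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

def image_name(image):
    """Lower-cased file name of a Windows image path."""
    return ntpath.basename(image).lower()

def ancestry(event, by_pid, max_depth=8):
    """Image names from the process up to its oldest known ancestor."""
    chain, seen = [], set()
    # 'seen' and max_depth stop the walk on PID loops or very deep trees.
    while event and event.pid not in seen and len(chain) < max_depth:
        seen.add(event.pid)
        chain.append(image_name(event.image))
        event = by_pid.get(event.ppid)
    return chain

def office_spawned_powershell(events):
    """Return PowerShell events reached via cmd.exe from an Office application."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        chain = ancestry(e, by_pid)
        if chain[0] != "powershell.exe" or "cmd.exe" not in chain:
            continue
        above_cmd = chain[chain.index("cmd.exe") + 1:]
        if OFFICE.intersection(above_cmd):
            hits.append(e)
    return hits

# Constructed sample data, not taken from a real incident.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE = [
    Event(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    Event(200, 100, r"C:\Program Files\Microsoft Office\WINWORD.EXE", "WINWORD.EXE invoice.doc"),
    Event(210, 200, r"C:\Windows\System32\cmd.exe", "cmd.exe /c <constructed>"),
    Event(220, 210, PS, "powershell.exe <constructed download command>"),
    Event(300, 100, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    Event(310, 300, PS, "powershell.exe Get-Service"),   # admin use, not flagged
]

if __name__ == "__main__":
    for hit in office_spawned_powershell(SAMPLE):
        print("ALERT pid", hit.pid, hit.cmdline)
```

PIDs are reused over time on a real host, so production logic should key on a per-process unique ID where the telemetry source provides one.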

Phase Two: Lateral Movement: TrickBot Trojan

TrickBot is often called a banking trojan; however, over the years it has been modified to include advanced capabilities such as password collecting and detection evasion. This modular trojan will unpack itself in memory. When TrickBot has executed, an installation folder is created which will contain a copy of the malware, a settings.ini file and a Data folder. The Data folder contains malicious modules with their configuration files. To evade detection, the malicious modules are injected into legitimate processes, such as svchost. TrickBot will also try to disable and delete Windows Defender in order to avoid detection.

Overall, the modules will perform reconnaissance on the infected network, attempt to communicate with the TrickBot C2 server, and steal data from the browser, including cookies, URL hits, browsing history and HTML5 local storage. The modules will help the attacker determine if the affected machine meets the criteria for infection with the Ryuk ransomware. If it meets the criteria, an additional payload is downloaded using the credentials that were stolen by TrickBot, to perform lateral movement and reach the assets they wish to infect.

Phase Three: Delete & Encrypt: Ryuk Ransomware

The attacker will gather a list of domain controllers and targeted servers in the environment. Once they have a connection, they start to spread the Ryuk payload through the network via Windows administrative shares. These are hidden shares such as Admin$, IPC$, Share$ and C$ that are enabled by default for Windows admin purposes. A few files are dropped in the hidden shares, including a .bat script (COPY.bat). The script lists the targeted machines that were located, a copy of psexec.exe and the dropper Ryuk.exe. The payload is then executed by PsExec.

The Ryuk dropper stops multiple services related to antimalware products. It then kills multiple processes related to the antimalware product. The main payload injects itself into other processes and achieves persistence using the registry. The injected processes run a .bat file dropped by the malware. Ryuk will use vssadmin.exe to delete shadow copies and other backups of files before encrypting them. This forces the victim to make a payment in order to decrypt the files. Ryuk encrypts files and changes the extension to .RYK. A ransom note is then left on the victim’s machine (RyukReadMe.txt).
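PsExec and vssadmin.exe are also used by administrators, so each Phase Three artefact is a weak signal alone, but several on one host in a short window is a strong one. The following added example (not part of the original report) correlates PsExec execution, shadow-copy deletion and .RYK / RyukReadMe.txt file creation per host. The event schema, host names, paths and the 30-minute window are constructed assumptions, and PSEXESVC.exe is the service binary PsExec runs on the target.

```python
import ntpath
from datetime import datetime, timedelta

def stage(ev):
    """Map one event to a Phase Three stage named in the report, or None."""
    target = ev["target"].lower()              # image path or file path
    base, cmd = ntpath.basename(target), ev["cmdline"].lower()
    if ev["kind"] == "file":
        hit = target.endswith(".ryk") or base == "ryukreadme.txt"
        return "encryption" if hit else None
    if base in ("psexec.exe", "psexesvc.exe"):
        return "remote_exec"
    if base == "vssadmin.exe" and "delete" in cmd and "shadows" in cmd:
        return "shadow_delete"
    return None

def triage(events, window=timedelta(minutes=30), min_stages=2):
    """Return {host: stages} for hosts with >= min_stages stages in one window.

    A window is started at every matching event and the richest one is kept."""
    per_host = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        s = stage(ev)
        if s:
            per_host.setdefault(ev["host"], []).append((ev["time"], s))
    flagged = {}
    for host, seen in per_host.items():
        best = max(({s for t, s in seen[i:] if t - seen[i][0] <= window}
                    for i in range(len(seen))), key=len)
        if len(best) >= min_stages:
            flagged[host] = sorted(best)
    return flagged

def mk(hhmm, host, kind, target, cmdline=""):
    h, m = map(int, hhmm.split(":"))
    return {"time": datetime(2019, 5, 13, h, m), "host": host, "kind": kind,
            "target": target, "cmdline": cmdline}

# Constructed events; host names and paths are illustrative only.
VSS = r"C:\Windows\System32\vssadmin.exe"
SAMPLE = [
    mk("02:00", "FS01", "process", r"C:\Windows\PSEXESVC.exe"),
    mk("02:01", "FS01", "process", VSS, "vssadmin.exe Delete Shadows /all /quiet"),
    mk("02:05", "FS01", "file", r"D:\Finance\budget.xlsx.RYK"),
    mk("02:05", "FS01", "file", r"D:\Finance\RyukReadMe.txt"),
    mk("09:00", "ADMIN-PC", "process", r"C:\Tools\PsExec.exe", r"psexec \\FS02 ipconfig"),
    mk("10:00", "BK01", "process", VSS, "vssadmin list shadows"),
    mk("01:00", "WS07", "process", r"C:\Windows\PSEXESVC.exe"),
    mk("05:00", "WS07", "process", VSS, "vssadmin delete shadows /all"),
]

print(triage(SAMPLE))
```

Only FS01 is flagged: ADMIN-PC shows a single stage, BK01 only lists shadow copies, and the two WS07 events fall outside the window.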

Advice:

  • It is imperative that there is a backup strategy in place that is tested and that it also covers worst-case scenarios. Ryuk will search for backups and delete them so it can force victims to pay a ransom.
  • Backups must be kept offline; this is the only way to protect against a determined threat actor.
  • Regularly test backups for their integrity and whether they can be recovered. Scan backups for registry persistence and other malware infections (Emotet and/or TrickBot).
  • Ensure network segmentation.
  • Disable all macros, except those that are digitally signed.
  • Implement filters at the email gateway. Filter out emails with known malspam indicators and block suspicious IP addresses at the firewall.
  • Educate and train employees on social engineering and phishing (i.e. don’t open suspicious emails or click on the links provided in such emails).
  • Adhere to the Principle of Least Privilege (PLP): ensure that users have the minimum level of access required to accomplish their duties. Limit administrative credentials to designated admins.
  • Use antivirus programs on clients and servers, with automatic updates of signatures and software.
  • If there is not a policy regarding suspicious emails, consider creating one and specify that all suspicious emails should be reported to the security and/or IT departments.

If a machine is infected or believed to be infected:

  • Take the infected machines off the network.
  • Do not log in to infected systems using a domain or shared local admin accounts.
  • Issue password resets for both domain and local credentials. Also consider password resets for other applications that may have had stored credentials on the compromised machine(s).
