The past few months have seen a new ransomware variant emerge that is being distributed by the TrickBot malware. The appearance of this new ransomware, named Conti, coincided with an observed decrease in Ryuk deployments, which suggested that Conti is the “successor” of Ryuk. Some media outlets have also reported that Conti is an evolved version of Ryuk, suggesting that it was derived from the RYUK source code. While this may have been true for very early samples, a Red Sky analysis of recent Conti and Ryuk samples tells a different story. As we will show, the two share only capabilities that are common to other ransomware, and there are significant differences in implementation at the machine code level.
Ryuk, Brief History
The RYUK ransomware was initially identified in August 2018 by Check Point Research. RYUK is operated by the WIZARD SPIDER threat group, a Russian cybercrime group that also operates the TrickBot banking trojan infrastructure. These malware families are typically targeted at large organizations with the goal of ransoming victim data for high dollar amounts. The first ransom notes requested payments of between 15 and 50 BTC. In January 2019, CrowdStrike analysis of Bitcoin addresses associated with RYUK showed a cumulative net value of over 705 bitcoin, which at the time was equivalent to approximately $3.7 million USD. According to the FBI, RYUK operators had netted over $61 million USD over its lifetime as of February 2020.
Figure 1 RYUK Ransom note 14 OCT 2020. Source: Sophos
Ryuk Technical Analysis
From a technical perspective, RYUK evolved from the HERMES ransomware. As such, several core operational capabilities were initially shared:
- AES-256 encryption of files with a random key, random AES key encrypted with RSA-2048
- RSA keys stored inside the ransomware binary in Microsoft SIMPLEBLOB format
- Encrypts files stored on network shares and local drives
- Disables backup and OS services that could facilitate data recovery
RYUK is typically deployed manually by an attacker after gaining an initial foothold inside a victim network. It has also been observed being delivered as an email attachment in spear-phishing campaigns.
Over time, RYUK has evolved significantly. Recent 2020 samples have been observed with increased encryption speed compared to prior versions. This is achieved by dropping additional copies of the ransomware encrypter to disk and running them in parallel as separate operating system processes. RYUK also tries to inject itself into other processes.
RYUK takes extensive measures to disable enterprise backup services and OS services that could facilitate data recovery without paying the ransom, for example by deleting filesystem shadow copies and disabling Microsoft Windows’s Automatic Startup Repair feature. This is a common feature of ransomware, but RYUK’s capability covers a larger array of backup and recovery software than other ransomware.
Conti, Brief History
A suspected dev build of CONTI (2f334c0802147aa0eee90ff0a2b0e1022325b5cba5cb5236ed3717a2b0582a9c) was first reported by Twitter user @rbaby_mr in February 2020. Conti was first reported in the wild by Carbon Black in July 2020. In September 2020, the US Fourth District Court of Louisiana was reported to have been a victim of CONTI ransomware. No ransom amount was reported.
Figure 2 CONTI ransom note
Conti Technical Analysis
The origin of CONTI’s source code is unknown. While it does share some common capabilities with RYUK and other ransomware strains, Red Sky Alliance was unable to find any significant overlap in the code segments of RYUK and CONTI samples obtained from VirusTotal; SSDEEP fuzzy-hash comparison showed no overlap. Additionally, there were enough significant differences in the operational and implementation details to indicate that they are not related at the source code level.
Just like RYUK, CONTI can be deployed manually. This is evidenced by the fact that it can receive configuration parameters on the command line from the operator when the malware is launched; RYUK has no such configuration capability. CONTI can be configured from the command line in several ways:
- Infect local disks and mounted network shares
- ONLY infect network shares
- ONLY infect local disks
- ONLY infect network shares that are shared from a specific IP address
CONTI has also been seen in the wild attached to emails related to spear phishing campaigns.
CONTI achieves fast encryption by encrypting files in parallel using the Windows CreateThread API. This differs from RYUK’s technique of running multiple encrypter processes.
At launch, CONTI checks for a runtime marker to see if another instance of the encrypter is already running and, if so, terminates. This marker is the named mutex “_CONTI_”. Red Sky Alliance was able to prevent CONTI from encrypting a test victim VM by writing a small program that created an identical mutex: when launched, all the tested CONTI samples immediately exited without executing the encrypter payload. Incidentally, the ransomware appears to have received its name from this mutex.
Figure 3 _CONTI_ mutex creation
RYUK and CONTI share similar capabilities at only the most basic level; these features are also common to other ransomware strains:
- AES-256 file encryption with RSA encryption of AES keys
- Encrypts files stored on network shares and local drives
- Disables backup and OS services that could facilitate data recovery
CONTI differs from RYUK in several fundamental ways:
- RSA keys are stored inside the ransomware binary in Microsoft RSAPUBKEY struct format
- Parallel encryption achieved using CreateThread API
- A runtime marker mutex, _CONTI_, is created; if it is already present, the sample terminates without executing the payload. RYUK contains no infection marker.
- Ransom notes are very different, although they can easily be customized by the attacker.
- Windows DLL imports are obfuscated and manually resolved at runtime using LoadLibrary and GetProcAddress, whereas all RYUK DLL imports are plainly visible in the binary’s Import Address Table.
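The key-blob formats named in the lists above (SIMPLEBLOB for RYUK, RSAPUBKEY for CONTI) are Microsoft CryptoAPI structures, so an embedded RSA key can be located by its structure magic rather than by a per-sample signature. The following Python is added here as an analyst triage example, not code from Red Sky Alliance or from either malware family: it walks a byte buffer for RSAPUBKEY-based PUBLICKEYBLOB/PRIVATEKEYBLOB headers and reports the key size, exponent and modulus; the buffer it scans is a constructed sample, not a real CONTI or RYUK binary.

```python
# Find and parse Microsoft CryptoAPI RSA key blobs (BLOBHEADER + RSAPUBKEY + modulus)
# embedded in a binary. Added analyst example; the sample buffer below is constructed.
import struct

RSA1_MAGIC = 0x31415352      # "RSA1": RSAPUBKEY inside a PUBLICKEYBLOB
RSA2_MAGIC = 0x32415352      # "RSA2": RSAPUBKEY inside a PRIVATEKEYBLOB
PUBLICKEYBLOB, PRIVATEKEYBLOB = 0x06, 0x07
CALG_RSA_KEYX = 0x0000A400   # key-exchange RSA, the ALG_ID used for wrapping keys
HEADER = "<BBHIIII"          # bType, bVersion, reserved, aiKeyAlg, magic, bitlen, pubexp
HEADER_LEN = struct.calcsize(HEADER)  # 8-byte BLOBHEADER + 12-byte RSAPUBKEY


def parse_rsa_blob(buf, offset):
    """Parse the header at `offset` and the modulus after it; None if not a valid blob."""
    if len(buf) < offset + HEADER_LEN:
        return None
    btype, _ver, _res, alg, magic, bitlen, pubexp = struct.unpack_from(HEADER, buf, offset)
    # bType and magic must agree: public blobs carry RSA1, private blobs RSA2
    if (btype, magic) not in ((PUBLICKEYBLOB, RSA1_MAGIC), (PRIVATEKEYBLOB, RSA2_MAGIC)):
        return None
    if bitlen % 8 or not 512 <= bitlen <= 16384:       # reject implausible key sizes
        return None
    start, length = offset + HEADER_LEN, bitlen // 8
    if len(buf) < start + length:
        return None
    return {"offset": offset, "kind": "public" if btype == PUBLICKEYBLOB else "private",
            "alg_id": alg, "bitlen": bitlen, "pubexp": pubexp,
            # CryptoAPI stores the modulus little-endian, unlike DER/PEM keys
            "modulus": int.from_bytes(buf[start:start + length], "little")}


def scan_for_rsa_blobs(buf):
    """Return every RSA1/RSA2 blob in `buf` whose header and modulus parse cleanly."""
    found = []
    for magic in (b"RSA1", b"RSA2"):
        pos = buf.find(magic)
        while pos != -1:
            if pos >= 8:                  # the 8-byte BLOBHEADER precedes the magic
                blob = parse_rsa_blob(buf, pos - 8)
                if blob:
                    found.append(blob)
            pos = buf.find(magic, pos + 1)
    return found


# Constructed sample: a 2048-bit PUBLICKEYBLOB with filler bytes standing in for the modulus
SAMPLE_MODULUS = bytes(range(256))
SAMPLE_BLOB = (struct.pack("<BBHI", PUBLICKEYBLOB, 2, 0, CALG_RSA_KEYX)
               + struct.pack("<III", RSA1_MAGIC, 2048, 65537) + SAMPLE_MODULUS)
SAMPLE_BINARY = b"MZ" + b"\x00" * 100 + SAMPLE_BLOB + b"\x00" * 50
```

Running `scan_for_rsa_blobs` over a real sample reports each embedded key's file offset; a PRIVATEKEYBLOB hit is worth a closer look, since a ransomware binary normally ships only the public half.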
Red Sky Alliance is in New Boston, NH USA. We are a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941