New and Improved Version of Ryuk Ransomware

A new version of the Ryuk ransomware is capable of worm-like self-propagation within a local network, researchers have recently found. The variant first emerged in Windows-focused campaigns earlier in 2021, according to the French National Agency for the Security of Information Systems (ANSSI). The agency said that it achieves self-replication by scanning for network shares, and then copying a unique version of the ransomware executable (with the file name rep.exe or lan.exe) to each of them as they’re found. “Ryuk looks for network shares on the victim IT infrastructure. To do so, some private IP ranges are scanned: 10.0.0.0/8; 172.16.0.0/16; and 192.168.0.0/16,” according to a recent ANSSI report. “Once launched, it will thus spread itself on every reachable machine on which Windows Remote Procedure Call accesses are possible.”

The “new and improved” version of Ryuk also reads through infected devices’ Address Resolution Protocol (ARP) tables, which store the IP addresses and MAC addresses of any network devices that the machines communicate with. Then, according to ANSSI, it sends a “Wake-On-LAN” packet to each host, in order to wake up powered-off computers. “It generates every possible IP address on local networks and sends an ICMP ping to each of them,” according to ANSSI. “It lists the IP addresses of the local ARP cache and sends them a [wake-up] packet.”  Ryuk’s targets tend to be high-profile organizations where the attackers know they are likely to get paid their steep ransom demands.

For each identified host, Ryuk will then attempt to mount possible network shares using SMB, or Server Message Block, according to the report. SMB is the Windows file-sharing protocol that allows files on remote computers and servers to be shared, opened or edited. Once all of the available network shares have been identified or created, the payload is then installed on the new targets and is self-executed using a scheduled task, allowing Ryuk to encrypt the targets’ content and delete any Volume Shadow Copies to prevent file recovery. “The scheduled task is created through a call to the schtasks.exe system tool, a native-Windows tool,” ANSSI explained.
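As an added example (not code from the article or from the ANSSI report), the following Python detector flags the propagation chain described above when run over constructed Sysmon-style events: the rep.exe/lan.exe payload being written to an administrative share, schtasks.exe creating a task that runs that payload, and shadow-copy deletion. The event format, host names and paths are constructed, and shadow-copy deletion is assumed to be done via vssadmin, which the report does not state.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style events (not real telemetry). Fields: host, event, detail.
SAMPLE_EVENTS = [
    {"host": "WS01", "event": "FileCreate", "detail": r"\\WS07\C$\Users\Public\rep.exe"},
    {"host": "WS01", "event": "FileCreate", "detail": r"\\WS09\ADMIN$\lan.exe"},
    {"host": "WS07", "event": "ProcessCreate",
     "detail": r'schtasks.exe /create /tn update /tr "C:\Users\Public\rep.exe" /sc once'},
    {"host": "WS07", "event": "ProcessCreate",
     "detail": "vssadmin.exe delete shadows /all /quiet"},
    # Benign noise: a legitimate task and an ordinary document write.
    {"host": "WS03", "event": "ProcessCreate",
     "detail": r'schtasks.exe /create /tn backup /tr "C:\tools\backup.exe"'},
    {"host": "WS03", "event": "FileCreate", "detail": r"C:\Users\bob\report.docx"},
]

# Payload names named in the ANSSI report; paths like \\host\C$ or \\host\ADMIN$.
PAYLOAD_NAME = re.compile(r"\\(rep|lan)\.exe$", re.IGNORECASE)
ADMIN_SHARE = re.compile(r"^\\\\[^\\]+\\[^\\]+\$")
# schtasks /create whose /tr target is the payload.
SCHTASKS_PAYLOAD = re.compile(
    r'schtasks(\.exe)?\s+/create.*?/tr\s+"?[^"]*\\(rep|lan)\.exe', re.IGNORECASE)
# Assumed shadow-copy deletion command (vssadmin is an assumption, not from the report).
SHADOW_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE)


def classify(event):
    """Map one event to a propagation-chain indicator name, or None if benign."""
    ev, detail = event["event"], event["detail"]
    if ev == "FileCreate" and ADMIN_SHARE.match(detail) and PAYLOAD_NAME.search(detail):
        return "payload_dropped_on_share"
    if ev == "ProcessCreate":
        if SCHTASKS_PAYLOAD.search(detail):
            return "schtasks_runs_payload"
        if SHADOW_DELETE.search(detail):
            return "shadow_copy_deletion"
    return None


def detect(events):
    """Return {host: sorted indicator names} for every host with at least one hit."""
    hits = defaultdict(set)
    for event in events:
        tag = classify(event)
        if tag:
            hits[event["host"]].add(tag)
    return {host: sorted(tags) for host, tags in hits.items()}


if __name__ == "__main__":
    for host, tags in detect(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(tags)}")
```

WS01 is the host spreading the payload to others, while WS07 shows the execution-and-encryption stage; a host with both stages is both victim and spreader.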

The files are encrypted using Microsoft CryptoAPI with the AES256 algorithm, using a unique AES key which is generated for each file. The AES key is also wrapped with an RSA public key stored in the binary code, according to the analysis. The malware also interrupts multiple programs based on hardcoded lists, including a list of 41 processes to be killed (task kill) and a list of 64 services to stop, ANSSI found.

As for avoiding infection, Ryuk ransomware is usually loaded by an initial “dropper” malware that acts as the tip of the spear in any attack; these include Emotet, TrickBot, Qakbot and Zloader, among others. From there, the attackers look to escalate privileges in order to set up for lateral movement. An effective defense thus should involve developing countermeasures that will prevent that initial foothold.

Once infected, things become more complicated. In the 2021 campaign observed by ANSSI researchers, the initial infection point is a privileged domain account. And the analysis shows that the worm-like spread of this version of Ryuk cannot be thwarted simply by choking off this initial infection point. “A privileged account of the domain is used for malware propagation,” according to the report. “If this user’s password is changed, the replication will continue as long as the Kerberos tickets [authentication keys] are not expired. If the user account is disabled, the issue will remain the same.” In addition to the self-propagation functions, this version of Ryuk also lacks any exclusion mechanisms, meaning that there’s nothing preventing infections of the same machine over and over again, which makes eradication more difficult.

Previous versions of the malware used Mutual Exclusion Objects (MUTEX) to make sure that any given host had access to only one Ryuk process at a time. “As the malware does not check if a machine has already been infected, no simple system object creation that could prevent infection,” according to the ANSSI report.

One way to tackle an active infection, ANSSI recommended, would be to change the password or disable the account for the privileged user, and then proceed to force a domain password change through KRBTGT. The KRBTGT is a local default account found in Active Directory that acts as a service account for the Key Distribution Center (KDC) service for Kerberos authentication.  “This would induce many disturbances on the domain – and most likely require many reboots – but would also immediately contain the propagation,” according to ANSSI.

The Ryuk ransomware was first observed in 2018, as a variant of the Hermes 2.1 ransomware. But unlike Hermes, it is not sold on underground markets like the Exploit forum. “A doubt…remains as to the origins of Ryuk,” according to ANSSI’s report. “The appearance of Ryuk could…be a result of the acquisition of the Hermes 2.1 source code by another attacker group, which may have developed Ryuk from this starting point.” It is suspected that a group named CryptoTech could have been the developer of Hermes and, later, of Ryuk. Ryuk is the name of a fictional character in a popular Japanese comic book and cartoon series.

Deloitte researchers have theorized that Ryuk is sold as a toolkit to attacker groups, which use it to develop their own “flavors” of the ransomware. There could therefore be as many variants as there are attacker groups that buy the code.  In early 2021, it was estimated that Ryuk operators have raked in at least $150 million, according to an examination of the malware’s money-laundering operations.

Red Sky Alliance has been analyzing and documenting cyber threats for 9 years and maintains a resource library of malware and cyber actor reports available at https://redskyalliance.org at no charge.

What can you do to better protect your organization today?

  • All data in transmission and at rest should be encrypted.
  • Proper data back-up and off-site storage policies should be adopted and followed.
  • Implement two-factor authentication company-wide.
  • For USA readers, join and become active in your local Infragard chapter; there is no charge for membership (infragard.org).
  • Update disaster recovery plans and emergency procedures with cyber threat recovery procedures. And test them.
  • Institute cyber threat and phishing training for all employees, with testing and updating.
  • Recommend/require cyber security software, services and devices to be used by all at home working employees and consultants.
  • Review and update your cyber threat and information security policies and procedures. Make them a part of all emergency planning and training.
  • Ensure that all software updates and patches are installed immediately.
  • Enroll your company/organization in RedXray for daily notifications of cyber threats that are directed at your domains. The RedXray service is $500 a month and provides threat intelligence on nine (9) cyber threat categories, including keyloggers, without having to connect to your network.
  • Purchase annual cyber insurance coverage from Red Sky Alliance provided by Cysurance.


Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com.


Reporting: https://www.redskyalliance.org/

Website: https://www.wapacklabs.com/

LinkedIn: https://www.linkedin.com/company/wapacklabs/

Twitter: https://twitter.com/wapacklabs?lang=en

Weekly Cyber Intelligence Briefings: https://attendee.gotowebinar.com/register/8782169210544615949

 TR-21-062-001_New_Ryuk_Ransomware.pdf