What is Ryuk Ransomware?
Ryuk ransomware has been infecting victims since around 2018, and is believed to be based on the source code of Hermes ransomware, which was sold on an internet hacking forum back in 2017. Since its inception, Ryuk has been used to target large organizations to great effect, having accumulated as much as $61.26 million (as of Feb 2020) in ransom payments according to federal investigations.
One of the reasons behind Ryuk’s unfortunate success is the threat actor’s capacity to evolve their tactics, techniques and procedures (TTPs). Since early last year, the TrickBot information stealer trojan has been a more or less constant partner-in-crime, with many campaigns also including other malware, frameworks and tools. The mentioned campaign utilized the EMPIRE framework, and in later campaigns the same year Cybereason observed Emotet downloading TrickBot, which in turn deployed Ryuk.
In March of 2020, the threat actors temporarily stopped deploying Ryuk, and a new ransomware called Conti was introduced. Researchers found that the code bases were similar, implying this could be the successor to Ryuk. However, in September 2020 Ryuk made a swift return, and with Conti infections still happening alongside it, the evidence pointed to Conti not being a successor so much as a new, different strain of malware.
Shortly after the start of Ryuk’s hiatus, a new malware called BazarLoader was observed being delivered by TrickBot. Currently, evidence suggests that Ryuk, Conti and BazarLoader are used by the same threat actor.
Ryuk ransomware is most often seen as the final payload in a larger targeted attack against a corporation, and since its return in September it has mainly been delivered via TrickBot or BazarLoader infections.
Cybereason Detects and Blocks Ryuk Ransomware
Cybereason detects the various execution phases of Ryuk in detail, including process injection, persistence creation and shadow copy deletion as detailed below in the Execution Overview section. With the proper settings applied to sensors in the customer environment, Cybereason can stop the Ryuk ransomware before it encrypts user files.
With Anti-Ransomware mode enabled, the Ryuk execution is stopped before encrypting the hard drive. A ransom note can be found in folders where the malware attempted to encrypt files, but the user’s files were saved. If Anti-Malware is enabled, the sample will be removed before execution. The following video provides a quick demonstration of Cybereason’s detection and prevention capabilities against Ryuk ransomware:
Ryuk ransomware execution as detected by the Cybereason sensor
Once the Ryuk binary is executed, the sample creates a copy of itself and executes it with the argument “8 LAN” (the randomly named child process of Ryuk in the screenshot below, ltbyhrc.exe, is this copy). This function uses the device’s ARP table to find machines on the local LAN and sends Wake-on-LAN packets to them; if this is successful, it mounts the C$ share on the remote machine and proceeds to encrypt the remote drive.
Both the original binary and the dropped copy (ltbyhrc.exe) perform the same tasks - attempting to stop the services “audioendpointbuilder”, “samss” and “sqlwriter”, then attempting to delete shadow copies and create persistence. Before encryption, the malware also utilizes icacls.exe - a program to change Access Control Lists - to give itself full control over all files and folders on the C: and D: drives.
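The behaviours described above can be correlated per parent process in process-creation telemetry. The following is an added example, not Cybereason's detection logic or code from the original post. The command-line syntax in the patterns, the event layout and the sample events (host names, paths, sample.exe) are constructed assumptions; only ltbyhrc.exe, the “8 LAN” argument and the three service names come from the text.

```python
import re
from collections import defaultdict

# Behaviours named in the write-up. The command-line syntax each pattern
# expects is an assumption: the page names the tools, not the exact commands.
RULES = {
    "service_stop": re.compile(
        r'\b(?:net1?|sc)(?:\.exe)?\s+stop\s+"?(?:audioendpointbuilder|samss|sqlwriter)\b', re.I),
    "shadow_delete": re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I),
    "acl_full_control": re.compile(
        r'\bicacls(?:\.exe)?\s+"?[cd]:\\.*?/grant\s+\S+:\(?f\b', re.I),
    "lan_argument": re.compile(r'\.exe"?\s+8\s+LAN\s*$', re.I),
}

# Constructed process-creation events: (host, parent image, child command line).
SAMPLE_EVENTS = [
    ("WS-01", r"C:\Users\Public\sample.exe", r"C:\Users\Public\ltbyhrc.exe 8 LAN"),
    ("WS-01", r"C:\Users\Public\sample.exe", 'net stop "samss" /y'),
    ("WS-01", r"C:\Users\Public\sample.exe", "vssadmin delete shadows /all /quiet"),
    ("WS-01", r"C:\Users\Public\sample.exe", r'icacls "C:\*" /grant Everyone:F /T /C /Q'),
    ("WS-01", r"C:\Users\Public\ltbyhrc.exe", 'net stop "sqlwriter" /y'),
    ("WS-01", r"C:\Users\Public\ltbyhrc.exe", "vssadmin delete shadows /all /quiet"),
    ("WS-01", r"C:\Users\Public\ltbyhrc.exe", r'icacls "D:\*" /grant Everyone:F /T /C /Q'),
    # Routine administration that must not alert on its own:
    ("DB-02", r"C:\Windows\System32\cmd.exe", "net stop sqlwriter"),
    ("WEB-03", r"C:\Windows\System32\cmd.exe", r"icacls C:\inetpub /grant IIS_IUSRS:(RX)"),
]

def classify(command_line):
    """Return the set of behaviour names whose pattern matches one command line."""
    return {name for name, rx in RULES.items() if rx.search(command_line)}

def correlate(events, threshold=3):
    """Flag (host, parent) pairs that spawned >= threshold distinct behaviours."""
    seen = defaultdict(set)
    for host, parent, command_line in events:
        seen[(host, parent.lower())] |= classify(command_line)
    return {key: sorted(hits) for key, hits in seen.items() if len(hits) >= threshold}

if __name__ == "__main__":
    for (host, parent), hits in correlate(SAMPLE_EVENTS).items():
        print(f"{host} {parent}: {', '.join(hits)}")
```

Requiring several distinct behaviours from one parent keeps a lone `net stop sqlwriter` or a read-only `icacls` grant from alerting, while both the original binary and its dropped copy are flagged.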
The original binary can also be seen injecting into other processes, which Cybereason detects and tags with floating executable code suspicions.
Successful execution will encrypt the user files and append a .RYK extension to them. In order to avoid corrupting the system, certain files such as .DLL and .EXE files are not encrypted. Folders that are traversed by Ryuk contain a “RyukReadMe.html” file, which in this sample is very barebones and simply contains the name of the malware and a mail address without any further instructions. Perhaps the threat actors believe their reputation precedes them?
Left: encrypted files with .RYK name extensions. Right: Ryuk ransom note
For a more in-depth analysis of Ryuk, please refer to this Cybereason report: Triple Threat: Emotet Deploys TrickBot to Steal Data & Spread Ryuk.
MITRE ATT&CK Breakdown
INDICATORS OF COMPROMISE
Joakim Kandefelt is a Security Analyst at Cybereason and part of the Nocturnus Research Team.