
Fall 2019 Threat of the Quarter: Ryuk Ransomware

Throughout 2019, state, local, tribal, and territorial (SLTT) government entities increasingly encountered ransomware attacks resulting in significant network downtime, delayed services to constituents, and costly remediation efforts. Currently, Ryuk ransomware is one of the most prevalent variants in the SLTT threat landscape, with infections doubling from the second to the third quarter of the year. The increase in Ryuk infections was so great that the MS-ISAC saw twice as many infections in July as in the entire first half of the year. In the third quarter alone, the MS-ISAC observed Ryuk activity across 14 states.

What it is

Ryuk is a type of crypto-ransomware that uses encryption to block access to a system, device, or file until a ransom is paid. Ryuk is often dropped on a system by other malware, most notably TrickBot (featured in last quarter’s Threat of the Quarter), or gains access to a system via Remote Desktop Services. Ryuk demands payment in Bitcoin cryptocurrency and directs victims to deposit the ransom in a specific Bitcoin wallet. The ransom demand is typically between 15-50 Bitcoins, which is roughly $100,000-$500,000 depending on the price conversion. Once on a system, Ryuk spreads through the network using PsExec or Group Policy, trying to infect as many endpoints and servers as possible. The malware then begins the encryption process, specifically targeting backups, and in most cases successfully encrypts them.

Ryuk is often the last piece of malware dropped in an infection cycle that starts with either Emotet or TrickBot. Multiple malware infections may greatly complicate remediation. The MS-ISAC observed an increase in cases where Emotet or TrickBot is the initial infection, multiple malware variants are dropped onto the system, and the end result is a Ryuk infection. For example, the MS-ISAC recently assisted in an incident where TrickBot successfully disabled the organization's endpoint antivirus application, spread throughout the network, and ended up infecting hundreds of endpoints and multiple servers. Since TrickBot is a banking trojan, it likely harvested and exfiltrated financial account information from the infected systems before dropping the Ryuk ransomware. Ryuk was then dropped throughout the network, encrypting the organization’s data and backups and leaving ransom notes on the machines.

How it Works

Ryuk is primarily spread by other malware dropping it onto an already infected system. Finding the dropper on a system for analysis is difficult because the main payload deletes it after the initial execution. The dropper creates a file for the payload to be saved to; if that file creation fails, the dropper instead tries to write the payload into its own directory. The dropper contains both 32-bit and 64-bit modules of the ransomware. Once the file is created, the dropper checks whether the current process is 32-bit or 64-bit and writes the matching module.

Following the execution of the main payload and the deletion of the dropper, the malware attempts to stop antivirus- and antimalware-related processes and services. It uses a preconfigured list that can kill more than 40 processes and 180 services through taskkill and net stop commands. This preconfigured list is made up of antivirus processes, backup software, databases, and document editing software.

Additionally, the main payload is responsible for increasing persistence in the registry and injecting malicious payloads into several processes, such as the remote process. The process injection allows the malware to gain access to the volume shadow service and delete all shadow copies, including those used by third-party applications. Most ransomware uses the same, or similar, techniques to delete shadow copies but does not delete those created by third-party applications. Ryuk achieves this by resizing the volume shadow service storage; once the storage is resized, the malware can force the deletion of third-party application shadow copies. These techniques greatly complicate mitigation, as they hinder an organization's ability to restore systems to a pre-infection state. Furthermore, Ryuk seeks out and deletes files with backup-related extensions and any backups currently connected to the infected machine or network. These anti-recovery techniques are quite extensive and more sophisticated than those of most ransomware, making recovery nearly impossible unless external backups are saved and stored offline.

For encryption, Ryuk uses the RSA and AES encryption algorithms with three keys. The cyber threat actors (CTAs) use a private global RSA key as the base of their model. The second RSA key is delivered to the system via the main payload; this RSA key is already encrypted with the CTA’s private global RSA key. Once the malware is ready for encryption, an AES key is created for the victim’s files, and this key is encrypted with the second RSA key. Ryuk then begins scanning and encrypting every drive and network share on the system. Finally, it creates the ransom note, "RyukReadMe.txt", and places it in every folder on the system.
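The behaviours described above (PsExec-based lateral movement, bursts of taskkill and net stop commands, shadow copy resizing and deletion, deletion of backup files, and the RyukReadMe.txt ransom note) are all observable on the endpoint before or during encryption. The following is an added example of detection logic run over a few constructed log lines; it is not MS-ISAC or CIS code. The pipe-delimited log format, the host names, the backup file extensions, and the burst threshold are all assumptions chosen for the example; vssadmin, net stop and taskkill are the real Windows commands the text refers to.

```python
"""Flag Ryuk-style pre-encryption behaviour in endpoint logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in a simplified "timestamp|host|event|detail" form.
# event 1 = process creation (command line in detail), 7045 = new service installed.
SAMPLE_LOG = """\
2019-09-12T02:14:01|FS01|7045|ServiceName=PSEXESVC ImagePath=%SystemRoot%\\PSEXESVC.exe
2019-09-12T02:14:05|FS01|1|taskkill /IM sqlservr.exe /F
2019-09-12T02:14:05|FS01|1|taskkill /IM MSExchangeIS.exe /F
2019-09-12T02:14:06|FS01|1|net stop "Acronis VSS Provider" /y
2019-09-12T02:14:06|FS01|1|net stop MSSQLSERVER /y
2019-09-12T02:14:07|FS01|1|net stop VeeamBackupSvc /y
2019-09-12T02:14:07|FS01|1|taskkill /IM outlook.exe /F
2019-09-12T02:14:09|FS01|1|vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB
2019-09-12T02:14:10|FS01|1|vssadmin delete shadows /all /quiet
2019-09-12T02:14:11|FS01|1|del /s /f /q C:\\*.VHD C:\\*.bac C:\\*.bak
2019-09-12T08:30:00|WS17|1|net stop Spooler
"""

# Constructed file listing from a share sweep; only the ransom note name is from the advisory.
SAMPLE_PATHS = [
    r"\\FS01\finance\Q3\budget.xlsx",
    r"\\FS01\finance\Q3\RyukReadMe.txt",
    r"\\FS01\hr\policies\RyukReadMe.txt",
    r"\\FS01\hr\policies\handbook.docx",
]

PSEXEC_RE = re.compile(r"PSEXESVC", re.I)
VSS_RE = re.compile(r"vssadmin(\.exe)?\s+(resize\s+shadowstorage|delete\s+shadows)", re.I)
KILL_RE = re.compile(r"^(taskkill(\.exe)?\s|net(\.exe)?\s+stop\s)", re.I)
BACKUP_DEL_RE = re.compile(r"^del\s.*\.(bak|bac|vhd)\b", re.I)  # assumed extension list

KILL_BURST_THRESHOLD = 5            # assumed: single "net stop" is routine admin work
KILL_BURST_WINDOW = timedelta(seconds=60)
RANSOM_NOTE = "RyukReadMe.txt"


def parse(log_text):
    """Turn the constructed log text into event dicts with parsed timestamps."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, event_id, detail = line.split("|", 3)
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "event": event_id, "detail": detail})
    return events


def finding(e, rule, severity, **extra):
    return {"ts": e["ts"].isoformat(), "host": e["host"], "rule": rule,
            "severity": severity, "detail": e["detail"], **extra}


def detect(events):
    """Return findings sorted by time: single-event rules plus a per-host kill burst."""
    findings, kills = [], defaultdict(list)
    for e in events:
        d = e["detail"]
        if e["event"] == "7045" and PSEXEC_RE.search(d):
            findings.append(finding(e, "psexec_service_install", "high"))
        elif e["event"] == "1":
            if VSS_RE.search(d):
                findings.append(finding(e, "shadow_copy_tampering", "critical"))
            elif BACKUP_DEL_RE.search(d):
                findings.append(finding(e, "backup_file_deletion", "high"))
            elif KILL_RE.search(d):
                kills[e["host"]].append(e)
    # Sliding window: report a host once, with the densest burst of kill commands.
    for host, evs in kills.items():
        evs.sort(key=lambda x: x["ts"])
        best, best_start, start = 0, evs[0], 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > KILL_BURST_WINDOW:
                start += 1
            if end - start + 1 > best:
                best, best_start = end - start + 1, evs[start]
        if best >= KILL_BURST_THRESHOLD:
            findings.append(finding(best_start, "process_service_kill_burst", "medium", count=best))
    findings.sort(key=lambda f: f["ts"])
    return findings


def find_ransom_notes(paths):
    """Return every path whose file name is the Ryuk ransom note (case-insensitive)."""
    return [p for p in paths if re.split(r"[\\/]", p)[-1].lower() == RANSOM_NOTE.lower()]


if __name__ == "__main__":
    for f in detect(parse(SAMPLE_LOG)):
        print(f"{f['ts']} {f['host']} [{f['severity']}] {f['rule']}: {f['detail']}")
    for p in find_ransom_notes(SAMPLE_PATHS):
        print("ransom note:", p)
```

Run against the constructed log, FS01 produces five findings (the PsExec service install, a burst of six kill commands, two shadow-copy tampering events and the backup deletion) while the single `net stop Spooler` on WS17 stays below the burst threshold; the share sweep returns the two ransom-note paths. In a real deployment the same rules would read Sysmon or Windows System log events, and the shadow-copy rule in particular should page immediately, since by the time the note appears the backups the text describes are already gone.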

Recommendations

SLTT governments should adhere to best practices, such as those described in the CIS Controls, which are part of CIS SecureSuite Membership. The MS-ISAC recommends that organizations follow the full list of recommendations in the MS-ISAC Ransomware Security Primer to limit the effect and risk of Ryuk ransomware to their organization.