{"id":17180,"date":"2019-12-12T15:10:02","date_gmt":"2019-12-12T23:10:02","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2019\/12\/12\/news-10916\/"},"modified":"2019-12-12T15:10:02","modified_gmt":"2019-12-12T23:10:02","slug":"news-10916","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2019\/12\/12\/news-10916\/","title":{"rendered":"Threat spotlight: The curious case of Ryuk ransomware"},"content":{"rendered":"

Credit to Author: Jovi Umawing| Date: Thu, 12 Dec 2019 22:33:53 +0000<\/strong><\/p>\n

Ryuk<\/em>. A name once unique to a fictional character in a popular Japanese comic book and cartoon series is now a name that appears in several rosters of the nastiest ransomware to ever grace the wild web. <\/p>\n

For an incredibly young strain\u2014only 15 months old\u2014Ryuk ransomware gaining such notoriety is quite a feat to achieve. Unless the threat actors behind its campaigns call it quits, too\u2014Remember GandCrab?<\/a>\u2014or law enforcement collars them for good, we can only expect the threat of Ryuk to loom large over organizations.<\/p>\n

First discovered in mid-August 2018, Ryuk immediately turned heads after disrupting operations of all Tribune Publishing newspapers<\/a> over the Christmas holiday that year. What was initially thought of as a server outage soon became clear to those affected that it was actually a malware attack. It was quarantined eventually; however, Ryuk re-infected and spread onto connected systems<\/a> in the network because the security patches failed to hold when tech teams brought the servers back.<\/p>\n

Big game hunting with Ryuk ransomware<\/h3>\n

Before the holiday attack on Tribune Publishing, Ryuk had been seen targeting various enterprise organizations worldwide, asking ransom payments ranging from 15 to 50 Bitcoins (BTC). That translates to between US$97,000 and $320,000 at time of valuation.<\/p>\n

This method of exclusively targeting large organizations with critical assets that almost always guarantees a high ROI for criminals is called “big game hunting.” It\u2019s not easy to pull off, as such targeted attacks also involve the customization of campaigns to best suit targets and, in turn, increase the likelihood of their effectiveness. This requires much more work than a simple “spray-and-pray” approach that can capture numerous targets but may not net such lucrative results.<\/p>\n

For threat actors engaged in big game hunting, malicious campaigns are launched in phases. For example, they may start with a phishing attack to gather key credentials or drop malware within an organization’s network to do extensive mapping, identifying crucial assets to target. Then they might deploy second and third phases of attacks for extended espionage, extortion, and eventual ransom.<\/p>\n

To date, Ryuk ransomware is hailed as the costliest among its peers. According to a report by Coveware, a first-of-its-kind incident response company specializing in ransomware, Ryuk\u2019s asking price is 10 times the average<\/a>, yet they also claim that ransoms are highly negotiable. The varying ways adversaries work out ransom payments suggests that there may be more than one criminal group who have access to and are operating Ryuk ransomware. <\/p>\n

The who behind Ryuk<\/h3>\n

Accurately pinpointing the origin of an attack or malware strain is crucial, as it reveals as much about the threat actors behind attack campaigns as it does the payload itself. The name \u201cRyuk,\u201d which has obvious Japanese ties, is not a factor to consider when trying to discover who developed this ransomware. After all, it’s common practice for cybercriminals to use handles based on favorite anime and manga characters. These days, a malware strain is more than its name.<\/p>\n

Instead, similarities in code base, structure, attack vectors, and languages can point to relations between criminal groups and their malware families. Security researchers from Check Point found a connection between the Ryuk and Hermes ransomware strains<\/a> early on due to similarities in their code and structure, an association that persists up to this day. Because of this, many have assumed that Ryuk may also have ties with the Lazarus Group<\/a>, the same North Korean APT<\/a> group that operated the Hermes ransomware in the past.<\/p>\n

\n

Recommended read: <\/em>Hermes ransomware distributed to South Koreans via recent Flash zero-day<\/em><\/a><\/p>\n

\n

However, code likeness alone is insufficient basis to support the Ryuk\/North Korean ties narrative. Hermes is a ransomware kit that is frequently peddled on the underground market, making it available for other cybercriminals to use in their attack campaigns. Furthermore, separate research from cybersecurity experts at CrowdStrike<\/a>, FireEye<\/a>, Kryptos Logic<\/a>, and McAfee<\/a> has indicated that the gang behind Ryuk may actually be of Russian origin\u2014and not necessarily nation-state sponsored.<\/p>\n

As of this writing, the origins of Ryuk ransomware can be attributed (with high confidence, per some of our cybersecurity peers) to two criminal entities: Wizard Spider<\/a> and CryptoTech<\/a>. <\/p>\n

The former is the well-known Russian cybercriminal group and operator of TrickBot<\/a>; the latter is a Russian-speaking organization found selling Hermes 2.1<\/a> two months before the $58.5 million cyber heist<\/a> that victimized the Far Eastern International Bank (FEIB) in Taiwan. According to reports, this version of Hermes was used as a decoy or “pseudo-ransomware,”<\/a> a mere distraction from the real goal of the attack.<\/p>\n

Wizard Spider <\/h4>\n

Recent findings have revealed that Wizard Spider upgraded Ryuk to include a Wake-on-LAN (WoL) utility and an ARP ping scanner in its arsenal. WoL is a network standard that allows computing devices connected to a network\u2014regardless of which operating system they run\u2014to be turned on remotely whenever they’re turned off, in sleep mode, or hibernating. <\/p>\n

ARP pinging, on the other hand, is a way of discovering endpoints in a LAN<\/a> network that are online. According to CrowdStrike, these new additions reveal Wizard Spider’s attempts to reach and infect as many of their target’s endpoints as they can, demonstrating a persistent focus and motivation to increasingly monetize their victims\u2019 encrypted data.<\/p>\n

CryptoTech<\/h4>\n

Two months ago, Gabriela Nicolao (@rove4ever<\/a>) and Luciano Martins (@clucianomartins<\/a>), both researchers at Deloitte Argentina, attributed Ryuk ransomware to CryptoTech, a little-known cybercriminal group that was observed touting Hermes 2.1 in an underground forum back in August 2017. Hermes 2.1, the researchers say, is Ryuk ransomware.<\/p>\n

\n
\"\"
The CryptoTech post about Hermes version 2.1 on the dark web in August 2017 (Courtesy of McAfee)<\/figcaption><\/figure>\n<\/div>\n

In a Virus Bulletin conference paper<\/a> and presentation<\/a> entitled Shinigami\u2019s revenge: the long tail of the Ryuk ransomware<\/em>, Nicolao and Martins presented evidence to this claim: In June 2018, a couple of months before Ryuk made its first public appearance, an underground forum poster expressed doubt on CryptoTech being the author of Hermes 2.1, the ransomware toolkit they were peddling almost a year ago that time. CryptoTech\u2019s response was interesting, which Nicolao and Martins captured and annotated in the screenshot below.<\/p>\n

\n
\"\"
CryptoTech: Yes, we developed Hermes from scratch.<\/figcaption><\/figure>\n<\/div>\n

The Deloitte researchers also noted that after Ryuk emerged, CryptoTech went quiet.<\/p>\n

CrowdStrike has estimated that from the time Ryuk was deployed until January of this year, their operators have netted a total of 705.80 BTC, which is equivalent to US$5 million as of press time.<\/p>\n

Ryuk ransomware infection vectors<\/h3>\n

There was a time when Ryuk ransomware arrived on clean systems to wreak havoc. But new strains observed in the wild now belong to a multi-attack campaign that involves Emotet<\/a> and TrickBot<\/a>. As such, Ryuk variants arrive on systems pre-infected with other malware\u2014a “triple threat” attack methodology. <\/p>\n

\n
\"\"
How the Emotet, TrickBot, and Ryuk triple threat attack works (Courtesy of Cybereason)<\/figcaption><\/figure>\n<\/div>\n

The first stage of the attack starts with a weaponized Microsoft Office document file\u2014meaning, it contains malicious macro code\u2014attached to a phishing email<\/a>. Once the user opens it, the malicious macro will run cmd<\/code> and execute a PowerShell command. This command attempts to download Emotet<\/a>.<\/p>\n

Once Emotet executes, it retrieves and executes another malicious payload\u2014usually TrickBot<\/a>\u2014and collects information on affected systems. It initiates the download and execution of TrickBot by reaching out to and downloading from a pre-configured remote malicious host.<\/p>\n

Once infected with TrickBot, the threat actors then check if the system is part of a sector they are targeting. If so, they download an additional payload and use the admin credentials stolen using TrickBot to perform lateral movement to reach the assets they wish to infect.<\/p>\n

The threat actors then check for and establish a connection with the target\u2019s live servers via a remote desktop protocol (RDP)<\/a>. From there, they drop Ryuk.<\/p>\n

\n
\"\"<\/figure>\n<\/div>\n

Systems infected with the Ryuk ransomware displays the following symptoms:<\/p>\n

Presence of ransomware notes.<\/strong> Ryuk drops the ransom note, RyukReadMe.html <\/em>or RyukReadMe.txt<\/em>, in every folder where it has encrypted files.<\/p>\n

The HTML file, as you can see from the screenshot above, contains two private email addresses that affected parties can use to contact the threat actors, either to find out how much they need to pay to get access back to their encrypted files or to start the negotiation process.<\/p>\n

On the other hand, the TXT ransom note contains (1) explicit instructions laid out for affected parties to read and comply, (2) two private email addresses affected parties can contact, and (3) a Bitcoin wallet address. Although email addresses may vary, it was noted that they are all accounts served at Protonmail or Tutanota. It was also noted<\/a> that a day after the unsealing of the indictment of two ransomware operators<\/a>, Ryuk operators removed the Bitcoin address from their ransom notes, stating that it will be given to those affected once they are contacted via email.<\/p>\n

There are usually two versions of the text ransom note: a polite version, which past research claims is comparable to BitPaymer\u2019s due to certain similar phrasings; and a not-so-polite version.<\/p>\n

\n
\"\"
Ryuk ransom notes. Left: polite version; Right: not-so-polite version<\/figcaption><\/figure>\n<\/div>\n
\n
\"\"
BitPaymer ransom note: polite version (Courtesy of Coveware)
<\/figcaption><\/figure>\n<\/div>\n
\n
\"\"
BitPaymer ransom note: not-so-polite version (Courtesy of Symantec)<\/figcaption><\/figure>\n<\/div>\n

Encrypted files with the RYK string attached to extension names.<\/strong> Ryuk uses a combination of symmetric (via the use of AES<\/a>) and asymmetric (via the use of RSA<\/a>) encryption to encode files. A private key, which only the threat actor can supply, is needed to properly decrypt files.<\/p>\n

Encrypted files will have the .ryk file extension appended to the file names. For example, an encrypted sample.pdf<\/em> and sample.mp4<\/em> files will have the sample.pdf.ryk<\/em> and sample.mp4.ryk<\/em> file names, respectively.<\/p>\n

This scheme is effective, assuming that each Ryuk strain was tailor-made for their target organization.<\/p>\n

While Ryuk encrypts files on affected systems, it avoids files with the extension .exe, .dll, and .hrmlog (a file type associated with Hermes). Ryuk also avoids encrypting files in the following folders:<\/p>\n