{"id":17918,"date":"2020-03-17T20:34:00","date_gmt":"2020-03-18T04:34:00","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2020\/03\/17\/news-11651\/"},"modified":"2020-03-17T20:34:00","modified_gmt":"2020-03-18T04:34:00","slug":"news-11651","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2020\/03\/17\/news-11651\/","title":{"rendered":"Ryuk Revisited &#8211; Analysis of Recent Ryuk Attack"},"content":{"rendered":"<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12\">\n<div class=\"raw-import aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"text-container\"><\/div>\n<\/p><\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p><b><a href=\"https:\/\/fortiguard.com\/\">FortiGuard Labs<\/a>\u00a0Threat Analysis Report<\/b><\/p>\n<h2>Introduction<\/h2>\n<p>Affected Platforms:\u00a0\u00a0\u00a0\u00a0Windows<br \/> Impacted Users:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Any organization<br \/> Threat Severity:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0High<\/p>\n<p>FortiGuard Labs, leveraging the <a href=\"https:\/\/www.fortinet.com\/products\/endpoint-security\/fortiedr.html?utm_source=blog&amp;utm_campaign=2020-q1-fortiedr\">FortiEDR<\/a> endpoint protection platform\u00a0and the FortiResponder managed detection and response service, recently detected and blocked a new variant of Ryuk ransomware. Ryuk ransomware has been targeting large organizations, and is thought to be tailored by each operator to the unique configurations and network designs of the victim organization.\u00a0<\/p>\n<p>Ryuk is a well-known ransomware variant, and different versions have been reviewed in the past. 
However, due to its targeted and ever-evolving nature, it is interesting to see what the latest variants hold in store.\u00a0<\/p>\n<p>In this blog post, we will\u00a0analyze the tactics, techniques, and procedures (TTPs) used by this recently discovered Ryuk variant, review similarities to past variants, and highlight the methods it uses to maximize the damage it can cause to the networks of targeted organizations. Reviewing these TTPs will allow you to test the current security controls within your network to ensure you are able to detect, and ultimately protect against them.<\/p>\n<p>We have also provided a mapping of the TTPs to the Mitre ATT&amp;CK knowledgebase.\u00a0\u00a0<\/p>\n<h2>Technical Analysis<\/h2>\n<h3>Ryuk Ransomware Execution Steps<\/h3>\n<p>The sample starts by unpacking its actual payload in-memory. Once the unpacking process is done, the sample creates a copy of itself that it names with a 7-letter random name, and then places it in the same directory from which it was executed. It then invokes the new executable using \u201c8 LAN\u201d as the command line argument.\u00a0<\/p>\n<p>The initial execution of the sample focuses on encrypting files on the local machine and mapped drives, while the second invocation focuses on the encryption of network drives. This second invocation also attempts to wake machines on the network. Both invocations carry out the same steps as part of the attack, except that the original invocation also injects itself into multiple legitimate processes to run the encryption process in order to increase the chances of a successful attack.\u00a0<\/p>\n<p>Note that all executions, including injected payloads, attempt to encrypt network drives. 
More on this later.\u00a0<\/p>\n<p> Here is a high-level breakdown of the steps taken by this Ryuk sample:<\/p>\n<ul>\n<li>Injection into legitimate processes (local encryption only)<\/li>\n<li>Process and service termination &#8211; Attempts to terminate processes and services that may interfere with its operation<\/li>\n<li>Deleting shadow copies and changing system configuration<\/li>\n<li>Establish persistence on the machine<\/li>\n<li>Wake-up network devices (Network encryption only)<\/li>\n<li>File encryption (Mapped drives are not encrypted by the network encryption instance)<\/li>\n<\/ul>\n<p>The last step is executed forever, as Ryuk will continuously attempt to discover new victims on the network and encrypt them.\u00a0<\/p>\n<p> We will now do a deep dive into each of these steps.<\/p>\n<h3>Injection into Legitimate Processes<\/h3>\n<p>In order to hide its malicious activity, the sample tries to inject code into any 32-bit process it can access other than itself, the previously copied file, or any of the following: \u201ccsrss.exe\u201d, \u201cexplorer.exe\u201d, \u201clsaas.exe\u201d. Note that \u201clsaas.exe\u201d contains a typo; it should be \u201clsass.exe\u201d, which may cause the ransomware to malfunction on 32-bit systems. Interestingly, some previous Ryuk samples using similar methods had a typo in the \u201ccsrss.exe\u201d string, so this may be intentional, though we do not know why.\u00a0<\/p>\n<p>The injection method used by this Ryuk sample is both simple and similar to methods used by previous variants of Ryuk:<\/p>\n<ol>\n<li>Enumerate processes.<\/li>\n<li>Get access to the target process using the OpenProcess API.<\/li>\n<li>Get the current address of the payload in memory using the GetModuleHandleA API.<\/li>\n<li>Allocate a chunk of memory that fits the size of the payload using VirtualAllocEx at the same address the code is running at in the injecting process. 
This way there is no need to fix relocations when copying the payload.<\/li>\n<li>Write the payload to the target process using the WriteProcessMemory API.<\/li>\n<li>Execute the payload using the CreateRemoteThread API. (Note that this API will fail for 64-bit processes, which is OK since the payload is 32-bit.)<\/li>\n<\/ol>\n<p>The next steps taken by the injected payload are the same steps taken by the initial Ryuk ransomware invocation.<\/p>\n<h3>Process and Service Termination<\/h3>\n<p>Prior to starting the actual encryption process, the ransomware uses a pre-defined list of strings to identify and terminate running processes and services matching any of the strings. It does this by initiating a thread that iterates over the running processes and services looking for matches. The list of strings contains 41 processes (Appendix C &#8211; Terminated Processes) and 64 services (Appendix D &#8211; Terminated Services). Some of these belong to AV products, while others might be using files which the ransomware targets \u2013 for example a Word document, which it might not be able to encrypt while it is being used by the Word process.<\/p>\n<p>Since a partial process name match is enough to terminate a target process, this action might cause unintentional behavior. 
For example, we can see in Figure 1 that it inadvertently stops the \u201caudioendpointbuilder\u201d service, which is clearly not an intended target of the Ryuk authors; it is stopped only because its name contains the \u201cendpoint\u201d string.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/ryuk-revisited-analysis-of-recent-ryuk-attack\/_jcr_content\/root\/responsivegrid\/image.img.png\/1583363649293\/picture1.png\" alt=\"Figure 1: while searching predefined string \u201cendpoint\u201d in the services it killed audioendpointbuilder\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 1: while searching predefined string \u201cendpoint\u201d in the services it killed audioendpointbuilder<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h3>Deleting Shadow Copies and Changing System Configuration<\/h3>\n<p>In the next step of its execution, the ransomware attempts to delete any shadow copies to prevent files from being restored from them. A shadow copy is a Microsoft service which creates backups and\/or snapshots of computer files or volumes. 
Shadow copy deletion is done by executing the following commands:<\/p>\n<ol>\n<li>cmd \/c &quot;WMIC.exe shadowcopy delet&quot;<\/li>\n<li>vssadmin.exe Delete Shadows \/all \/quiet<\/li>\n<\/ol><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/ryuk-revisited-analysis-of-recent-ryuk-attack\/_jcr_content\/root\/responsivegrid\/image_1744156616.img.png\/1583363664024\/picture2.png\" alt=\"Figure 2: Shadow copy commands\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 2: Shadow copy commands<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>It is interesting to see that there is yet another typo, this one in the first command, which prevents that command from running successfully (the letter \u2018e\u2019 is missing in the word \u201cdelete\u201d).<\/p>\n<p>Other commands it executes during this step include:<\/p>\n<ol>\n<li>Disable the Windows automatic repair option using:<br \/> bcdedit \/set {default} recoveryenabled No &amp; bcdedit \/set {default}\u00a0<\/li>\n<li>Disable the Windows error recovery screen that appears during boot in case Windows was shut down improperly using:<br \/> bootstatuspolicy ignoreallfailures<\/li>\n<\/ol>\n<h3>Persistence<\/h3>\n<p>The sample uses a known and simple persistence method. 
It sets the following registry key using cmd.exe, which in turn invokes reg.exe:<\/p>\n<p>cmd.exe \/C REG ADD \u201cHKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\u201d \/v &quot;svchos&quot; \/t REG_SZ \/d &quot;&lt;Current Folder&gt;\\&lt;executable name&gt;&quot; \/f<\/p>\n<p>If executed on a 64-bit system, it appends \u201c\/reg:64\u201d to the command. This exact persistence method was used by previous samples as well.<\/p>\n<h3>Wake-up Network Devices<\/h3>\n<p>In order to increase the opportunity to inflict maximum damage on the target organization, Ryuk also tries to wake machines on the network before it starts to encrypt network drives. This step is executed by the process which is invoked with the \u201c8 LAN\u201d command line argument. Note that this step is executed in a different thread, while the calling thread sleeps for the remainder of (\u201ctime since system startup\u201d\/10000) + 25000 milliseconds, as can be seen in Figure 3:<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/ryuk-revisited-analysis-of-recent-ryuk-attack\/_jcr_content\/root\/responsivegrid\/image_136903086.img.png\/1583363690582\/picture3.png\" alt=\"Figure 3: Wake on lan thread creation\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 3: Wake on lan thread creation<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p> In order to remotely wake machines inside the LAN, Ryuk leverages a feature called\u00a0<a href=\"https:\/\/en.wikipedia.org\/wiki\/Wake-on-LAN\">Wake-on-LAN<\/a>. 
This is done by sending a \u201cmagic packet\u201d to the target host, which then wakes up. To get a list of target hosts, the sample reads the hosts\u2019 addresses from the ARP table entries on the local machine and then sends the magic packet to these addresses over UDP on port 7. The magic packet starts with FF FF FF FF FF FF and contains the host\u2019s MAC address. The function responsible for sending the Wake-on-LAN packets can be seen in Figure 4:<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/ryuk-revisited-analysis-of-recent-ryuk-attack\/_jcr_content\/root\/responsivegrid\/image_1027185702.img.png\/1583363717916\/picture4.png\" alt=\"Figure 4: Sending a packet of length 102 bytes with the FF FF FF FF FF FF string included\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 4: Sending a packet of length 102 bytes with the FF FF FF FF FF FF string included<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h3>File Encryption<\/h3>\n<p>As mentioned earlier, the malware tries to encrypt both local and network drives. The ransomware iterates over each file on the drive and checks its full path, the name of the file, and the extension of the file in order to determine if it should be encrypted.<\/p>\n<p>It first checks to see if the current path includes one of the following strings:<\/p>\n<ul>\n<li>Ahnlab<\/li>\n<li>Chrome<\/li>\n<li>Mozilla<\/li>\n<li>Windows<\/li>\n<li>$Recycle.bin<\/li>\n<\/ul>\n<p>If the file path includes one of the above strings, it will skip to the next file. 
After validating the directory, it checks the name of the current file against a hardcoded list of strings (see Appendix B &#8211; Skipped file names). If one of those strings is contained in the file name, it will skip to the next file. The code can be seen in Figure 5. Note that some of these names are common Linux\/Unix operating system directories. That\u2019s because it also tries to encrypt any network devices that potentially run Linux\/Unix operating systems:<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/ryuk-revisited-analysis-of-recent-ryuk-attack\/_jcr_content\/root\/responsivegrid\/image_1450019068.img.png\/1583363738645\/picture5.png\" alt=\"Figure 5: Partial list of skipped folders\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 5: Partial list of skipped folders<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>After the filename is validated, it checks the extension of the current file against a hardcoded list, and again, it will skip to the next file if there is a match. This is the list of skipped extensions:<\/p>\n<ul>\n<li>dll<\/li>\n<li>hrmlog<\/li>\n<li>exe<\/li>\n<li>.ini<\/li>\n<li>.lnk<\/li>\n<li>bootmgr<\/li>\n<li>boot<\/li>\n<\/ul>\n<h3>Local and Mapped Drives Encryption<\/h3>\n<p>The encryption of local and mapped drives is done in 6 rounds. On each of these rounds, Ryuk will enumerate all the drives from A: to Z: and will then encrypt drives based on their type, which it gets using the\u00a0<a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/api\/fileapi\/nf-fileapi-getdrivetypea\">GetDriveTypeA<\/a>\u00a0API. 
These are the drive types which will be encrypted on each round:<\/p>\n<ol>\n<li>Regular drives (type is DRIVE_FIXED).<\/li>\n<li>Removable drives such as thumb drives (type is DRIVE_REMOVABLE).<\/li>\n<li>Mapped network drives (type is DRIVE_REMOTE).<\/li>\n<li>Drives with unknown types (type is DRIVE_UNKNOWN).<\/li>\n<li>Drives with an invalid root path (type is DRIVE_NO_ROOT_DIR).<\/li>\n<li>Ramdisk drives (type is DRIVE_RAMDISK).<\/li>\n<\/ol>\n<p>It is interesting to note that the injected payloads iterate over the drives in reverse order, from Z: to A:. We estimate that the goal is to reduce the chance that the main process and the injected payloads encrypt the same drive at the same time.<\/p>\n<h3>Network Drives Encryption and Host Discovery<\/h3>\n<p>As mentioned earlier, the Ryuk authors put a lot of effort into encrypting network drives. The sample does so by constantly scanning the network using a ping scan in order to discover new hosts. For each discovered host, Ryuk attempts to run the encryption routine. The goal of this step is to encrypt both Windows and non-Windows machines with network drives that were not mapped to the local machine. This step is executed continuously as the samples wait for new potential victims to show up on the network.<\/p>\n<p><i><b>Host Discovery<\/b><\/i><\/p>\n<p>The host discovery algorithm works in two stages. 
First, the sample attempts to discover which subnets the machine is connected to, and during the second stage it scans the subnet.<\/p>\n<p>In order to find the local subnets, the sample leverages the GetAdaptersAddresses API, as can be seen in Figure 6:<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/ryuk-revisited-analysis-of-recent-ryuk-attack\/_jcr_content\/root\/responsivegrid\/image_755473319.img.png\/1583363759481\/picture6.png\" alt=\"Figure 6: GetAdaptersAddresses usage\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 6: GetAdaptersAddresses usage<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Next, it will iterate over the IPs of each of the adapters while also looking for private IPs that belong to one of the following subnets: 10. \/ 172.16. \/ 192.168. . This check is done using the strstr function, which is equivalent to the \u201ccontains\u201d operation, and as such can inadvertently match other subnets, such as if the IP is 191.192.168.1. 
This can be seen in Figure 7:<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/ryuk-revisited-analysis-of-recent-ryuk-attack\/_jcr_content\/root\/responsivegrid\/image_2122652536.img.png\/1583363774160\/picture7.png\" alt=\"Figure 7: Internal addresses which the sample is scanning\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 7: Internal addresses which the sample is scanning<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>If the subnet is one of the above, it will send ICMP ping packets to the hosts under the subnet. Any host that responds is considered a potential victim \u2013 which it will later try to encrypt.<\/p>\n<p><i><b>Discovered Hosts Encryption<\/b><\/i><\/p>\n<p>Once new hosts are discovered, Ryuk attempts to encrypt them using a similar method to the one used for local and mapped drives, by building a UNC path in the following format for each drive letter, from A to Z:<\/p>\n<p>\\\\&lt;host&gt;\\&lt;drive letter&gt;$<\/p>\n<p>Then it tries to access the following UNC path as well and encrypt it: <\/p>\n<p>\\\\&lt;host&gt;<\/p>\n<p>This can be seen in Figure 8:<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/ryuk-revisited-analysis-of-recent-ryuk-attack\/_jcr_content\/root\/responsivegrid\/image_1180912492.img.png\/1583364412465\/picture8.png\" alt=\"Figure 8: UNC path\"\/>         
<\/noscript>          <span class=\"cmp-image--title\">Figure 8: UNC path<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p><i><b>Unused Functionality<\/b><\/i><\/p>\n<p>During our analysis of this Ryuk sample, we noticed two other host discovery methods that are never executed. The first one leverages the GetIpNetTable API to extract hosts from the ARP table. The second method enumerates network resources by leveraging the \u201cWNetOpenEnumW\u201d and \u201cWNetEnumResourceW\u201d API functions.\u00a0<\/p>\n<p>This code is never reached because this Ryuk sample loops forever pinging hosts on the LAN.<\/p>\n<h3>Ransom Note<\/h3>\n<p>The ransomware drops a simple HTML file containing the ransom note (Figure 9), leaving no instruction but an email address. This note is very similar to the note used in other Ryuk variants.\u00a0<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/ryuk-revisited-analysis-of-recent-ryuk-attack\/_jcr_content\/root\/responsivegrid\/image_1630114269.img.png\/1583363806771\/picture9.png\" alt=\"Figure 9: Ransom Note\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 9: Ransom Note<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h2>Conclusion<\/h2>\n<p>In this blog, we presented a deep-dive analysis of one of the most menacing and widespread ransomware variants in the wild. 
We also showed the techniques it uses to increase the damage it imposes on the organizations it targets by trying to reach and encrypt as many machines in the network as possible.\u00a0<\/p>\n<p>Given the success Ryuk ransomware has had over the past few years, we estimate it will keep evolving and inventing new methods to attack organizations. As a result, it is important to know the Ryuk ransomware modus operandi and tactics in order to develop better methods to protect against it.<\/p>\n<h2>Solutions<\/h2>\n<p><a href=\"https:\/\/www.fortinet.com\/products\/endpoint-security\/fortiedr.html?utm_source=blog&amp;utm_campaign=2020-q1-fortiedr\">FortiEDR<\/a> detects and blocks Ryuk ransomware out-of-the-box without any prior knowledge or special configuration. It uses both its AI-based AV and post-execution prevention engines, as can be seen in Figure 10:<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/ryuk-revisited-analysis-of-recent-ryuk-attack\/_jcr_content\/root\/responsivegrid\/image_922672579.img.png\/1583363823565\/picture10.png\" alt=\"Figure 10: FortiEDR in action\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 10: FortiEDR in action<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p><a href=\"https:\/\/www.fortinet.com\/products\/endpoint-security\/forticlient.html?utm_source=blog&amp;utm_campaign=2018-q2-endpoint-web-page\">FortiClient<\/a> AV detects this sample as W32\/Kryptik.HAJB!tr.<\/p>\n<p>In addition, as part of our membership in the Cyber Threat Alliance, details of this threat were shared in real time with other Alliance members to help create better protections for 
customers.<\/p>\n<h2>IOCs<\/h2>\n<p><b>SHA256 &#8211;<\/b><\/p>\n<p>BDDAF6020F8DF169E1901C709701240F1A810D0E0FCEC7D4479D5354360E1795<\/p>\n<p><b>Registry:<\/b><\/p>\n<p>HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run<\/p>\n<h2>Appendix A &#8211;\u00a0MITRE Techniques<\/h2>\n<p><a href=\"https:\/\/attack.mitre.org\/techniques\/T1059\/\">T1059 &#8211; Command-Line Interface<\/a><\/p>\n<p><a href=\"https:\/\/attack.mitre.org\/techniques\/T1106\/\">T1106 &#8211; Execution Through API<\/a><\/p>\n<p><a href=\"https:\/\/attack.mitre.org\/techniques\/T1060\/\">T1060 &#8211; Registry Run Keys \/ Startup Folder<\/a><\/p>\n<p><a href=\"https:\/\/attack.mitre.org\/techniques\/T1140\/\">T1140 &#8211; Deobfuscate \/ Decode Files or Information<\/a><\/p>\n<p><a href=\"https:\/\/attack.mitre.org\/techniques\/T1045\/\">T1045 &#8211; Software Packing<\/a><\/p>\n<p><a href=\"https:\/\/attack.mitre.org\/techniques\/T1055\/\">T1055 &#8211; Process Injection<\/a><\/p>\n<p><a href=\"https:\/\/attack.mitre.org\/techniques\/T1135\/\">T1135 &#8211; Network Share Discovery<\/a><\/p>\n<p><a href=\"https:\/\/attack.mitre.org\/techniques\/T1018\/\">T1018 &#8211; Remote System Discovery<\/a><\/p>\n<p><a href=\"https:\/\/attack.mitre.org\/techniques\/T1486\/\">T1486 &#8211; Data Encrypted for Impact<\/a><\/p>\n<p><a href=\"https:\/\/attack.mitre.org\/techniques\/T1490\/\">T1490 &#8211; Inhibit System Recovery<\/a><\/p>\n<p><a href=\"https:\/\/attack.mitre.org\/techniques\/T1083\/\">T1083 &#8211; File and Directory Discovery<\/a><\/p>\n<p><a href=\"https:\/\/attack.mitre.org\/techniques\/T1082\/\">T1082 &#8211; System Information Discovery<\/a><\/p>\n<h2>Appendix B &#8211; Skipped File 
Names<\/h2>\n<ul>\n<li>RyukReadMe.html<\/li>\n<li>UNIQUE_ID_DO_NOT_REMOVE<\/li>\n<li>boot<\/li>\n<li>PUBLIC<\/li>\n<li>PRIVATE<\/li>\n<li>Windows<\/li>\n<li>sysvol<\/li>\n<li>netlogon<\/li>\n<li>bin<\/li>\n<li>Boot<\/li>\n<li>dev<\/li>\n<li>etc<\/li>\n<li>lib<\/li>\n<li>initrd<\/li>\n<li>sbin<\/li>\n<li>sys<\/li>\n<li>vmlinux<\/li>\n<li>run<\/li>\n<li>var<\/li>\n<\/ul>\n<h2>Appendix C &#8211; Terminated Processes<\/h2>\n<ul>\n<li>virtual<\/li>\n<li>vmcomp<\/li>\n<li>vmwp<\/li>\n<li>veeam<\/li>\n<li>backup<\/li>\n<li>Backup<\/li>\n<li>xchange<\/li>\n<li>sql<\/li>\n<li>dbeng<\/li>\n<li>sofos<\/li>\n<li>calc<\/li>\n<li>ekrn<\/li>\n<li>zoolz<\/li>\n<li>encsvc<\/li>\n<li>excel<\/li>\n<li>firefoxconfig<\/li>\n<li>infopath<\/li>\n<li>msaccess<\/li>\n<li>\u00a0mspub<\/li>\n<li>mydesktop<\/li>\n<li>ocautoupds<\/li>\n<li>ocomm<\/li>\n<li>ocssd<\/li>\n<li>onenote<\/li>\n<li>oracle<\/li>\n<li>outlook<\/li>\n<li>powerpnt<\/li>\n<li>sqbcoreservice<\/li>\n<li>steam<\/li>\n<li>synctime<\/li>\n<li>tbirdconfig<\/li>\n<li>thebat<\/li>\n<li>thunderbirdvisio<\/li>\n<li>word<\/li>\n<li>xfssvccon<\/li>\n<li>tmlisten<\/li>\n<li>PccNTMon<\/li>\n<li>CNTAoSMgr<\/li>\n<li>Ntrtscan<\/li>\n<li>mbamtray<\/li>\n<\/ul>\n<h2>Appendix D &#8211; Terminated 
Services<\/h2>\n<ul>\n<li>vmcomp<\/li>\n<li>vmwp<\/li>\n<li>veeam<\/li>\n<li>Back<\/li>\n<li>xchange<\/li>\n<li>ackup<\/li>\n<li>acronis<\/li>\n<li>sql<\/li>\n<li>Enterprise<\/li>\n<li>Sophos<\/li>\n<li>Veeam<\/li>\n<li>AcrSch<\/li>\n<li>Antivirus<\/li>\n<li>Antivirus<\/li>\n<li>bedbg<\/li>\n<li>DCAgent<\/li>\n<li>EPSecurity<\/li>\n<li>EPUpdate<\/li>\n<li>Eraser<\/li>\n<li>EsgShKernel<\/li>\n<li>FA_Scheduler<\/li>\n<li>IISAdmin<\/li>\n<li>IMAP4<\/li>\n<li>MBAM<\/li>\n<li>Endpoint<\/li>\n<li>Afee<\/li>\n<li>McShield<\/li>\n<li>task<\/li>\n<li>mfemms<\/li>\n<li>mfevtp<\/li>\n<li>mms<\/li>\n<li>MsDts<\/li>\n<li>Exchange<\/li>\n<li>ntrt<\/li>\n<li>PDVF<\/li>\n<li>POP3<\/li>\n<li>Report<\/li>\n<li>RESvc<\/li>\n<li>sacsvr<\/li>\n<li>SAVAdmin<\/li>\n<li>SamS<\/li>\n<li>SDRSVC<\/li>\n<li>SepMaster<\/li>\n<li>Monitor<\/li>\n<li>Smcinst<\/li>\n<li>SmcService<\/li>\n<li>SMTP<\/li>\n<li>SNAC<\/li>\n<li>swi_<\/li>\n<li>CCSF<\/li>\n<li>TrueKey<\/li>\n<li>tmlisten<\/li>\n<li>UI0Detect<\/li>\n<li>W3S<\/li>\n<li>WRSVC<\/li>\n<li>NetMsmq<\/li>\n<li>ekrn<\/li>\n<li>EhttpSrv<\/li>\n<li>ESHASRV<\/li>\n<li>AVP<\/li>\n<li>klnagent<\/li>\n<li>wbengine<\/li>\n<li>KAVF<\/li>\n<li>mfefire <\/li>\n<\/ul>\n<p><i>Find out about the FortiGuard Security Services\u00a0<a href=\"https:\/\/www.fortinet.com\/support\/support-services\/fortiguard-security-subscriptions.html?utm_source=blog&amp;utm_campaign=2018-blog-security-services\">portfolio<\/a>\u00a0and <a href=\"https:\/\/www.fortinet.com\/fortiguard\/threat-intelligence\/threat-research.html?utm_source=nreleaseblog&amp;utm_campaign=2018-q2-fortiguardlabs-cta\">sign up<\/a>\u00a0for our weekly FortiGuard Threat Brief.<\/i><\/p>\n<p><i>Discover how the FortiGuard\u00a0<a href=\"https:\/\/www.fortinet.com\/support\/support-services\/fortiguard-security-subscriptions\/security-rating.html?utm_source=blog&amp;utm_campaign=2018-blog-security-rating-service\">Security Rating Service<\/a>\u00a0provides security audits and best practices to guide 
customers in designing, implementing, and maintaining the security posture best suited for their organization.<\/i><\/p>\n<\/p><\/div>\n<div class=\"raw-import aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"text-container\">\n<div id=\"om-qxx1b0gslklfu2kjckea-holder\"><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<p><a href=\"http:\/\/feedproxy.google.com\/~r\/fortinet\/blog\/threat-research\/~3\/0XMR6CReb3c\/ryuk-revisited-analysis-of-recent-ryuk-attack.html\" target=\"bwo\" >http:\/\/feeds.feedburner.com\/fortinet\/blog\/threat-research<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"\/blog\/threat-research\/ryuk-revisited-analysis-of-recent-ryuk-attack\/_jcr_content\/root\/responsivegrid\/image.img.png\/1583363649293\/picture1.png\"\/><br \/>Find out more about the tactics, techniques, and procedures (TTPs) of a recently discovered Ryuk ransomware variant to ensure that you can detect and protect against it.&lt;img src=&#8221;http:\/\/feeds.feedburner.com\/~r\/fortinet\/blog\/threat-research\/~4\/0XMR6CReb3c&#8221; height=&#8221;1&#8243; width=&#8221;1&#8243; 
alt=&#8221;&#8221;\/&gt;<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10424,10378],"tags":[],"class_list":["post-17918","post","type-post","status-publish","format-standard","hentry","category-fortinet","category-security"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/17918","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=17918"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/17918\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=17918"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=17918"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=17918"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}