By Keren Pollack, on June 5th, 2019

Ryuk ransomware was first detected in August 2018. One of its famous attacks happened on 2018 Christmas, attacking several big newspapers including The Wall Street Journal and The New York Times, which were unable to send complete pages to printing facilities, forcing them to put out reduced size newspaper addition. Ryuk malware demanded a ransom ranging between 15-50 BTC.

 

“Unlike the common ransomware, systematically distributed via massive spam campaigns and exploit kits, Ryuk is used exclusively for tailored attacks,” Check Point researchers said. “In fact, its encryption scheme is intentionally built for small-scale operations, such that only crucial assets and resources are infected in each targeted network with its infection and distribution carried out manually by the attackers”.

 

When Ryuk infects a system, it kills over 40 processes and stops more than 180 services. It requires Admin privileges to run and maintain in the system by writing itself to the Run registry key. Ryuk is spread as a secondary payload through other malware such as  TrickBot and Emotet.

 

Understanding Ryuk’s infection method may reveal a new trend of bot’s footholds. Similar to TrickBot, Emotet, and AdvisorsBot, a phishing email containing a malicious file is used as the bot delivery vector. The user is tricked to open a file, containing an executable content called macros. The executable content in the macros ends up installing the bot malware. The bot infection is then spreading laterally inside the victim’s environment by leveraging misconfigured Active Directory.

 

Misconfigured and unintentional Active Directory configurations are cyber criminal’s preferred course of action. Mistakes in AD configurations will allow unwanted user/ group/ administrator relationships. Using those relationships, attackers can access the domain administrator’s privileges without the need of an extendable phishing campaign. Once they compromise a domain administrator’s account, they can identify the most critical assets of the organization.

 

 

Encrypting the organization’s most valuable assets is much more effective than harming regular desktop data, making this ransomware much more powerful. In this case, it also deletes any shadow copies of the asset on the endpoint by disabling the Windows System Restore option. Making it Impossible to recover the attack without external backups makes Ryuk even more painful for the victim.

 

Assumptions regarding Ryuk’s origins points toward North Korean Lazaru Group. Similarities in Ryuk to Hermes ransomware suggest that there is both origins in the same place. It is likely that Ryuk was built on top, or is a modified version of Hermes, due to extendable code similarities.

 

 

Protecting your organization:

As much as user education methods could be helpful, you should never trust the user decision making when you build your organization’s IT security strategy. By applying a few basic security measures, Ryuk and similar malware can be held back.

 

  • Network segmentation:

This is a basic tactic for protecting your IT network against malware. To ensure you don’t lose your drives and resources when a single endpoint gets infected, segment the access to certain servers and files.

Delegate the minimal privileges possible to the admins, allowing them to only do what they need for their functionality. Learn how you can manage your whole organization’s servers configuration using only one admin!

Another approach is to use a separate system for storing shared files and folders. In addition, forbid users and administrators to share files.

 

  • Malware scans:

Use your scanning tools on a regular basis and make sure they are updated, so they can recognize the latest threats. Having a scanning tool that is not updated can lead to the miss conception that your IT network is secured.

 

  • Anti-exploit technologies:

The use of exploits for endpoints infection and lateral movement through the system is a common malware strategy. One way to infect the system is by attaching spam Office documents with malicious scripts. Once the user is tricked to click in “Enable content”, additional scripts will be launched to cause more damage.  Anti-exploit technologies will block those malicious scripts from installing the malware.

 

 

  • Monitor changes in servers’ configurations:

In a branched organization, most often local Admins have privileges in servers’ configuration settings, making it hard for management to keep track of changes being made. By monitoring your servers’ configuration changes you can track suspicious changes and recognize hostile activities in your IT infrastructure. By using CHS by CalCom you can prevent all configuration drifts.

 

 

Researchers believe that the Ryuk attack campaign is yet to be over, so implementing basic moves to protect your organization is essential. With 640,000$ ransom demand in only two weeks of operation, you better make sure you are not exposed to the risk.

 

 

 

https://blog.malwarebytes.com/cybercrime/malware/2019/01/ryuk-ransomware-attacks-businesses-over-the-holidays/

https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/

https://www.cyber.nj.gov/threat-profiles/ransomware-variants/ryuk

https://threatpost.com/ryuk-ransomware-emerges-in-highly-targeted-highly-lucrative-campaign/136755/

https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/ryuk-ransomware-attack-rush-to-attribution-misses-the-point/

https://blog.comodo.com/comodo-news/ryuk-new-ransomware-targeting-businesses-and-enterprises/

https://blog.checkpoint.com/2018/10/23/ransomware-stopped-working-harder-started-working-smarter-botnets-phishing/