Ryuk and the Resurgence of Ransomware - The Monitor, Issue 2

The article below was extracted from The Monitor newsletter, a monthly digest of Kroll’s global cyber risk case intake. The Monitor also includes an analysis of the month’s most popular threat types investigated by our cyber experts. Subscription is available below:

Kroll identified 15 ransomware cases via its cyber intake process during the month of February 2019. In particular, we noted the highly opportunistic Ryuk variant seizing on vulnerable networks, with attacks across industry sectors, including manufacturing, government, education, professional services and healthcare. 

Kroll reviewed Ryuk ransom notes that directed victims to contact a Swiss-based ProtonMail email address. Then the attackers followed up with varying demands for payment in bitcoin. Based on our experience and other reports, most Ryuk ransomware attacks follow this pattern.

However, Ryuk mainly differs from other ransomware families based on its delivery mechanism. Most types of ransomware rely on phishing attacks or open Remote Desktop Protocol (RDP) connections. Ryuk most often leverages established command and control servers associated with Trickbot and Emotet banking trojans. This allows the Ryuk attackers to access a large swath of victims and “cash in” on high-value Trickbot and Emotet victims; they then tailor ransom demands to each organization. (See the Technically Speaking section in this newsletter for a representative attack sequence.)

While Ryuk attackers profit from their ties with these trojans, the connection also provides a tripwire that can alert victims to a potential ransomware attack following a trojan infection. “Ransomware in 2019 is significantly different than ransomware in 2017, with attackers leveraging the access gained with Trickbot and Emotet, which usually includes domain administrator access. Attackers now spend far more time performing reconnaissance on an impacted network, which allows them to have a high level of confidence that an organization will have to pay the ransom. We have identified attackers deleting backups to make recovery increasingly difficult,” says Associate Managing Director Pierson Clair. 

Pierson continues, “Most trojans are introduced via methods such as social engineering attacks, specifically infected email attachments. Emotet and Trickbot are families of polymorphic malware, which makes them very difficult for anti-virus to identify. However, we know these attack vectors can be addressed effectively with several other proven measures. These range from human-focused efforts, such as educating employees and making social engineering exercises part of broader technical penetration testing programs, to implementing layers of technological solutions, including threat intelligence and endpoint detection and response applications. So, organizations can virtually head off Ryuk at the pass by implementing best practices that prevent Trickbot/Emotet from getting a foothold in the first place.”

Technically Speaking

Following is a typical sequence of events that Kroll’s investigations have identified in the evolution of Emotet/Trickbot/Ryuk attack. 

According to an FBI Flash, the Ryuk ransomware variant is marked by these characteristics:

• First appeared as a derivative of Hermes 2.1 ransomware and became available on the open market as of August 2018
   
  • Retains some aspects of Hermes code; all of Ryuk’s files contain the “HERMES” tag, but some of the files have .ryk added to the filename, while others do not.
  • In other parts of the ransomware code, Ryuk has removed or replaced features of its predecessor.
• Ryuk deletes all files related to the dropper used to deploy the malware
   
  • Ryuk has been deployed secondary to Trickbot and/or Emotet banking Trojans, which use Server Message Block (SMB) protocols to propagate through the network and can be used to steal credentials.
• After the initial attack, additional network exploitation tools may be downloaded, including PowerShell Empire, the Microsoft Sysinternals tool psexec, or the penetration testing tool Cobalt Strike.
• Once executed, Ryuk establishes persistence in the registry, injects into running processes, looks for network connected file systems, and begins encrypting files.
• Ryuk utilizes AES-256 to encrypt files and uses an RSA public key to encrypt the AES key.
• The Ryuk dropper drops a .bat file which tries to delete all backup files and Volume Shadow Copies (automatic backup snapshots made by Windows), preventing the victim from recovering encrypted files without the decryption program.

Watch Associate Managing Director Thomas Brittain go into further detail about the Ryuk ransomware timeline.