Ryuk Ransomware Continues Assault in Spain as Ministry of Labor and Social Economy is Brought Offline

You are currently viewing Ryuk Ransomware Continues Assault in Spain as Ministry of Labor and Social Economy is Brought Offline

Ryuk Ransomware is continuing its attacks against state and private enterprises in Spain after the Spanish Ministry of Labor and Social Economy (MITES) was forced offline last Wednesday. Presently, they are working to restore services. MITES is a ministerial department with an annual budget of almost €39 million, charged with coordinating and supervising Spain’s employment, social economy, and corporate social responsibility policies.

“The Ministry of Labor and Social Economy has been affected by a computer attack,” MITES’ media office said after the attack. “The technical managers of the Ministry and the National Cryptological Center are working together to determine the origin and restore normality as soon as possible.”

Ryuk Ransomware
MITES Twitter Account After the Attack

The Ministry website remained online after the Ryuk Ransomware attack, however both the communications and multimedia offices were down.

Spain has suffered from a spree of Ryuk Ransomware attacks since March this year, when the Spanish Servicio Público de Empleo Estatal (SEPE), which is a part of MITES, was compromised by Ryuk.

The incident impacted more than 700 agency offices across Spain after hackers encrypted the agency’s network systems. According to an announcement made on the agency’s website at the time, the ransomware also spread beyond SEPE’s workstations and reached the agency’s remote working staff’s laptops. As a direct result of the ransomware attack that hit SEPE’s network, hundreds of thousands of appointments made through the agency were delayed throughout Spain.

Ransomware attacks have been common in Spain, with a leading Spanish managed service provider (MSP), and Cadena SER (Sociedad Española de Radiodifusión), Spain’s largest radio station, hit by ransomware in November 2019.

Ryuk Ransomware Analysis

Ryuk Ransomware

Note: This Analysis of Ryuk Ransomware was carried out be independent researcher Abdallah Elshinbary.

Ryuk operates in two stages. The first stage is a dropper that drops the real Ryuk ransomware at another directory and exits. Then the ransomware tries to injects running processes to avoid detection. We can also see that it launches a cmd.exe process to modify the registry.

Ryuk Ransomware

After that, Ryuk goes through encrypting the system files and network shares, it drops a “Ransom Note” at every folder it encrypts under the name RyukReadMe.txt.

The dropper first checks the windows MajorVersion and if it’s equal to 5 (windows 2000 | windows XP | Windows Server 2003), it drops the ransomware executable at C:\Documents and Settings\Default User\ , otherwise it drops it at C:\users\Public.

The name of the dropped executable is five randomly generated characters.

f the creation of this file failed, Ryuk drops the executable at the same directory of the dropper with replacing the last character of its name with the letter ‘V’ (If the dropper name is ryuk.exe, the dropped executable will be ryuV.exe).

Next we can see a call to IsWow64Process() and if it returns true (which means Ryuk is running at a 64 bit system), it writes the 64 bit binary to the dropped executable, else it writes the 32 bit binary. The 2 binary files are stored at the .data section.

The last step is a call to ShellExecuteW() to execute the second stage executable with passing it one argument which is the dropper path (This is used later to delete the dropper).

Before the dropper exits, it passes its path to the second stage executable as a command line argument which in turn deletes the dropper.

Ryuk Ransomware

Ryuk uses the very well know registry key to achieve persistence, It creates a new value under the name “HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos” and its data is set to the executable path which in my case is “C:\users\Public\BPWPc.exe”.

Ryuk has a long list of predefined services and processes to kill using net stop and taskkill /IM respectively. During this process, Ryuk Ransomware will try to kill off many antivirus services.

Ryuk drops a batch script at C:\Users\Public\window.bat which deletes all shadow copies and possible backups, then the script deletes itself.

Ryuk uses a multi threading approach for the encryption process, it creates a new thread for each file it encrypts which makes it very fast.

It starts enumerating files using FindFirstFileW() and FindNextFileW() then it passes each file name to a new encryption thread. Each encryption thread starts by generating a random 256 AES encryption key using CryptGenKey(), Ryuk utilizes the WindowsCrypto API for the encryption. Then it goes into the typical encryption loop, the files are encrypted in chunks with a chunk size of 1000000 bytes.

Finally Ryuk write a metadata block of size 274 bytes at the end of the file. The first 6 bytes are the keyword HERMES. After that, The AES key is encrypted with an RSA public key before it’s written to the end of the file and then exported using CryptExportKey(), This function generates 12 bytes of Blob information + 256 bytes (the encrypted key).

The RSA public key is embedded in the executable, it’s imported using CryptImportKey() and passed to every encryption thread.

The Malware enumerates network shares using WNetOpenEnumW() and WNetEnumResourceA() respectively. For each network resource found, the resource’s name will be appended to a list separated by a semicolon. This list will be used later to encrypt these network shares with the same encryption process above.

Protection

Malware is an ever-present threat for governments, businesses, and homes. It is important to also have the tools necessary for protection against threats at any level. One of these tools is SaferNet.

SaferNet is the perfect solution to the cybersecurity issues that individuals, families, and businesses face today. It not only connects every device using a secure, 24/7 always on, military grade VPN, but it also stops outside cyberthreats, malware and viruses as well. On SaferNet, all users are protected anywhere in the world, all the time, on any cellular or Wi-Fi network. In addition to SaferNet’s VPN and cyber protection, it also offers a range of employee or parental/family internet controls including internet filtering, monitoring, scheduling, and blocking access to websites or even entire website categories

Typically, a business or family would need 3 separate services for a VPN, Malware Protection, and Internet Controls; SaferNet offers all 3 features in one service. SaferNet truly is an endpoint security presence that can be implemented in minutes around the world, on phones, laptops, tablets, and computers at an economical price point that caters to all sizes of businesses and families. SaferNet guarantees a smooth setup and installation process that takes only minutes, and an easily accessible control hub for you to monitor all your employee’s or family members devices; including activity, time spent online, and threats blocked.

Leave a Reply