Ryuk Ransomware is one of the best-known and most destructive ransomware strains. Over the last 24 months in particular it has built a reputation for attacking healthcare providers and hospitals. The attack vector, that is, the method by which Ryuk infects systems, varies between campaigns. Like most ransomware strains, Ryuk most commonly uses phishing as its initial infection path, usually followed by the targeting of vulnerable servers. A recent case at a European biomedical research institute, however, began with a single student trying to pirate software.
The attack was reported by Sophos, whose Rapid Response team was called in for the clean-up. The institute is involved in COVID-19 research alongside other life-sciences work. It remains unnamed but is believed to have close partnerships with local universities and works with many students across a range of programs.
The Ryuk infection was far from trivial for the institute. It cost a week's worth of vital research data because the backups were not fully up to date. The Rapid Response team was brought in to contain and neutralize the ransomware and to work out how the initial infection had taken place.
When the team analyzed the evidence, they narrowed the point of initial access down to an external student who wanted a personal copy of a data visualization tool already used for work, but did not want to pay for it.
After posting a question on an online research forum asking whether anyone knew of a free alternative and getting no response, the student searched for a "crack version." Having found an apparent copy of the software, the student downloaded it and tried to install it, but the file was pure malware. Windows Defender immediately raised a security alert; the student disabled it, along with the firewall, and tried again.
Instead of a cracked copy of legitimate software, the program was an info-stealer that began logging keystrokes and stealing browser cookies. Eventually it captured the student's access credentials for the institute network.
Thirteen days later, a remote desktop connection to the institute network was registered using the student's login. Another 10 days after that, the same connection was used to install Ryuk.
“It is unlikely that the operators behind the ‘pirated software’ malware are the same as the ones who launched the Ryuk attack,” said Peter Mackenzie, manager of Rapid Response at Sophos. “The underground market for previously compromised networks offering attackers easy initial access is thriving, so we believe that the malware operators sold their access on to another attacker. The RDP connection could have been the access brokers testing their access.”
Gary Ogasawara, chief technology officer at enterprise data storage company Cloudian Inc., said that internet-exposed RDP sessions are commonly exploited to infect end-user devices.
“Such sessions are intended to remotely log in to Windows computers and allow the user to securely control the device,” Ogasawara explained. “Unfortunately, hackers have become skilled at brute-force attacks on these exposed computers that enable them to take advantage of RDP vulnerabilities and insert ransomware.”
Lesley Carhart, a principal industrial incident responder at Dragos, recently noted how underreported ransomware attacks like this one really are. "This isn't something that happens to other people," she said in a Twitter thread on Tuesday. "You're not too big, too small, too hybrid, too virtualized or too 'zero trust'. I promise. Things are very bad. Be prepared now and take serious mitigating measures."
Ryuk Ransomware Analysis
Note: The following analysis of Ryuk was carried out by independent researcher Abdallah Elshinbary.
Ryuk operates in two stages. The first stage is a dropper that writes the actual Ryuk ransomware to another directory and exits. The ransomware then tries to inject into running processes to avoid detection, and it launches a cmd.exe process to modify the registry.
Ryuk then encrypts files on the system and on network shares, dropping a ransom note named RyukReadMe.txt in every folder it encrypts.
The dropper first checks the Windows major version. If it is 5 (Windows 2000, Windows XP or Windows Server 2003), it drops the ransomware executable in C:\Documents and Settings\Default User\; otherwise it drops it in C:\users\Public.
The name of the dropped executable is five randomly generated characters.
If creating this file fails, Ryuk writes the executable to the dropper's own directory instead, naming it after the dropper with the last character of the name replaced by the letter 'V' (if the dropper is ryuk.exe, the dropped executable is ryuV.exe).
Next there is a call to IsWow64Process(). If its Wow64Process output flag is set (which happens only when a 32-bit process is running under WOW64 on a 64-bit system), the dropper writes the 64-bit binary into the dropped executable; otherwise it writes the 32-bit binary. Both binaries are stored in the dropper's .data section.
The last step is a call to ShellExecuteW() to run the second-stage executable, passing it a single argument: the dropper's own path. The second stage uses that argument to delete the dropper before the dropper's work is considered done.
Ryuk uses the well-known Run key for persistence. It creates a value named svchos (one character short of svchost) under HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and sets its data to the executable path, which in my case is "C:\users\Public\BPWPc.exe".
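As an added illustration of how a defender would hunt for this persistence entry (example code written for this page, not part of the researcher's analysis), the Python below audits a .reg export of the Run key. The export text, the OneDrive and Teams entries, the list of imitated Windows binaries and the list of staging directories are constructed assumptions; only the svchos value name and the C:\users\Public\BPWPc.exe path mirror what the analysis describes. A value is flagged when its name is one edit away from a real Windows process name, when its image lives in a directory any local user can write to, or when the image name matches the five-random-character pattern.

```python
import re

# Constructed sample: a .reg export of the HKCU Run key (illustrative data written for this
# example, not an artefact from the incident). The svchos entry mirrors the value name and
# C:\users\Public path described in the analysis; the other two entries are benign filler.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"svchos"="C:\\users\\Public\\BPWPc.exe"
"Teams"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\Teams\\Update.exe --processStart Teams.exe"
'''

# Windows process names that malware likes to imitate with a near-miss spelling (assumed list).
WINDOWS_BINARIES = {"svchost", "explorer", "winlogon", "csrss", "lsass", "services",
                    "wininit", "smss", "conhost", "dwm", "runtimebroker"}

# Directories every local user can write to; a legitimate autorun rarely points here (assumed list).
STAGING_DIRS = (r"c:\users\public", r"c:\programdata", r"c:\windows\temp")


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; used to catch value names one typo away from a real binary."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_run_values(reg_text: str, key_suffix: str = r"\CurrentVersion\Run"):
    """Yield (value_name, command_line) for string values under a CurrentVersion Run key."""
    in_run_key = False
    for line in reg_text.splitlines():
        if line.startswith("["):
            in_run_key = line.rstrip("]").lower().endswith(key_suffix.lower())
            continue
        m = re.fullmatch(r'"([^"]+)"="(.*)"', line.strip())
        if in_run_key and m:
            # .reg files escape backslashes and quotes as \\ and \" ; undo that here
            yield m.group(1), re.sub(r"\\(.)", r"\1", m.group(2))


def image_path(command: str) -> str:
    """Pull the executable out of a Run value's command line, quoted or bare."""
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    path = []
    for token in command.split():
        path.append(token)
        if token.lower().endswith(".exe"):
            break
    return " ".join(path)


def audit_run_key(reg_text: str):
    """Return the Run values that look like a Ryuk-style persistence entry, with reasons."""
    findings = []
    for name, command in parse_run_values(reg_text):
        image = image_path(command)
        low = image.lower()
        basename = low.rsplit("\\", 1)[-1]
        reasons = []
        if name.lower() not in WINDOWS_BINARIES:
            reasons += [f"lookalike:{real}" for real in sorted(WINDOWS_BINARIES)
                        if levenshtein(name.lower(), real) == 1]
        if low.startswith(STAGING_DIRS):
            reasons.append("staging-dir")
        if re.fullmatch(r"[a-z]{5}\.exe", basename):   # five random characters + .exe
            reasons.append("random-5-char-name")
        if reasons:
            findings.append({"name": name, "image": image, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_run_key(SAMPLE_REG):
        print(finding)
```

On a live host the same logic can be fed the output of `reg export HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run.reg`; the HKLM Run key is worth checking the same way, since the value name rather than the hive is what gives the entry away.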
Ryuk has a long list of predefined services and processes to kill, using net stop and taskkill /IM respectively. Many of the targets are antivirus services.
Ryuk also drops a batch script at C:\Users\Public\window.bat that deletes all shadow copies and any backups it can find, then deletes itself.
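The service-stop and taskkill list above and the shadow-copy batch script form a sequence a SOC can correlate from process-creation telemetry. The Python below is an added example, not the researcher's code: the events are constructed in the style of Sysmon event ID 1 or EDR process records (pid 4120 stands in for the dropped ransomware, and the service and file names are placeholders), and the backup-destruction patterns (vssadmin delete shadows / resize shadowstorage, wmic shadowcopy delete, bcdedit recoveryenabled no, wbadmin delete catalog) and the reg add pattern are generic ransomware tradecraft rather than commands quoted from window.bat, whose contents are not reproduced on this page. Each matched child command is attributed to the root of its process tree, and an alert fires when one tree both stops services and kills processes, or issues any backup-destruction command.

```python
import re
from collections import defaultdict

# Constructed process-creation events in the style of Sysmon event ID 1 / EDR records:
# (time, pid, parent pid, command line). They are illustrative, not telemetry from the incident;
# pid 4120 plays the dropped ransomware, and the service and batch file names are placeholders.
EVENTS = [
    ("10:00:01", 4120, 3980, r'"C:\users\Public\BPWPc.exe" C:\Users\stu\Downloads\setup.exe'),
    ("10:00:01", 4130, 4120, r'cmd.exe /c reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v svchos /d C:\users\Public\BPWPc.exe /f'),
    ("10:00:02", 4131, 4120, r"cmd.exe /c net stop MSSQLSERVER /y"),
    ("10:00:02", 4132, 4120, r'cmd.exe /c net stop "Backup Agent" /y'),
    ("10:00:02", 4133, 4120, r"cmd.exe /c taskkill /IM mspub.exe /F"),
    ("10:00:03", 4134, 4120, r'cmd.exe /c "C:\Users\Public\window.bat"'),
    ("10:00:03", 4135, 4134, r"vssadmin.exe Delete Shadows /all /quiet"),
    ("10:00:03", 4136, 4134, r"vssadmin.exe resize shadowstorage /for=c: /on=c: /maxsize=401MB"),
    ("10:05:00", 5001, 900, r'"C:\Program Files\Backup\agent.exe" --schedule'),
    ("10:06:00", 5002, 900, r"net stop Spooler"),   # an admin bouncing the print spooler: benign
]

# Command patterns. The first two follow the analysis (net stop / taskkill /IM); the registry
# and backup-destruction commands are generic ransomware tradecraft, not quoted from window.bat.
RULES = [
    ("service-stop", re.compile(r"\bnet1?(\.exe)?\s+stop\b", re.I)),
    ("process-kill", re.compile(r"\btaskkill(\.exe)?\b.*\s/IM\b", re.I)),
    ("run-key-write", re.compile(r"\breg(\.exe)?\s+add\b.*\\currentversion\\run\b", re.I)),
    ("shadow-copy-deletion", re.compile(r"\bvssadmin(\.exe)?\s+(delete\s+shadows|resize\s+shadowstorage)", re.I)),
    ("shadow-copy-deletion", re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("recovery-disabled", re.compile(r"\bbcdedit(\.exe)?\b.*recoveryenabled\s+no", re.I)),
    ("backup-catalog-deletion", re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog", re.I)),
]
DESTRUCTIVE = {"shadow-copy-deletion", "recovery-disabled", "backup-catalog-deletion"}


def classify(cmdline: str) -> set:
    """Tags for one command line (a set, so two rules with the same tag count once)."""
    return {tag for tag, rx in RULES if rx.search(cmdline)}


def root_of(pid: int, parent_of: dict) -> int:
    """Walk up the process tree while the parent is a process we also have an event for."""
    while parent_of.get(pid) in parent_of:
        pid = parent_of[pid]
    return pid


def detect_ransomware_prep(events, stop_threshold: int = 2):
    """Correlate per process tree: alert on any backup destruction, or on mass stop + kill."""
    parent_of = {pid: ppid for _, pid, ppid, _ in events}
    cmd_of = {pid: cmd for _, pid, _, cmd in events}
    counts = defaultdict(lambda: defaultdict(int))
    for _, pid, _, cmd in events:
        for tag in classify(cmd):
            counts[root_of(pid, parent_of)][tag] += 1
    alerts = []
    for root, tags in counts.items():
        mass_stop = tags.get("service-stop", 0) >= stop_threshold and tags.get("process-kill", 0) > 0
        if mass_stop or DESTRUCTIVE & set(tags):
            alerts.append({"root_pid": root, "root_cmd": cmd_of[root], "counts": dict(tags)})
    return alerts


if __name__ == "__main__":
    for alert in detect_ransomware_prep(EVENTS):
        print(alert)
```

The single `net stop Spooler` from an administrator stays below the threshold, while the tree rooted at the dropped executable trips both conditions. In production the same correlation would be keyed on host and a time window rather than on a flat list.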
Ryuk uses a multi-threaded approach to encryption: it creates a new thread for each file it encrypts, which makes it very fast.
It enumerates files with FindFirstFileW() and FindNextFileW() and passes each file name to a new encryption thread. Each thread starts by generating a random 256-bit AES key with CryptGenKey(); Ryuk uses the Windows CryptoAPI for the encryption. It then enters the usual encryption loop, encrypting the file in chunks of 1,000,000 bytes.
Finally Ryuk writes a 274-byte metadata block at the end of the file. The first 6 bytes are the keyword HERMES. The per-file AES key is then exported with CryptExportKey() using the RSA public key as the exchange key, which is what encrypts it; the output is 12 bytes of blob header followed by 256 bytes of RSA-encrypted key (256 bytes corresponds to a 2048-bit RSA modulus), and this blob is written after the marker, giving 6 + 12 + 256 = 274 bytes.
The RSA public key is embedded in the executable; it is imported with CryptImportKey() and the resulting handle is passed to every encryption thread.
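The 274-byte trailer is simple enough to parse directly, which is useful for confirming which files a Ryuk run actually touched and for pulling out the wrapped key blob of each file. The Python below is an added example, not the researcher's code. It assumes the 12 "blob information" bytes are a CryptoAPI SIMPLEBLOB header (an 8-byte BLOBHEADER carrying bType 0x01, bVersion 0x02, a reserved word and the session key's ALG_ID, followed by the 4-byte ALG_ID of the wrapping algorithm), which is how CryptExportKey() lays out a session key exported under an RSA exchange key; the sample file contents and the 256-byte wrapped key are constructed placeholders, since no real ciphertext appears on the page. Parsing the trailer identifies the file and isolates the wrapped key, but the RSA private key is still needed to recover the AES key.

```python
import os
import struct
import tempfile

MARKER = b"HERMES"                            # 6-byte keyword at the start of the trailer
SIMPLEBLOB, CUR_BLOB_VERSION = 0x01, 0x02     # CryptoAPI BLOBHEADER bType / bVersion
CALG_AES_256, CALG_RSA_KEYX = 0x00006610, 0x0000A400
KEY_BLOB_LEN = 256                            # RSA-encrypted AES key: 256 bytes = 2048-bit modulus
FOOTER_LEN = len(MARKER) + 12 + KEY_BLOB_LEN  # 6 + 12 + 256 = 274, as the analysis measured


def build_footer(wrapped_key: bytes) -> bytes:
    """Assemble a trailer with the assumed layout: HERMES || SIMPLEBLOB header || wrapped key."""
    if len(wrapped_key) != KEY_BLOB_LEN:
        raise ValueError("wrapped key must be 256 bytes")
    # BLOBHEADER {bType, bVersion, reserved, aiKeyAlg} followed by SIMPLEBLOB's aiEncAlg
    header = struct.pack("<BBHII", SIMPLEBLOB, CUR_BLOB_VERSION, 0, CALG_AES_256, CALG_RSA_KEYX)
    return MARKER + header + wrapped_key


def parse_footer(data: bytes):
    """Parse the trailer of an encrypted file; return None if it is not a HERMES/Ryuk trailer."""
    if len(data) < FOOTER_LEN:
        return None
    trailer = data[-FOOTER_LEN:]
    if trailer[:len(MARKER)] != MARKER:
        return None
    b_type, b_version, _reserved, key_alg, enc_alg = struct.unpack("<BBHII", trailer[6:18])
    if (b_type, b_version) != (SIMPLEBLOB, CUR_BLOB_VERSION):
        return None   # marker present but the header is not what CryptExportKey emits
    return {
        "key_alg": key_alg,            # expected CALG_AES_256 (0x6610)
        "enc_alg": enc_alg,            # expected CALG_RSA_KEYX (0xA400)
        "wrapped_key": trailer[18:],   # per-file AES key encrypted under the RSA public key
        "ciphertext_len": len(data) - FOOTER_LEN,
    }


def scan_file(path: str):
    """Read only the last 274 bytes from disk, which is all that is needed to triage a file."""
    with open(path, "rb") as fh:
        fh.seek(0, os.SEEK_END)
        size = fh.tell()
        if size < FOOTER_LEN:
            return None
        fh.seek(size - FOOTER_LEN)
        info = parse_footer(fh.read(FOOTER_LEN))
    if info is not None:
        info["ciphertext_len"] = size - FOOTER_LEN
    return info


# Constructed sample "encrypted file": 1024 bytes of placeholder ciphertext followed by a
# trailer whose wrapped key is a fixed byte pattern (no real RSA ciphertext is on the page).
SAMPLE_ENCRYPTED = bytes(range(256)) * 4 + build_footer(bytes([0xA5]) * KEY_BLOB_LEN)


if __name__ == "__main__":
    with tempfile.NamedTemporaryFile(delete=False, suffix=".xlsx") as tmp:
        tmp.write(SAMPLE_ENCRYPTED)
    print(scan_file(tmp.name))
    os.unlink(tmp.name)
```

Because the chunked AES loop leaves file size essentially unchanged apart from the trailer, `ciphertext_len` tells you how much of the original file was overwritten, and a sweep of `scan_file` over a share is a quick way to scope an incident without relying on the ransom notes alone.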
Ryuk enumerates network shares with WNetOpenEnumW() and WNetEnumResourceA(). The name of each network resource found is appended to a semicolon-separated list, which is used later to encrypt those shares with the same process described above.
It is advisable to stay away from pirated software: it is often used as a vector for major malware attacks, as this case shows. While that might be an obvious mitigation, it is also important to have the tools needed to protect against threats at every level. One such tool is SaferNet.
SaferNet is the perfect solution to the cybersecurity issues that individuals, families, and businesses face today. It not only connects every device through a secure, always-on, military-grade VPN, but also stops outside cyberthreats, malware and viruses. On SaferNet, all users are protected anywhere in the world, all the time, on any cellular or Wi-Fi network. In addition to its VPN and cyber protection, SaferNet offers a range of employee or parental/family internet controls, including internet filtering, monitoring, scheduling, and blocking access to websites or even entire website categories.
Typically, a business or family would need three separate services for a VPN, malware protection, and internet controls; SaferNet offers all three in one service. SaferNet is an endpoint security presence that can be implemented in minutes anywhere in the world, on phones, laptops, tablets, and computers, at an economical price point that caters to businesses and families of all sizes. SaferNet guarantees a smooth setup and installation process that takes only minutes, and an easily accessible control hub for monitoring all your employees' or family members' devices, including activity, time spent online, and threats blocked.