Cybersecurity Snapshots #14 - The Rise of Ryuk
Cybersecurity Snapshots #14 -
The Rise of Ryuk
Ryuk ransomware first appeared in August 2018 although it is based on an older ransomware program called Hermes that was sold on underground cybercrime forums in 2017. Researchers originally believed that North Korean hackers created Ryuk, but that theory has been disproven. Researchers now generally agree that a Russian-speaking cybercriminal group created Ryuk., and the Ryuk gang is currently causing big problems. Recently, Universal Health Services (UHS), a Fortune-500 owner of a nationwide network of hospitals, was hit with a ransomware attack. UHS has not mentioned the kind of attack it suffered, but information from workers seems to point to the Ryuk ransomware. The encrypted files were being appended with the .RYK extension and a ransom note that showed up on all affected computers referenced the phrase "Shadow of the Universe," which is known to be included in Ryuk ransom notes. A Ryuk ransomware attack also recently disabled the Baltimore County Public School system's entire network, and the adversaries demanded a ransom payment. The cybercriminal group behind Ryuk ransomware usually demands higher ransom payments from their victims than many other ransomware gangs. The ransom amounts associated with Ryuk typically range between 15 and 50 bitcoins ($100,000 - $500,000). The adversaries go after organizations with critical assets that are more likely to pay, known as "big game hunting." The Ryuk gang is very successful at monetizing its campaigns.
Joel Decapua, a supervisory special agent with the FBI's Global Operations and Targeting Unit, found that organizations paid $144.35 million in bitcoin to ransomware groups between 2013 and 2019. The data did not include ransom payments in other cryptocurrencies. Of the payments, $61.26 million were sent to the Ryuk gang, which is three times larger than what Crysis/Dharma, the second most successful ransomware gang, managed to extract from victims in three years of operation. Researchers from HYAS and Advanced Intelligence LLC recently conducted a study and looked at transactions for known bitcoin addresses associated with Ryuk ransomware and concluded that the Ryuk ransomware criminal enterprise is worth more than $150M. The researchers traced 61 deposit addresses associated with the ransomware and found that most of the funds were sent to exchanges through intermediaries for cash out. The cybercriminals appear to be primarily using the Asian crypto-exchanges Huobi and Binance. Additionally, the researchers found that Ryuk operators are sending "significant flows of cryptocurrency" to several small addresses that the researchers believe is a crime service that exchanges the cryptocurrency for local currency or another digital currency.
Ryuk ransomware is almost exclusively distributed through TrickBot. TrickBot is one of the most prevalent Trojans and is distributed through malicious spam emails but is also delivered by another widespread Trojan program called Emotet. TrickBot is believed to follow a similar Malware-as-a-Service (MaaS) model as Emotet, but is only available to a relatively small number of top-tier cybercriminals, according to a recent report by cybercrime intelligence firm Intel 471. Not all TrickBot infections lead to Ryuk. When they do, Ryuk ransomware's deployment happens weeks after TrickBot first shows up on a network. Researchers believe that this is likely because the adversaries use the data collected by TrickBot to identify potentially valuable networks. The Ryuk gang, after picking their target, usually conducts manual hacking activities that involve network reconnaissance and lateral movement, with the end goal to compromise domain controllers and gain access to as many systems as possible. By doing this, the cybercriminals can ensure that when Ryuk ransomware is deployed, the damage is swift and widespread across the network, which is more likely to force an organization's hand than holding just a few of its endpoints hostage.
Ryuk encrypts all files except for those with the extensions dll, lnk, hrmlog, ini, and exe. It also skips files stored in the Windows System32, Chrome, Mozilla, Internet Explorer and Recycle Bin directories. These exclusion rules are likely meant to preserve system stability and allow the victim to use a browser to make payments. Ryuk ransomware uses strong file encryption based on AES-256. The encryption keys are stored at the end of the encrypted files, which have their extension changed to .ryk. The AES keys are encrypted with a RSA-4096 public-private key pair that is controlled by the attackers. Despite the whitelisting of certain system files and directories, Ryuk can still encrypt files critical to the system's normal operation, which sometimes results in unbootable systems after they are restarted. Publicly available tools cannot decrypt Ryuk files. If a victim does pay the ransom, the decrypter that the Ryuk gang sends can sometimes corrupt files. This usually happens on larger files when Ryuk intentionally performs only partial encryption to save time. All these issues can complicate the recovery efforts and increase the cost incurred by victims.
There are multiple steps that security professionals can take to lessen system susceptibility to ransomware attacks. When an organization's security team sees that common malware is removed from company systems, they should perform further investigations because common threats like Emotet and TrickBot rarely come alone. If further investigation is not conducted, it can lead to much deeper problems and more disastrous consequences a few weeks later. Microsoft researchers suggest that when malware infections like Emotet, Dridex, and Trickbot are found on company systems, they should be remediated and treated as a potential full compromise of the system, including any credentials present on them. Security teams should address the infrastructure weaknesses that allowed the malware to get in and propagate. Security teams should also harden their network against lateral movement by practicing good credential hygiene and enforcing least-privilege access. Restricting unnecessary Sever Message Block (SMB) traffic between endpoints and limiting the use of administrative credentials can also make an organization's network more resilient against human-operated ransomware campaigns such as Ryuk.