RYUK is a ransomware which was first spotted in the year 2018 being distributed as a part of a targeted campaign. The attacks using this ransomware are well planned and highly targeted. This ransomware is known to have encrypted a number of PCs, storage and data centers in various organizations. The attackers behind this ransomware have carefully curated the ransomware to target highly sensitive data in large organizations to extort the highest ransom amount possible. Ryuk is considered a high profile ransomware due to its wide impact on the networks it infects, high ransom demands, and reports of having earned close to 3.7 million dollars. Reports indicate that Ryuk was responsible for 23.9% of the ransomware attacks against enterprises.
A careful analysis of the malware reveals the extensive research that the ransomware attackers perform in mapping networks and collecting credentials of their targets. Ryuk has meddled with the functioning of a number of organizations and has created huge losses for them. Ryuk encrypted files are identified by the .RYK extension and the RyukReadMe.html ransom note left behind on infected systems.
Ryuk ransomware has made close allies with other attackers to muscle in on large businesses. Check Point researchers found close connections of this ransomware with a North Korean group named Lazarus and code similarities with another ransomware called Hermes. Ryuk follows the same encryption procedure as that of Hermes. Ryuk is also known to have rented other malwares as an Access-as-a-Service to gain entrance to a networks. Ryuk leveraged TrickBot and Emotet malwares to infiltrate organizations. TrickBot and Emotet, which were distributed in large malspam campaigns, create a reverse shell back to the Ryuk attackers giving them remote access to the infected machines to install ransomware.
- Deletes shadow volumes and backup files on infected machines.
- Distributes different versions of ransomware for 32 and 64-bit architectures.
- Kills processes and stops services by executing taskkill and net stop on a list of predefined services and process names mostly under the categories of antivirus, database, backup and document editing software.
- Ensures persistence on the target machine by writing itself to the Run registry key.
- Uses specific keywords to look for sensitive files.
- Uses the Wake-on-Lan feature to turn on powered off devices on a compromised network.
- Blacklists Windows Subsystem for Linux
- Performs thorough reconnaissance of the network, collects admin passwords, takes over domain controllers, and utilizes post-exploitation toolkits such as PowerShell Empire to spread ransomware.
- Shuts down entire networks after infection.
- Steals confidential financial, military, and law enforcement files.
How can Ryuk infect your system?
- Spearphishing emails : Trickbot and Emotet malwares are delivered to computers through spam mail which open a reverse shell back to the Ryuk actors.
- Publicly accessible Remote Desktop Services on targets.
- Using Wake-on-Lan feature for lateral movement in the compromised network.
Ryuk ransomware has exploited the following vulnerabilities for infection:
- Network Weathermap HTML Injection Vulnerability (CVE-2013-2618 )
- Zyxel EMG2926 home router OS Command Injection Vulnerability (CVE-2017-6884)
- Internet Explorer Remote Code Execution Vulnerability (CVE-2018-8389)
Attackers can trick users into opening malicious links using vulnerable Internet Explorer to exploit the underlying vulnerability and deliver malware.
- Adobe Acrobat and Reader Arbitrary Code Execution Vulnerability (CVE-2018-12808)
Malicious PDF files are transported to target systems through spear phishing emails. These documents exploit the vulnerability in Adobe Acrobat and Reader to deliver malware.
SanerNow lists the potential targets for malwares in an enterprise network(shown in the figures below).
General recommendations to prevent ransomware infections
- Keep your systems up-to-date with the latest patches available from vendors.
- Maintain an active backup of the files on your machines.
- Refrain from opening any suspicious emails or links.
- Allow Remote Desktop connections through a Windows Firewall and make it only accessible through a VPN.