About Ryuk Ransomware

The ransomware "Ryuk" has been observed in infections since around 2018, and it is believed to have been created from the source code of the Hermes ransomware, which was sold on an Internet hacking forum in 2017. Since its inception, Ryuk has been successful in targeting large organizations, earning a cumulative total of $61.26 million (as of February 2020), according to a federal government survey.

One of the reasons behind Ryuk's abominable success is its operators' ability to evolve their tactics, techniques and procedures (TTPs). Since early last year, TrickBot, an infostealer Trojan, has consistently been an "accomplice" in many of these cyberattacks, alongside other malware, frameworks and tools. While earlier attacks used the EMPIRE framework, in an attack observed by Cybereason later that year, Emotet was deployed through a TrickBot download.

In March 2020, the threat actor temporarily suspended the deployment of Ryuk and introduced a new ransomware called Conti. Cybercrime researchers discovered that the two codebases are similar, suggesting that Conti might be Ryuk's successor. However, in September 2020, Ryuk quickly revived, and Conti infections occurred in parallel with it. For this reason, it has been pointed out that Conti is not the successor to Ryuk but a new and distinct malware lineage.

It was also observed that TrickBot began delivering a new malware called BazarLoader shortly after Ryuk's hiatus began. Evidence is now emerging that Ryuk, Conti and BazarLoader are being used by the same threat actors.

Ryuk ransomware is most often seen as the final payload of larger targeted attacks on businesses, and since its resurgence in September this year it has spread primarily through TrickBot and BazarLoader infections.

Overview of execution

[Figure: Execution of Ryuk ransomware detected by Cybereason's sensor]

When the Ryuk binary is executed, the sample makes a copy of itself (ltbyhrc.exe, the randomly named child process of Ryuk in the screenshot, is a copy of Ryuk) and runs it with the argument "8 LAN". This feature uses the device's ARP table to find machines on the local LAN, sends Wake-on-LAN packets to those machines, and, once it succeeds in mounting the C$ share on a machine, proceeds to encrypt that remote drive.

Both the original binary and the dropped copy (ltbyhrc.exe) perform the same tasks. They attempt to remove shadow copies after first stopping the "audioendpointbuilder", "samss" and "sqlwriter" services. The malware also uses cacls.exe (a program that modifies access control lists) to secure full control over all files and folders on the C: and D: drives before encryption begins.

The original binary was also observed injecting into other processes. Cybereason detects these processes and tags them with a "floating executable code" suspicion.

Upon successful execution, the malware encrypts user files and appends a .RYK extension to them. Certain file types, such as .DLL and .EXE files, are left unencrypted to avoid rendering the host system unbootable. Each folder that Ryuk traverses receives a "RyukReadMe.html" file, but in this sample the file is just a skeleton containing only the malware's name and an email address, with no further instructions. Perhaps the threat actors believe their reputation is already widespread enough.
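As an added example (not part of the original write-up and not Cybereason's code), the following Python sketch turns the host-level behaviours described above into simple detection logic over Sysmon-style process and file events, and scores each host on how many distinct behaviours it exhibits. The event records and the exact command-line forms for vssadmin, net stop and cacls are constructed assumptions for illustration, not captured from a real sample.

```python
import re

# Constructed Sysmon-style events modelled on the behaviours the write-up
# describes (self-copy run with "8 LAN", service stops, shadow copy
# deletion, cacls granting full control, .RYK writes). Command lines are
# assumed forms, not captured from a real Ryuk sample.
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "process", "cmdline": "ltbyhrc.exe 8 LAN"},
    {"host": "ws01", "type": "process", "cmdline": 'net stop "samss" /y'},
    {"host": "ws01", "type": "process",
     "cmdline": "vssadmin.exe Delete Shadows /all /quiet"},
    {"host": "ws01", "type": "process",
     "cmdline": "cacls.exe C:\\* /E /T /G Everyone:F"},
    {"host": "ws01", "type": "file", "path": "C:\\Users\\u\\Documents\\q3.xlsx.RYK"},
    {"host": "ws02", "type": "process", "cmdline": "net stop spooler"},  # benign
]

# One rule per behaviour: (rule name, regex over the command line).
PROCESS_RULES = [
    ("ryuk_lan_argument", re.compile(r"\b8 LAN\b", re.I)),
    ("shadow_copy_deletion",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("ryuk_service_stop",
     re.compile(r'\bnet1?(\.exe)?\s+stop\s+"?(audioendpointbuilder|samss|sqlwriter)\b', re.I)),
    ("cacls_full_control",
     re.compile(r"\bcacls(\.exe)?\s+[CD]:\\\*.*/G\s+Everyone:F\b", re.I)),
]
RYK_EXTENSION = re.compile(r"\.ryk$", re.I)


def classify_event(event):
    """Return the names of every rule one event matches (possibly none)."""
    hits = []
    if event["type"] == "process":
        cmd = event.get("cmdline", "")
        hits.extend(name for name, rx in PROCESS_RULES if rx.search(cmd))
    elif event["type"] == "file" and RYK_EXTENSION.search(event.get("path", "")):
        hits.append("ryk_extension_write")
    return hits


def score_hosts(events, threshold=3):
    """Collect distinct rule hits per host; flag a host at or above the
    threshold so that a lone 'net stop' of a listed service does not alert."""
    per_host = {}
    for ev in events:
        per_host.setdefault(ev["host"], set()).update(classify_event(ev))
    return {h: (sorted(hits), len(hits) >= threshold) for h, hits in per_host.items()}


REPORT = score_hosts(SAMPLE_EVENTS)  # ws01 flagged with 5 hits, ws02 not flagged
```

The threshold keeps single coincidental matches quiet; in practice the rules would be fed from an EDR or SIEM event stream rather than the embedded list.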

[Figure: An encrypted file with the extension .RYK]

[Figure: Ryuk's ransom note]

IOCs