
Analysis of new variants of Ryuk ransomware

Introduction

In 2020, the continued spread of COVID-19 drove a surge in remote work, and cyber attacks surged with it; among them, ransomware was the most conspicuous. Ransomware was in outbreak mode throughout 2020, and both the scale of attacks and the ransoms paid rose sharply. The largest single demand was in the Foxconn incident: in December 2020, servers at Foxconn's factory in Mexico were hit, and the attackers demanded 1804.0955 bitcoins, about 230 million yuan, within a 21-day deadline.

The most active families at present are Maze, REvil (also known as Sodinokibi), NetWalker, Ryuk and others. As offense and defense evolved, ransomware gained new features in 2020. One is two-stage extortion: the victim first pays a ransom for the key to decrypt the files, and is then asked to pay a second ransom for a promise that the stolen confidential data will not be published. At the same time, the operators changed strategy for reasons of cost-effectiveness, moving from wide, indiscriminate spreading to precise delivery against high-value targets in exchange for large ransoms. There is also a shift from pure extortion to combining ransomware with botnets and cryptomining.

Ryuk ransomware was first disclosed by foreign security companies in 2018. Its main feature is that it spreads through spam and exploit kits. Alibaba Cloud Security Center recently captured a sample of a new Ryuk variant, and we analyzed its lateral-movement technique in detail to show the techniques ransomware commonly uses. The analysis shows that the ransomware does everything it can to spread, widen its impact and cause the greatest possible damage. Finally, we give prevention advice.

Detailed Analysis

1. Anti-debugging and unpacking

The sample's compile timestamp is 2021-01-22 and it first appeared on VirusTotal on 2021-02-02, so it is very new. The first step is, of course, static analysis in IDA. The analysis found that the sample uses a custom packer, which hampers static analysis, so we let it run until it has unpacked and decrypted itself and then continue the analysis from there. As the figure below shows, the sample keeps the resources it uses, such as strings, encrypted.

Figure: Ryuk encrypted strings

When the sample is run in a debugger, it turns out to also have an anti-debugging mechanism, as follows:

Here the sample performs a DebugPort query (the ProcessDebugPort information class of NtQueryInformationProcess), but the output pointer it passes is 1, an invalid address, so the call necessarily triggers an exception, and that exception path is where the check bites. There are several similar places that have to be patched out.


Once the anti-debugging checks are handled, the sample unpacks and decrypts itself in memory; we then dump the process memory and rebuild the IAT, after which the code is much clearer to analyze.

2. Fileless remote encryption and extortion

In the subsequent analysis we found an interesting point. When Ryuk infects a remote machine, it does not first copy its executable over, launch it there and encrypt locally. Instead it encrypts the remote machine's files directly over the SMB protocol. The advantage for the attacker is that on the victim machine all the file reads and writes happen in the context of the System process (the SMB server), so a defensive engine has a hard time deciding whether the activity is malicious encryption.

Using SMB for remote logon and file access first requires valid logon credentials. In many enterprise LANs the servers share the same logon password; in that case the attacker can harvest account credentials with mimikatz or wce and then easily establish an SMB session. We do not discuss that step further here.

The remote infection process is analyzed as follows:

Our test environment has two machines with the same username and password: test machine 1 (192.168.0.28) and test machine 2 (192.168.0.31). We run the ransomware sample on test machine 1 and capture and analyze packets on test machine 2.


After test machine 1 runs the sample, the decoy file on test machine 2 is encrypted and the ransom note is written.

The packet capture on test machine 2 shows that test machine 1 logs in to test machine 2 remotely over SMB and then encrypts test machine 2's decoy file remotely.

Having obtained the local credentials, the sample logs in over SMB to the machines in the LAN that use the same password, and then encrypts the files on each remote machine over SMB for the purpose of extortion.

Logging in over SMB requires either the clear-text password or the NTLM hash. Obtaining the clear-text password by brute force is relatively hard, but the NTLM hash is comparatively easy to get: public tools such as mimikatz and wce (Windows Credentials Editor) can extract it, so the malware can obtain the NTLM hash in the same way.


The sample first connects to port 445 and then logs in to the remote machine over SMB using NTLM authentication.


The response packet shows that the logon succeeded, and the event log on the remote machine also records the successful logon (192.168.0.28 is the attacker's IP).


Here it can be seen that after the successful logon the sample traverses the disk partitions of the remote machine.


Here the decoy file is encrypted and renamed remotely.


The process above achieves file encryption and extortion on the target machine purely over SMB, without running any malicious process on it, which makes detection and defense harder for the defender.
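Because the writes on the victim are performed by System on behalf of the SMB server, a process-based rule sees nothing suspicious; the usable handle is the share session itself. As an added detection example (not code from the original article or from Alibaba Cloud), the Python below correlates schematic records modelled on Windows Security events 4624 (network logon, type 3) and 5145 (network share object access) and raises one alert per network logon that is followed within a short window by writes to many files on administrative shares, or by an executable dropped into Users\Public (the copy described in the next section). The record layout, field names, file names, the dropped binary name and the benign traffic are constructed for the example; 192.168.0.28 is the attacker host from the lab above.

```python
from collections import defaultdict

# Access rights that modify a file through a share (simplified from the 5145
# AccessList for this example).
WRITE_ACCESS = {"WriteData", "AppendData", "DELETE", "WriteAttributes"}

# Constructed, schematic records; real 4624/5145 events are XML with many more
# fields. 192.168.0.28 is the attacker host used in this article's lab.
SAMPLE_EVENTS = [
    {"ts": 0,  "id": 4624, "src": "192.168.0.28", "user": "testuser", "logon_type": 3, "auth": "NTLM"},
    # walk of D$ and encrypt-and-rename of the decoys (write plus delete of the originals)
    {"ts": 3,  "id": 5145, "src": "192.168.0.28", "share": "\\\\*\\D$", "path": "docs\\q1.docx",
     "access": {"ReadData", "WriteData", "DELETE"}},
    {"ts": 4,  "id": 5145, "src": "192.168.0.28", "share": "\\\\*\\D$", "path": "docs\\q2.docx",
     "access": {"ReadData", "WriteData", "DELETE"}},
    {"ts": 5,  "id": 5145, "src": "192.168.0.28", "share": "\\\\*\\D$", "path": "docs\\budget.xlsx",
     "access": {"ReadData", "WriteData", "DELETE"}},
    {"ts": 6,  "id": 5145, "src": "192.168.0.28", "share": "\\\\*\\D$", "path": "docs\\decoy.pdf",
     "access": {"ReadData", "WriteData", "DELETE"}},
    # ransom note written next to the files (note name constructed)
    {"ts": 7,  "id": 5145, "src": "192.168.0.28", "share": "\\\\*\\D$", "path": "docs\\README.txt",
     "access": {"WriteData"}},
    # the malware copies itself into Users\Public (binary name constructed)
    {"ts": 30, "id": 5145, "src": "192.168.0.28", "share": "\\\\*\\C$", "path": "Users\\Public\\payload.exe",
     "access": {"WriteData"}},
    # benign: a backup account reads a single file over the same share
    {"ts": 5,  "id": 4624, "src": "192.168.0.40", "user": "backup", "logon_type": 3, "auth": "Kerberos"},
    {"ts": 9,  "id": 5145, "src": "192.168.0.40", "share": "\\\\*\\D$", "path": "docs\\q1.docx",
     "access": {"ReadData"}},
]


def detect_remote_encryption(events, window=120, threshold=5):
    """Key on the share session (source address), not on the writing process:
    on the victim the I/O is done by System for the SMB server, so rules on
    the process image see nothing. Returns one alert per suspicious logon."""
    share_access = defaultdict(list)
    for e in events:
        if e["id"] == 5145:
            share_access[e["src"]].append(e)

    alerts = []
    for lg in (e for e in events if e["id"] == 4624 and e["logon_type"] == 3):
        written, binaries = set(), []
        for e in share_access.get(lg["src"], []):
            if not lg["ts"] <= e["ts"] <= lg["ts"] + window:
                continue
            if not e["share"].endswith("$"):            # admin shares only: C$, D$, ADMIN$
                continue
            if e["access"] & WRITE_ACCESS:
                written.add((e["share"], e["path"]))
                low = e["path"].lower()
                if low.startswith("users\\public\\") and low.endswith(".exe"):
                    binaries.append(e["path"])
        if len(written) >= threshold or binaries:
            alerts.append({"src": lg["src"], "user": lg["user"], "auth": lg["auth"],
                           "files_written": len(written), "dropped_binaries": binaries})
    return alerts


if __name__ == "__main__":
    for a in detect_remote_encryption(SAMPLE_EVENTS):
        print(a)
```

Auditing of "Detailed File Share" (which produces 5145) is off by default and is noisy on busy file servers; in practice the same logic can be fed from Sysmon file events, as long as the correlation key is the session's source address rather than the writing process.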

3. Persistence and worm-like spreading

Here it can be seen that the ransomware also copies itself over SMB into the target's C:\Users\Public\ directory.


Once the copy is in place, the next step is naturally to create a startup entry and launch the process. Monitoring with Process Monitor (ProcMon) showed that Ryuk creates a scheduled task on the remote victim machine with schtasks and, immediately after creating it, issues the Run command to start it. Through this the malware spreads itself, achieving both persistence and worm-like propagation.


The code implementing the scheduled-task creation logic was also located in IDA.
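The remote create-then-run sequence just described leaves a clear command-line trail on the attacking host. As an added example (not code from the original article or from Alibaba Cloud), the Python below parses schtasks.exe command lines and flags two things over constructed process-creation records in the style of Sysmon Event 1 or Security 4688: a task created on a remote host (/s) whose action lives in a user-writable drop directory, and a /run against the same host and task name shortly after its creation. The task name "updater", the binary name payload.exe, the account and password are constructed, since the page gives none of them; the drop-directory list generalizes slightly beyond Users\Public to other directories commonly abused in the same way.

```python
import shlex

# schtasks switches that take a value, and the action switches we care about.
VALUE_FLAGS = {"/s", "/u", "/p", "/tn", "/tr", "/sc", "/st", "/ru", "/rp", "/mo", "/d"}
ACTION_FLAGS = {"/create", "/run", "/delete", "/query", "/end", "/change"}

# Writable locations a remotely created task should not normally run from.
# Users\Public is the one observed in this article; the others are assumptions.
SUSPICIOUS_DIRS = ("c:\\users\\public\\", "c:\\programdata\\", "\\temp\\")

# Constructed records (image + command line, as Sysmon Event 1 / 4688 provide).
SAMPLE_PROCESS_EVENTS = [
    {"ts": 100, "image": "C:\\Windows\\System32\\schtasks.exe",
     "cmdline": 'schtasks /create /s 192.168.0.31 /u testuser /p Passw0rd /tn "updater" '
                '/tr "C:\\Users\\Public\\payload.exe" /sc once /st 00:00 /ru SYSTEM /f'},
    {"ts": 101, "image": "C:\\Windows\\System32\\schtasks.exe",
     "cmdline": 'schtasks /run /s 192.168.0.31 /u testuser /p Passw0rd /tn "updater"'},
    # benign: an admin listing tasks on a file server, and a local backup job
    {"ts": 200, "image": "C:\\Windows\\System32\\schtasks.exe",
     "cmdline": "schtasks /query /s fileserver01"},
    {"ts": 300, "image": "C:\\Windows\\System32\\schtasks.exe",
     "cmdline": 'schtasks /create /tn "NightlyBackup" /tr "C:\\Program Files\\Backup\\run.exe" '
                '/sc daily /st 02:00'},
]


def parse_schtasks(cmdline: str) -> dict:
    """Tokenise a schtasks.exe command line (Windows quoting kept, switches are
    case-insensitive) into {"action": ..., "s": host, "tn": name, "tr": cmd, ...}."""
    tokens = shlex.split(cmdline, posix=False)       # non-POSIX: backslashes untouched
    parsed = {"action": None}
    i = 1                                            # skip the executable token
    while i < len(tokens):
        tok = tokens[i].lower()
        if tok in ACTION_FLAGS:
            parsed["action"] = tok[1:]
        elif tok in VALUE_FLAGS and i + 1 < len(tokens):
            parsed[tok[1:]] = tokens[i + 1].strip('"')
            i += 1
        i += 1
    return parsed


def detect_remote_task_abuse(process_events, window=60):
    """Flag remote task creation from a drop directory, and the create-then-run
    pattern (same host and task name within `window` seconds)."""
    created = {}
    alerts = []
    for ev in sorted(process_events, key=lambda e: e["ts"]):
        if not ev["image"].lower().endswith("schtasks.exe"):
            continue
        p = parse_schtasks(ev["cmdline"])
        host = p.get("s")
        if host is None:
            continue                                 # local task management: out of scope
        key = (host.lower(), p.get("tn", "").lower())
        if p["action"] == "create":
            created[key] = {"ts": ev["ts"], "tr": p.get("tr", "")}
            if any(d in p.get("tr", "").lower() for d in SUSPICIOUS_DIRS):
                alerts.append({"type": "remote_task_from_drop_dir", "host": host,
                               "task": p.get("tn"), "tr": p.get("tr"), "ts": ev["ts"]})
        elif p["action"] == "run" and key in created:
            c = created[key]
            if ev["ts"] - c["ts"] <= window:
                alerts.append({"type": "remote_task_create_and_run", "host": host,
                               "task": p.get("tn"), "tr": c["tr"],
                               "delay_s": ev["ts"] - c["ts"]})
    return alerts


if __name__ == "__main__":
    for a in detect_remote_task_abuse(SAMPLE_PROCESS_EVENTS):
        print(a)
```

The parser deliberately keeps the /u and /p values so an analyst can see which account the worm is reusing; on the target side the same activity shows up as a type-3 logon followed by Task Scheduler operational events, which is a second place to corroborate the pattern.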


Conclusions

This Ryuk sample combines packing with encrypted resources, local ransomware encryption, lateral movement and remote encryption; technically it is fairly complete. Another interesting point is that the ransomware prints its ransom note on the printer, which can only be called brazen.

Ryuk is still evolving, and defenders need to keep tracking how the samples evolve and to develop new defense, detection and remediation measures accordingly.