
Ryuk Ransomware Overview

Ryuk ransomware has been infecting victims since around 2018 and is believed to be based on the source code of Hermes ransomware, which was sold on an underground hacking forum in 2017. Since its inception, Ryuk has been used to target large organizations. According to a federal investigation, Ryuk had accumulated $61.26 million in ransom payments as of February 2020.

One of the reasons for Ryuk’s unfortunate success is the threat actors’ ability to evolve their tactics, techniques and procedures (TTPs). Since the beginning of last year, the TrickBot infostealer has been a more or less constant partner in crime, and many campaigns have also involved other malware, frameworks and tools. A previously reported campaign used the EMPIRE post-exploitation framework, and in later campaigns that same year Cybereason observed Emotet downloading TrickBot, which in turn deployed Ryuk.

In March 2020, the threat actors temporarily stopped deploying Ryuk and introduced a new ransomware called Conti. Researchers found the codebases to be similar, suggesting Conti might be a successor to Ryuk. However, in September 2020 Ryuk made a comeback while Conti infections continued to occur, indicating that Conti is not a successor but another, separate piece of malware operated alongside it.

Shortly after Ryuk’s hiatus began, a new loader called BazarLoader was observed. There is now evidence that Ryuk, Conti and BazarLoader are all being used by the same threat actors.

Ryuk ransomware is most often seen as the final payload of large-scale targeted attacks against companies, and since its return in September 2020 it has been delivered primarily through BazarLoader or another loader.

Cybereason detects and stops Ryuk ransomware
Cybereason detects every phase of Ryuk execution in detail, including process injection, persistence creation and volume shadow copy deletion, as described in the “Execution Overview” section. With the appropriate settings applied to the sensors in the customer environment, Cybereason can stop Ryuk before it encrypts user files.

When anti-ransomware mode is enabled, Ryuk execution is stopped before the drive is encrypted. A ransom note can still be found in the folders the malware attempted to encrypt, but the user’s files remain intact. If anti-malware mode is enabled, the sample is removed before it ever executes.

Once the Ryuk binary is executed, the sample drops a copy of itself (the randomly named child process in the screenshot below, ltbyhrc.exe, is that copy) and runs it with the argument “8 LAN”. In this mode the malware uses the host’s ARP table to find other computers on the local network and sends Wake-on-LAN packets to them; when a target responds, it mounts the target’s C$ administrative share and proceeds to encrypt the remote drive.
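The lateral-movement behaviour just described leaves a distinctive network signature: a workstation that normally never sends Wake-on-LAN frames suddenly sends magic packets to several neighbours and then opens SMB (C$) sessions to those same hosts. The following added example, which is not Cybereason’s code or part of the original post, parses the standard WoL magic-packet format (six 0xFF bytes followed by the target MAC repeated 16 times) and correlates it with later SMB connections from the same source. The flow-record layout (`src`, `dst`, `dst_mac`, `port`, `payload`), the `detect_wol_then_smb` and `parse_wol_mac` names, and the sample flows are all constructed for illustration; a real sensor would need ARP visibility to supply `dst_mac`.

```python
from collections import defaultdict

WOL_PORTS = {7, 9}   # UDP ports conventionally used for Wake-on-LAN broadcasts
SMB_PORT = 445       # C$ is an SMB administrative share


def parse_wol_mac(payload: bytes):
    """Return the target MAC as 'aa:bb:cc:dd:ee:ff' if `payload` is a valid
    Wake-on-LAN magic packet, otherwise None.

    Magic packet format: 6 bytes of 0xFF, then the target MAC repeated 16
    times. An optional SecureOn password may follow and is ignored here."""
    if len(payload) < 102 or payload[:6] != b"\xff" * 6:
        return None
    mac = payload[6:12]
    if payload[6:102] != mac * 16:
        return None
    return ":".join(f"{b:02x}" for b in mac)


def detect_wol_then_smb(flows, min_targets=3):
    """`flows` is a chronologically ordered list of dicts with keys src, dst,
    dst_mac, port and payload (dst_mac is the MAC behind the destination IP,
    as a sensor with ARP visibility would record it).

    Returns {src_ip: [dst_ip, ...]} for every source that sent valid magic
    packets to at least `min_targets` distinct MACs and afterwards opened an
    SMB connection to a host whose MAC it had just tried to wake."""
    woken = defaultdict(set)          # src -> MACs it sent magic packets for
    smb_after_wol = defaultdict(set)  # src -> SMB destinations among those hosts
    for f in flows:
        if f["port"] in WOL_PORTS:
            mac = parse_wol_mac(f["payload"])
            if mac:
                woken[f["src"]].add(mac)
        elif f["port"] == SMB_PORT and f["dst_mac"] in woken.get(f["src"], ()):
            smb_after_wol[f["src"]].add(f["dst"])
    return {src: sorted(dsts) for src, dsts in smb_after_wol.items()
            if len(woken[src]) >= min_targets}


def magic_packet(mac_hex: str) -> bytes:
    """Build a magic packet for the given MAC (hex digits, no separators)."""
    mac = bytes.fromhex(mac_hex)
    return b"\xff" * 6 + mac * 16


def _flow(src, dst, dst_mac, port, payload=b""):
    return {"src": src, "dst": dst, "dst_mac": dst_mac, "port": port, "payload": payload}


BCAST = ("10.0.0.255", "ff:ff:ff:ff:ff:ff")

# Constructed flow records for illustration, not captured traffic.
SAMPLE_FLOWS = [
    # 10.0.0.5 wakes three neighbours from its ARP table, then hits C$ on one of them
    _flow("10.0.0.5", *BCAST, 9, magic_packet("001122334401")),
    _flow("10.0.0.5", *BCAST, 9, magic_packet("001122334402")),
    _flow("10.0.0.5", *BCAST, 9, magic_packet("001122334403")),
    _flow("10.0.0.5", *BCAST, 9, b"\xff" * 6 + b"not a magic packet"),  # ignored
    _flow("10.0.0.5", "10.0.0.12", "00:11:22:33:44:02", 445),
    # 10.0.0.7 talks SMB to the same server without any prior WoL activity
    _flow("10.0.0.7", "10.0.0.12", "00:11:22:33:44:02", 445),
    # 10.0.0.9 wakes a single host: below the threshold, so it is not reported
    _flow("10.0.0.9", *BCAST, 9, magic_packet("001122334403")),
    _flow("10.0.0.9", "10.0.0.13", "00:11:22:33:44:03", 445),
]

if __name__ == "__main__":
    print(detect_wol_then_smb(SAMPLE_FLOWS))  # {'10.0.0.5': ['10.0.0.12']}
```

The threshold exists because a single WoL packet is ordinary administrative behaviour; the suspicious pattern is one host waking many peers and then using the administrative share on them, which is exactly what the “8 LAN” mode does.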

Both the original binary and the dropped copy (ltbyhrc.exe) perform the same tasks: they attempt to stop the services “audioendpointbuilder”, “samss” and “sqlwriter”, then delete the volume shadow copies and establish persistence. Before encrypting, the malware also uses icacls.exe (the Windows utility for modifying access control lists) to grant itself full control over all files and folders on the C: and D: drives.
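The pre-encryption chain above (a randomly named copy launched with “8 LAN”, service stops, shadow-copy deletion and icacls granting full control on whole drives) is more reliable to detect as a set than any single command, since each step on its own also appears in legitimate administration. The following added example, not Cybereason’s code or part of the original post, classifies process-creation command lines into those stages and attributes them to the top-most logged ancestor so the copy and its helper processes count against the tree that spawned them. The `net stop` / `sc stop`, `vssadmin delete shadows` and `icacls … /grant …:F` syntaxes are assumed here as the usual ways these actions are carried out, not quoted from the sample; the event field names, process IDs and paths are constructed.

```python
import re
from collections import defaultdict

# Services this sample tries to stop (from the write-up above); a production
# rule would carry a longer list.
RYUK_SERVICES = {"audioendpointbuilder", "samss", "sqlwriter"}

# Patterns over the lower-cased command line. The service-stop and icacls forms
# are the usual net/sc/icacls syntax, assumed rather than quoted from the sample.
_SVC_STOP = re.compile(r'\b(?:net1?(?:\.exe)?|sc(?:\.exe)?)\s+stop\s+"?([\w.\-]+)')
_VSS_DELETE = re.compile(r'\bvssadmin(?:\.exe)?\s+delete\s+shadows\b')
_ICACLS_FULL = re.compile(r'\bicacls(?:\.exe)?\s+"?[a-z]:\\\*"?\s+/grant\s+\S+:f\b')
_LAN_MODE = re.compile(r'^"?[^"]+\.exe"?\s+8\s+lan\s*$')


def classify(cmdline: str):
    """Map one process command line to a Ryuk stage name, or None."""
    cl = cmdline.lower()
    m = _SVC_STOP.search(cl)
    if m and m.group(1) in RYUK_SERVICES:
        return "service_stop"
    if _VSS_DELETE.search(cl):
        return "shadow_copy_delete"
    if _ICACLS_FULL.search(cl):
        return "icacls_full_control"
    if _LAN_MODE.match(cl):
        return "lan_mode_child"
    return None


def attribute_to_root(events):
    """Group stage hits by the top-most logged ancestor of each process, so the
    randomly named copy and the net/vssadmin/icacls helpers it spawns all count
    against the original binary."""
    by_pid = {e["pid"]: e for e in events}

    def root(pid):
        seen = set()
        while pid not in seen and by_pid[pid]["ppid"] in by_pid:
            seen.add(pid)
            pid = by_pid[pid]["ppid"]
        return pid

    findings = defaultdict(set)
    for e in events:
        stage = classify(e["cmdline"])
        if stage:
            findings[root(e["pid"])].add(stage)
    return dict(findings)


def ryuk_verdict(events, threshold=3):
    """Return {root_pid: [stages]} for process trees showing at least
    `threshold` distinct stages of the chain."""
    return {pid: sorted(stages) for pid, stages in attribute_to_root(events).items()
            if len(stages) >= threshold}


# Constructed process-creation events (Sysmon Event ID 1 style fields), not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 4000, "ppid": 1200, "cmdline": r'"C:\Users\bob\Downloads\Ryuk.exe"'},
    {"pid": 4010, "ppid": 4000, "cmdline": r'"C:\Users\bob\Downloads\ltbyhrc.exe" 8 LAN'},
    {"pid": 4020, "ppid": 4000, "cmdline": "net stop samss /y"},
    {"pid": 4021, "ppid": 4020, "cmdline": r"C:\Windows\system32\net1 stop samss /y"},
    {"pid": 4030, "ppid": 4010, "cmdline": "vssadmin Delete Shadows /all /quiet"},
    {"pid": 4040, "ppid": 4010, "cmdline": r'icacls "C:\*" /grant Everyone:F /T /C /Q'},
    # Unrelated admin activity in another tree: stops a service not on the list
    {"pid": 5000, "ppid": 900, "cmdline": "cmd.exe"},
    {"pid": 5010, "ppid": 5000, "cmdline": "net stop spooler"},
]

if __name__ == "__main__":
    print(ryuk_verdict(SAMPLE_EVENTS))
    # {4000: ['icacls_full_control', 'lan_mode_child', 'service_stop', 'shadow_copy_delete']}
```

Attribution to the root of the tree matters because the copy is randomly named: matching on the image name alone would miss it, while the parent-child relationships survive renaming. The threshold keeps a lone `vssadmin delete shadows` from an administrator’s cleanup script from firing on its own.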

The original binary can also be seen injecting into other processes, which Cybereason flags as suspected floating (memory-only) executable code.

Successful execution encrypts the user’s files and appends the .RYK extension to each file name. To avoid rendering the system unusable, some files (such as .DLL and .EXE files) are not encrypted. Every folder Ryuk traverses receives a “RyukReadMe.html” file, which in this sample is very terse and contains only the malware’s name and an email address, without any further instructions. Perhaps the threat actors believe their reputation precedes them?