Ryuk

1. Introduction

This module provides an overview of Ryuk ransomware and demonstrates the malware being executed on a Windows host.

2. What is Ryuk

According to CrowdStrike's analysis, Ryuk ransomware, which was initially detected in August 2018, is derived from Hermes, as indicated by the many logic and code similarities between the two. The method of communicating with victims, two email addresses, one at ProtonMail and one at Tutanota, is also shared with Hermes, and Ryuk appends the HERMES keyword as metadata to the files it encrypts. Whereas Hermes is commodity ransomware acquired from forums, Ryuk targets enterprise environments and is operated exclusively by WIZARD SPIDER.

Hermes was advertised for sale on a Russian-speaking forum and did not run on hosts whose system language was set to Russian, Ukrainian, or Belarusian. Based on these findings (and others), many security researchers assess that WIZARD SPIDER is a cybercrime group of Russian-speaking individuals operating from Russia or a neighbouring country.

In 2020, Ryuk reemerged in a new wave of ransomware attacks. Universal Health Services (UHS) reported a Ryuk attack that disrupted its sites for weeks, and several other US hospitals and healthcare organizations reported similar attacks. In response, CISA, the FBI, and HHS issued the joint cybersecurity advisory AA20-302A on the threat to the US healthcare system.

In early 2021, a new Ryuk variant was discovered with worm-like capabilities that let the malware self-propagate to other devices on the local network.

Ryuk ransomware creates a ransom note named RyukReadMe.txt and drops it into every directory on the victim's devices. The note informs the user that all files on every host on the network have been encrypted, that backups have been deleted or encrypted, that shadow copies have been removed, and that no public decryption tool exists for this attack. It also warns against shutting down or restarting the system and against renaming, moving, or deleting any files, including the README files, because doing so may cause permanent data loss. Lastly, the note provides two contact email addresses, one at ProtonMail and one at Tutanota, and a Bitcoin wallet address to which the victim is expected to send the ransom payment.

In newer versions of the ransom note, the adversaries have removed the wallet address and instead instruct victims to contact them via the provided email addresses. To prove that they are able and willing to decrypt the data, they offer to decrypt two files from different hosts for free.

3. Typical Attack Vectors

Ryuk ransomware is typically loaded by other malware, such as TrickBot or BazarLoader, after the operators have already carried out extensive post-compromise activity in the victim's network. TrickBot is also attributed to WIZARD SPIDER, and TrickBot itself has been observed being loaded by Emotet. Other loaders may be used to deliver Ryuk, but the initial access technique is the same: mainly phishing or spear-phishing.

Exact procedures for initial compromise vary from loader to loader and version to version. Some arrive as weaponized Microsoft Office documents that download the loader when opened. Others appear as links to Google Drive documents that display an error message and ask the user to download the malicious file. More recently, attackers have also targeted exposed RDP services, launching large-scale password attacks against them to compromise user credentials and gain access.

After the initial compromise and the establishment of C2 communications, the malicious activity varies with the loader and the threat actors' motivation. TrickBot, for example, is capable of credential harvesting, mail exfiltration, crypto mining, point-of-sale data exfiltration, and ransomware deployment. These loaders can lie dormant for months before Ryuk is finally deployed.

An example of a typical Ryuk infection using TrickBot.

Ryuk ransomware generally consists of two stages. The first stage is the dropper, whose role is to write the ransomware executable to disk. The dropper first determines the operating system version and, depending on it, chooses C:\Documents and Settings\Default User\ or C:\Users\Public\ as the drop location. The executable's name consists of five randomly generated letters. Next, the dropper checks whether the OS is 32- or 64-bit and writes the matching executable to the chosen location. Finally, it runs the freshly written executable and passes its own path to it as a command-line argument.

In the second stage, the ransomware's first action is to delete the dropper, which makes it harder to recover and analyze the dropper after the incident.

4. Attacker TTPs

To hide its activity, Ryuk attempts to inject itself into every running process it can access. According to the analysis conducted by CrowdStrike, Ryuk first adjusts its token privileges to include SeDebugPrivilege and then calls CreateToolhelp32Snapshot to enumerate running processes.

Ryuk skips processes named csrss.exe, explorer.exe, and lsaas.exe (as the name is spelled in CrowdStrike's write-up; presumably intended to be lsass.exe), as well as any process running under the NT AUTHORITY\SYSTEM account, and attempts to inject into the rest. The assumption behind skipping NT AUTHORITY processes is that the remaining processes run as the current user, so Ryuk can open them with write access without needing higher privileges.

Ryuk injects itself with the classic VirtualAllocEx, WriteProcessMemory, and CreateRemoteThread sequence: it allocates memory in the target process with VirtualAllocEx, writes a copy of itself into that memory with WriteProcessMemory, and starts execution of the written payload with CreateRemoteThread.

According to Fortinet, Ryuk persists on the host by using cmd.exe to invoke reg.exe, which adds an autorun value named svchos under the current user's Run key:

cmd.exe /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "<Current Folder>\<executable name>" /f
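The dropper, injection and persistence behaviour described above gives a defender several concrete telemetry hooks. The following Python script is an added example, not code from the original module or from any of the cited analyses. It runs simple detection logic over constructed Sysmon-style events (dicts carrying the relevant Sysmon fields for Event ID 11 FileCreate, 1 ProcessCreate, 8 CreateRemoteThread and 13 RegistryEvent) and flags a five-letter executable written directly into C:\Users\Public\ or C:\Documents and Settings\Default User\, that executable being started with another executable's path as its argument, a remote thread created from it, and the svchos Run-key value being set. The event dicts, the five-letter regex and the command-line heuristics are assumptions made for the example.

```python
import re

# Locations the dropper writes the ransomware to (lower-cased for matching).
STAGING_DIRS = ("c:\\users\\public\\", "c:\\documents and settings\\default user\\")
# The dropped executable has a five-letter random name; the regex is our own assumption.
FIVE_LETTER_EXE = re.compile(r"^[a-z]{5}\.exe$", re.IGNORECASE)


def is_ryuk_staging_path(path: str) -> bool:
    """True for a five-letter .exe sitting directly in one of the dropper's staging folders."""
    p = path.lower()
    for d in STAGING_DIRS:
        if p.startswith(d):
            name = p[len(d):]
            return "\\" not in name and bool(FIVE_LETTER_EXE.match(name))
    return False


def _looks_like_dropper_handoff(command_line: str) -> bool:
    """Heuristic: the staged binary is started with another executable's path as its argument.
    Quotes are stripped and the line split on whitespace, so paths with spaces are not handled."""
    parts = command_line.replace('"', "").split()
    return len(parts) >= 2 and parts[-1].lower().endswith(".exe")


def _is_svchos_run_value(target_object: str) -> bool:
    """Sysmon reports HKCU as HKU\\<SID>\\..., so match on the Run subkey and value name only."""
    obj = target_object.lower()
    return "\\software\\microsoft\\windows\\currentversion\\run\\" in obj and obj.endswith("\\svchos")


def detect(events):
    """Return (finding_kind, detail) tuples for Ryuk-like behaviour in Sysmon-style events."""
    findings = []
    staged = set()  # images seen being written to a staging folder, used for correlation
    for ev in events:
        eid = ev["EventID"]
        if eid == 11:  # FileCreate
            target = ev["TargetFilename"]
            if is_ryuk_staging_path(target):
                staged.add(target.lower())
                findings.append(("dropper-staging", target))
        elif eid == 1:  # ProcessCreate
            image, cl = ev["Image"], ev["CommandLine"]
            if (image.lower() in staged or is_ryuk_staging_path(image)) and _looks_like_dropper_handoff(cl):
                findings.append(("dropper-handoff", cl))
            low = cl.lower()
            if "reg" in low and " add " in low and "currentversion\\run" in low and "svchos" in low:
                findings.append(("reg-add-persistence", cl))
        elif eid == 8:  # CreateRemoteThread
            src = ev["SourceImage"]
            if src.lower() in staged or is_ryuk_staging_path(src):
                findings.append(("remote-thread", f"{src} -> {ev['TargetImage']}"))
        elif eid == 13:  # RegistryEvent (value set)
            if _is_svchos_run_value(ev["TargetObject"]):
                findings.append(("run-key-persistence", ev["Details"]))
    return findings


# Constructed sample events, not real telemetry: an infection chain followed by two benign events.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Users\alice\AppData\Local\Temp\invoice.exe",
     "TargetFilename": r"C:\Users\Public\qWxzK.exe"},
    {"EventID": 1, "Image": r"C:\Users\Public\qWxzK.exe",
     "CommandLine": r'"C:\Users\Public\qWxzK.exe" C:\Users\alice\AppData\Local\Temp\invoice.exe'},
    {"EventID": 8, "SourceImage": r"C:\Users\Public\qWxzK.exe",
     "TargetImage": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Public\qWxzK.exe" /f'},
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos",
     "Details": r"C:\Users\Public\qWxzK.exe"},
    {"EventID": 11, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetFilename": r"C:\Users\Public\Desktop\Acrobat Reader.lnk"},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\WerFault.exe",
     "TargetImage": r"C:\Program Files\App\app.exe"},
]

if __name__ == "__main__":
    for kind, detail in detect(SAMPLE_EVENTS):
        print(f"{kind:22} {detail}")
```

Running detect(SAMPLE_EVENTS) yields five findings in event order (staging, hand-off, remote thread, reg add, Run-key value); the two trailing benign events, an installer writing a .lnk into a Public subfolder and WerFault creating a remote thread, produce nothing. In a real deployment the same logic would be a SIEM query over the corresponding Sysmon fields, and the CreateRemoteThread rule in particular needs tuning against legitimate debuggers and security tooling.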

Some variants also attempt to exploit known vulnerabilities for privilege escalation. These include:

  • CVE-2018-8453: a Windows elevation-of-privilege vulnerability in which the win32k.sys component fails to handle objects in memory properly. Successful exploitation lets the threat actor run arbitrary code in kernel mode.

  • CVE-2019-1069: another Windows elevation-of-privilege vulnerability, this one in the Task Scheduler, that allows a threat actor to run files with SYSTEM privileges.

5. Ransomware Execution Example

Connect to the windows06 machine via the RDP shortcut on the desktop.

Once connected to the windows06 desktop, you should see the file Ryuk.exe. Execute it and watch the ransomware propagate as the machine becomes infected and files are encrypted. Observe the changes to the file extensions after the Ryuk payload has run, and read the ransom note that is dropped onto the desktop.

After execution of the malware, all files on the desktop are encrypted:

We can also see a note explaining how to get in touch with the threat actor:

6. Encryption Method

Before encrypting, Ryuk enumerates files and checks each file's path, name, and extension to decide whether it should be encrypted. For example, files whose directory path contains any of the following strings are spared from encryption:

  • Chrome

  • Mozilla

  • Windows

  • Microsoft

  • AhnLab

Files with the following extensions are also spared from encryption:

  • .dll

  • .hrmlog

  • .exe

  • .ini

  • .lnk

To speed up encryption, Ryuk is multi-threaded and creates a new thread for each file it encrypts. Every file that is not excluded by the checks above is handed to a new thread. Each encryption thread generates a random 256-bit AES key, encrypts the file with it, and appends metadata to the end of the file. The metadata starts with the keyword HERMES, which the ransomware later uses to recognise files it has already encrypted. As the last step, the per-file AES key is encrypted with the adversaries' RSA public key and the result is appended to the file, so the AES key, and therefore the file, can only be recovered with the adversaries' RSA private key.
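The exclusion rules and the HERMES footer described above can be turned into a scoping tool for incident response. The following Python script is an added example, not code from the original module or from any cited analysis: it walks a directory tree, applies Ryuk's path-substring and extension exclusions to decide which files the ransomware would have left alone, and looks for the HERMES keyword in the tail of the remaining files, which is the same marker Ryuk itself uses to avoid re-encrypting a file. Assumptions made for the example: the substring match is case-sensitive and applied to the directory part of the path, the keyword is searched for only within the last 4096 bytes, the exact footer layout (which the page does not document) is not parsed, and the sample tree written to a temporary directory is constructed data.

```python
import tempfile
from pathlib import Path

# Exclusion rules as listed above: substrings are checked against the directory part of the
# path, extensions against the file name. Case-sensitive matching is our own assumption.
SKIP_PATH_SUBSTRINGS = ("Chrome", "Mozilla", "Windows", "Microsoft", "AhnLab")
SKIP_EXTENSIONS = {".dll", ".hrmlog", ".exe", ".ini", ".lnk"}

# Ryuk appends metadata beginning with this keyword to every encrypted file and uses it to
# recognise files it has already processed. Searching only the last TAIL_BYTES is our assumption;
# the footer layout beyond the keyword is not parsed here.
HERMES_MARKER = b"HERMES"
TAIL_BYTES = 4096


def ryuk_would_skip(path: str) -> bool:
    """True if Ryuk's path/extension checks would leave this file untouched."""
    p = Path(path)
    if any(s in str(p.parent) for s in SKIP_PATH_SUBSTRINGS):
        return True
    return p.suffix.lower() in SKIP_EXTENSIONS


def has_hermes_footer(data: bytes) -> bool:
    """True if the HERMES keyword appears in the tail of the file contents."""
    return HERMES_MARKER in data[-TAIL_BYTES:]


def classify(path: str, data: bytes) -> str:
    """'skipped' (never touched), 'encrypted' (marker present) or 'at_risk' (would be encrypted)."""
    if ryuk_would_skip(path):
        return "skipped"
    if has_hermes_footer(data):
        return "encrypted"
    return "at_risk"


def triage(root: str) -> dict:
    """Count files per category under root and list the ones carrying the HERMES footer.
    Paths are classified relative to root so the scan root's own location cannot trigger the
    substring rules; only the tail of each file is read."""
    counts = {"skipped": 0, "encrypted": 0, "at_risk": 0}
    encrypted = []
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        size = p.stat().st_size
        with p.open("rb") as fh:
            fh.seek(max(0, size - TAIL_BYTES))
            tail = fh.read()
        rel = p.relative_to(root).as_posix()
        kind = classify(rel, tail)
        counts[kind] += 1
        if kind == "encrypted":
            encrypted.append(rel)
    return {"counts": counts, "encrypted": sorted(encrypted)}


def build_sample_tree(root: str) -> None:
    """Constructed sample data: plain files, two with a HERMES footer, and files Ryuk skips."""
    samples = {
        "Users/alice/Documents/report.docx": b"plain document body",
        "Users/alice/Documents/budget.xlsx": b"ciphertext..." + HERMES_MARKER + b"\x00" * 300,
        "Users/alice/Pictures/cat.jpg": b"\xff\xd8\xff" + HERMES_MARKER + b"\x01" * 16,
        "Users/alice/AppData/Local/Google/Chrome/User Data/Cookies": b"SQLite format 3",
        "Windows/System32/drivers/etc/hosts": b"127.0.0.1 localhost",
        "Program Files/Vendor/app.exe": b"MZ...",
        "Program Files/Vendor/settings.ini": b"[general]",
        "Users/alice/Desktop/notes.txt": b"todo",
    }
    for rel, data in samples.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)


def demo() -> dict:
    """Build the sample tree in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return triage(root)


if __name__ == "__main__":
    print(demo())
```

demo() reports four skipped files (the Chrome cookie store, the hosts file, the .exe and the .ini), two encrypted files (the two carrying the footer) and two at risk. On a real host you would point triage() at the drive roots and treat the "at_risk" count as the upper bound of what a later run of the same sample could still damage.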

Ryuk ransomware tries to encrypt local, mapped, and network drives. The approach differs slightly for network drives, but the encryption process is the same. According to Fortinet's analysis, local and mapped drives are encrypted in six rounds; on each round Ryuk enumerates all drive letters from A to Z and encrypts those whose drive type matches that round.

The drive types handled in each round are as follows:

  1. Regular drives

  2. Removable drives, such as thumb drives

  3. Mapped network drives

  4. Drives with unknown types

  5. Drives with an invalid root path

  6. Ramdisk drives

Ryuk also tries to encrypt network shares that are not mapped on the infected machine. Earlier versions gathered IP addresses from the victim's ARP table and attempted to encrypt the shares of those hosts. According to Fortinet, later versions continuously enumerate the network with a ping scan, identify live hosts, and attempt to encrypt their shares. Shares on discovered hosts are encrypted in the same way as local and mapped drives, and Ryuk attempts this against both Windows and non-Windows machines.

In addition, Ryuk is usually loaded by other malware, such as TrickBot, BazarLoader, and Emotet, which propagates across the victim's network and infects as many devices as it can. Ryuk is then deployed to all infected machines, so the damage is usually widespread.

7. Security Questions

  1. What year was the Ryuk Ransomware initially detected?

  2. What is the name of the threat group that is believed to be behind the Ryuk ransomware attacks?

  3. Name one malware that is known to load Ryuk ransomware.

  4. Which registry key does Ryuk set to establish persistence?

  5. Name one of the processes that are skipped during Ryuk's injection step.

  6. What is the keyword at the beginning of the metadata that is added by Ryuk ransomware?

  7. Provide an example of a directory that is spared from encryption.

  8. Provide one of the email addresses used in the ransom note.

  9. What is the bitcoin address used by Ryuk?

8. Answers

  1. 2018

  2. WIZARD SPIDER

  3. TrickBot

  4. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

  5. csrss.exe

  6. HERMES

  7. C:\Windows

  8. WayneEvenson@protonmail.com

  9. 14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk
