RYUK RANSOMWARE — A Self-Spreader that’s Getting Smarter

#RSAC 2021

With more than 15 sessions at this year’s RSA Security Conference devoted to Zero Trust, you will not want to miss a demo of the industry’s first automated Ransomware Kill Switch™. Airgap is a proud sponsor of this year’s RSA Security Conference. Please contact Airgap to schedule a time to speak with Ritesh Agrawal, CEO and Co-Founder of Airgap, to learn more about this innovation, which will change the way companies protect their corporate assets under a Zero Trust approach. https://airgap.io/events/

Ryuk Ransomware

Ryuk ransomware has spelled destruction for organizations since its discovery in August 2018. At the end of 2020, Ryuk attackers carried out a series of attacks against various hospitals in the U.S.[1] Their success can be measured by the fact that the Ryuk ransomware gang has accumulated more than $150 million in Bitcoin ransom payments[2].

Building on that success, Ryuk operators have further developed the ransomware, adding new capabilities. According to the French national cybersecurity agency, Agence Nationale de la Sécurité des Systèmes d’Information (better known as ANSSI), its new variant, which self-replicates over the local network, can cause enormous damage[3]. The self-spreading capabilities were found to work only on Windows machines and rely on scheduled tasks.

Ryuk is an advanced ransomware threat that has been targeting businesses, hospitals, government establishments, and other organizations. The group behind it is known for using manual hacking methods and open-source tools to move laterally through private networks and gain administrative access to as many systems as possible before launching the file encryption.

Ryuk’s History and Success

Ryuk first emerged in August 2018 but is based on an older ransomware program called Hermes that was traded on underground cybercrime forums in 2017. The North Korean state-sponsored Lazarus Group used Hermes in an attack against the Taiwanese Far Eastern International Bank (FEIB) in October 2017, which led to reports that Hermes, and later Ryuk, were built by North Korean hackers.

Several security firms later disputed those claims, and Ryuk is now generally believed to be the work of a Russian-speaking cybercriminal group that gained access to Hermes, just as Lazarus did. The Ryuk gang is tracked by some security firms under names such as Wizard Spider and Grim Spider, and is the same group that runs TrickBot, a much older and still active credential-theft Trojan that has been linked to Ryuk[4]. Other researchers believe that Ryuk could be from the original Hermes author or authors, working under the handle CryptoTech, who stopped selling their ransomware publicly once they had an improved version[5].

The Ryuk attackers demand higher ransom payments from their victims than most other ransomware gangs. The ransom amounts associated with Ryuk typically range between 15 and 50 Bitcoins, or roughly between $100,000 and $500,000, although larger payments have reportedly been made[6]. Because the attackers go after companies with critical assets that are more likely to pay, a technique the security industry describes as “big game hunting,” the Ryuk gang is very effective at monetizing its campaigns.

In a presentation at the RSA Conference 2020, Joel DeCapua, a supervisory special agent with the FBI’s Global Operations and Targeting Unit, revealed that companies paid $144.35 million in bitcoin to ransomware groups between 2013 and 2019[7]. The data doesn’t cover ransom payments in cryptocurrencies other than BTC. Of that amount, $61.26 million was sent to the Ryuk gang, almost three times more than Crysis/Dharma, the second most successful ransomware gang on DeCapua’s list, obtained from victims in three years of operation.

Ryuk Distribution and Attack Chain

Ryuk is almost always distributed through TrickBot or follows an infection with that Trojan. Nonetheless, not all TrickBot infections lead to Ryuk. When they do, the deployment of Ryuk typically occurs weeks after TrickBot first shows up on a network. This is plausible because attackers use the data collected by TrickBot to identify networks that are potentially valuable Ryuk targets.

Target selection is followed by manual hacking operations involving network reconnaissance and lateral movement, aimed at compromising domain controllers and gaining access to as many systems as possible. This ensures that when Ryuk is deployed, the damage is fast and widespread across the network, which is more likely to force an organization’s hand than taking just a few of its endpoints hostage.

Microsoft classifies Ryuk as a human-operated ransomware attack, part of a broader trend of ransomware gangs adopting the targeted and clandestine techniques[8] that were previously associated mainly with advanced persistent threat (APT) groups[9]. This involves relying on open-source tools and existing system administration utilities to evade detection, a technique known as “living off the land.”

After a TrickBot infection and the identification of an interesting target, the Ryuk gang uses post-exploitation frameworks such as Cobalt Strike or PowerShell Empire that let them execute malicious actions on networks without triggering security alerts. PowerShell is a scripting language meant for system administration that uses the Windows Management Instrumentation (WMI) API and is enabled by default on Windows computers. Its powerful features and ubiquity have made it a favored tool for attackers to abuse.

The Ryuk attackers also use the open-source LaZagne tool to steal credentials stored on compromised computers and BloodHound, which allows penetration testers to investigate and reveal potentially exploitable relationships in Active Directory environments. The end goal of the Ryuk attackers is to identify domain controllers and gain administrative access to them, which then gives them control over the whole network.

Ryuk Ransomware’s New Capabilities

ANSSI stated that Ryuk’s new variant uses the Windows operating system’s scheduled tasks to spread itself over the local network. It enumerates all the IP addresses in the local ARP cache and sends a Wake-on-LAN (WOL) packet to each of the discovered devices. It then mounts all the shared resources found on each device and encrypts the content it finds there.

ANSSI’s study found that the legitimate schtasks.exe Windows tool is used to create scheduled tasks on each newly compromised network host.
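One way a defender can turn the behaviour described above into a detection: a single domain account creating scheduled tasks on many remote hosts in a short window is the signature of this kind of worm-like spread. The following is an added example, not code from the original post or from ANSSI; it runs over constructed process-creation events (Sysmon Event ID 1 style, reduced to the fields the check needs) and the field names, hostnames, account names and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

def ev(time, user, cmdline, image=r"C:\Windows\System32\schtasks.exe"):
    """Build one constructed process-creation event (sample data, not real telemetry)."""
    return {"time": time, "user": user, "image": image, "cmdline": cmdline}

# Constructed sample: one account fans out to three hosts in nine seconds,
# a second account creates one remote task and one local task.
SAMPLE_EVENTS = [
    ev("2021-03-01T09:00:05", "CORP\\svc-backup",
       r"schtasks.exe /Create /S 10.0.0.12 /RU SYSTEM /TN Update /TR C:\Users\Public\rep.exe /SC ONCE /ST 09:01"),
    ev("2021-03-01T09:00:09", "CORP\\svc-backup",
       r"schtasks.exe /Create /S 10.0.0.13 /RU SYSTEM /TN Update /TR C:\Users\Public\rep.exe /SC ONCE /ST 09:01"),
    ev("2021-03-01T09:00:14", "CORP\\svc-backup",
       r"schtasks.exe /Create /S 10.0.0.14 /RU SYSTEM /TN Update /TR C:\Users\Public\rep.exe /SC ONCE /ST 09:01"),
    ev("2021-03-01T09:30:00", "CORP\\jdoe",
       r"schtasks.exe /Create /S FILESRV01 /TN Backup /TR C:\Tools\bk.exe /SC DAILY"),
    ev("2021-03-01T09:31:00", "CORP\\jdoe",
       r"schtasks.exe /Create /TN LocalCleanup /TR C:\Tools\clean.exe /SC WEEKLY"),
]

# "/S <host>" selects the remote system; "/SC" and "/ST" must not match, hence the required whitespace.
TARGET_RE = re.compile(r"(?:^|\s)/s\s+(\S+)", re.IGNORECASE)
CREATE_RE = re.compile(r"(?:^|\s)/create(?:\s|$)", re.IGNORECASE)

def remote_task_target(event):
    """Return the remote host of a 'schtasks /Create /S <host>' invocation, or None otherwise."""
    if not event["image"].lower().endswith("\\schtasks.exe"):
        return None
    if not CREATE_RE.search(event["cmdline"]):
        return None
    match = TARGET_RE.search(event["cmdline"])
    return match.group(1).lower() if match else None

def detect_task_fanout(events, window_minutes=10, threshold=3):
    """Alert once per account that creates tasks on >= threshold distinct remote hosts within a sliding window."""
    per_user = defaultdict(list)
    for event in events:
        target = remote_task_target(event)
        if target:
            per_user[event["user"]].append((datetime.fromisoformat(event["time"]), target))
    alerts, window = [], timedelta(minutes=window_minutes)
    for user, hits in per_user.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            targets = {t for ts, t in hits[i:] if ts - start <= window}
            if len(targets) >= threshold:
                alerts.append({"user": user, "first_seen": start.isoformat(), "targets": sorted(targets)})
                break
    return alerts
```

Tune the window and threshold to the normal fan-out of your own administration tooling; a legitimate configuration-management account may need to be allow-listed rather than alerted on.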

Airgap Defense: Airgap’s Zero Trust Isolation technology blocks all unauthorized movement within the corporate environment, from either managed or unmanaged devices.

Officially, Ryuk does not follow the Ransomware as a Service (RaaS) model. However, several different attackers are involved in designing the multiple infection chains that lead to the deployment of Ryuk. Thus, having consistent remediation steps for every deployment arrangement is practically impossible. But for this new variant, ANSSI says that an infection can be contained by stopping its spread to other network hosts.

Airgap Defense: Airgap helps implement comprehensive Zero Trust in minutes without the need for agents, APIs, or forklift upgrades. The patent-pending Zero Trust Isolation platform protects against threat propagation.

Protecting against Ryuk

While companies can put specific technical controls in place to reduce the likelihood of Ryuk infections, protecting against human-operated ransomware attacks in general requires correcting some bad practices among IT staff and administrators.

As for avoiding infection, Ryuk ransomware is normally loaded by an initial “dropper” malware that serves as the tip of the spear. Depending on the attack, these may include Emotet, Qakbot, TrickBot, and Zloader, among others. From there, the attackers escalate privileges to set up for lateral movement[10].

An effective defense should thus include developing countermeasures to prevent that original foothold.

Once infected, things become more difficult. In the 2021 campaign observed by ANSSI researchers, the primary infection point is a privileged domain account, and the analysis shows that the worm-like spread of this version of Ryuk can’t be prevented by choking off this initial infection point.

The report notes that “A privileged account of the domain is used for malware propagation. If this user’s password is changed, the replication will continue as long as the Kerberos tickets [authentication keys] are not expired. If the user account is disabled, the issue will remain the same.”

On top of its self-propagation capabilities, this version of Ryuk also lacks any exclusion mechanism, meaning that nothing stops repeated infections of the same machine. This makes eradication more challenging.

Airgap Defense: Airgap prevents any lateral scanning attempt. Under Zero Trust, an intruder who breaches the perimeter controls, exploits a misconfiguration, or bribes an insider will still have extremely restricted access to sensitive data, and safety measures will be in place to identify and respond to suspicious data access before it becomes a threat.

“As the malware does not check if a machine has already been infected, no simple system object creation that could prevent infection,” according to the ANSSI report.

Is there an alternative? ANSSI suggested that one way to stop an active infection would be to change the password of, or disable, the privileged user’s account and force a domain-wide password change by resetting KRBTGT, the default Active Directory account that serves as the service account for the Key Distribution Center (KDC) service in Kerberos authentication.

“This would induce many disturbances on the domain — and most likely require many reboots — but would also quickly contain the propagation,” according to ANSSI[11].

That is of course not easy, and quite specific to this variant, whereas zero trust isolation techniques are more broadly applicable and cost-effective.

Airgap Defense: Airgap’s Zero Trust Isolation technology ensures that even if the first victim is infected, the ransomware cannot propagate further.

The ransomware threat is growing rapidly. While many security companies try to prevent ransomware from getting into your network, Airgap’s “Zero Trust Isolation Platform” protects your organization even if your perimeter is breached or if you have unpatched vulnerable servers inside your networks. Additionally, Airgap’s “Ransomware Kill Switch” is the most potent ransomware response available to the IT organization. Airgap can be deployed in minutes without any agents, forklift upgrades, or design changes. The company was founded by highly experienced cybersecurity experts and the solution is trusted by large enterprises and service providers. For more details, check out https://airgap.io

[1] https://cisomag.eccouncil.org/ryuk-ransomware-targeting-us-hospitals/

[2] https://cisomag.eccouncil.org/ryuk-ransomware-gang-made-more-than-150-mn-in-ransom/

[3] https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf

[4] https://www.csoonline.com/article/3403381/what-is-a-trojan-horse-how-this-tricky-malware-works.html

[5] https://www.virusbulletin.com/conference/vb2019/abstracts/shinigamis-revenge-long-tail-ryuk-malware

[6] https://www.secureworldexpo.com/industry-news/florida-city-pays-hacker-ransom

[7] https://published-prd.lanyonevents.com/published/rsaus20/sessionsFiles/17627/2020_USA20_SEM-M03H_01_Feds-Fighting-Ransomware-How-the-FBI-Investigates-and-How-You-Can-Help.pdf

[8] https://www.csoonline.com/article/3540291/android-security-patching-improves-but-fragmentation-challenges-remain.html

[9] https://www.csoonline.com/article/2615666/5-signs-youve-been-hit-with-an-apt.html

[10] https://threatpost.com/ryuk-ransomware-gang-zerologon-lightning-attack/160286/

[11] https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf