In today’s digital age, cyber threats are becoming increasingly sophisticated and dangerous. One such threat that has gained notoriety is the Ryuk ransomware. But what exactly is Ryuk ransomware and why is it causing so much havoc in the cybersecurity world?
Ransomware attacks have become a major concern for individuals and organizations alike. Ryuk ransomware, in particular, has emerged as one of the most impactful and lucrative ransomware strains in recent years. It has targeted various industries, including healthcare, finance, and government sectors, causing significant financial losses and disruption.
Understanding the workings of Ryuk ransomware is crucial in order to protect yourself and your organization from falling victim to this malicious malware.
In this article, we will delve into the intricacies of Ryuk ransomware, its origins, its devastating effects, and most importantly, how to prevent and mitigate the risks associated with it.
Ransomware is an increasingly common type of malware that malicious actors use to hold people’s systems and/or data hostage for payment. One example of ransomware is Ryuk, which has become a widely used ransomware strain for targeted attacks against larger organizations due to its ability to encrypt essential files together into one large ransom package. It is usually accompanied by a hefty ransom demand of hundreds of thousands of US dollars.
Regarding technical details regarding the Ryuk ransomware, its code utilizes cryptographic algorithms such as AES-256 and RSA-2048 to efficiently encrypt the victim’s data so that they would have no choice but to make the payment. Since many individuals and organizations often choose not to risk paying the ransom without rebuilding their networks from scratch, it adds credence to why victims should take preventive measures such as backing up all their data regularly in different locations while also keeping strong password policies and updating security patches in place to minimize potential damage from such infections.
Ryuk encrypts files on infected systems. It is human-operated, making it difficult for autonomous detection. The cyber attackers behind Ryuk interact in a way that appears normal. Ryuk uses a phishing campaign, sending malware through emails, links, and attachments. Victims can also unknowingly download malware while browsing or connecting to WiFi.
This article will delve into the inner workings of Ryuk ransomware, shedding light on its deployment methods, encryption techniques, and the evolving tactics employed by the cyber-criminal groups behind it.
Ryuk ransomware is known for its targeted approach and sophisticated methods of infection. This malicious software typically enters a network through spear phishing emails and compromised credentials for remote access.
Spear phishing emails are a common initial infection vector used by the threat actors behind Ryuk ransomware. These spam emails are carefully crafted to trick users into clicking on malicious links or attachments, which then execute the ransomware payload. Compromised credentials for remote access can also be leveraged to gain unauthorized entry into a network and deploy the ransomware.
This ransomware variant utilizes a combination of robust encryption algorithms, including AES-256 and RSA 4096, to encrypt the targeted files.
The AES-256 encryption algorithm, widely regarded as highly secure, ensures that the files are encrypted with a strong cipher. On the other hand, the RSA 4096 encryption algorithm is leveraged to encrypt the AES-256 key itself, adding an additional layer of security to the encryption process.
In an effort to maintain system stability and prevent critical system files from being encrypted, Ryuk follows exclusion rules. These rules exclude certain file types and folders from the encryption process. File types such as .dll, .exe, .sys, and .lnk are often skipped by Ryuk to avoid potential disruption to the operating system. By excluding these file types, Ryuk ensures that the core functionality of the infected system remains intact, thus enabling the ransomware to continue its malicious activities while leaving essential system files intact.
Ryuk also whitelists specific folder names, ensuring that files within these folders are not encrypted. These whitelisted folders often include system directories, such as Windows, Program Files, and Program Files (x86), as well as popular web browser directories. By sparing these specific folders from encryption, Ryuk minimizes the risk of system instability and allows the infected system to function to some extent, thus facilitating communication and ransom payment between the threat actors and the victims.
Payment for Ryuk ransomware is a critical step in the recovery process for organizations affected by this malicious software. The threat actors behind Ryuk typically demand hefty ransoms to decrypt the encrypted files and restore access to the victim’s network.
The variation in ransom demands can depend on various factors, including the size and value of the targeted company. Larger organizations with more critical assets and significant financial resources may be targeted with higher ransom amounts. This is because the threat actors are aware that these companies are likely to have a greater ability to pay a substantial ransom.
If your device has been infected with Ryuk ransomware, it’s crucial to take immediate action to remove the malware and protect your files. Follow these steps to remove Ryuk ransomware from your infected device:
Isolate the infected device: Disconnect it from any network drives, external hard drives, and cloud storage accounts. This will prevent the ransomware from spreading to other devices and networks.
Disconnect from the internet: Disable your device’s internet connection to prevent any further communication between the ransomware and its command-and-control servers.
Run an antivirus scan: Use reputable antivirus software to scan your device and detect the Ryuk ransomware. The antivirus program will identify and remove the malicious files associated with the ransomware.
Remove all traces of the ransomware: Once the antivirus scan is complete, manually delete any suspicious files or programs that may still be present on your device. Be cautious and ensure that you’re only deleting the ransomware-related files.
Seek professional assistance: If you’re unsure about the removal process or if the ransomware has caused significant damage, consider engaging experienced IT professionals. They can provide expert guidance and assistance in removing the Ryuk ransomware effectively.
Its technical analysis reveals several key features that make it a formidable threat. It employs a three-tier trust encryption model, which ensures that files are locked securely and remain inaccessible to the victim. This model involves encrypting the victim’s files with a unique encryption key, followed by encrypting the key itself with another encryption key.
Finally, the second key is encrypted using a public key, which only the attackers possess. This multilayered encryption makes it extremely difficult to reverse engineer, bypass, or decrypt the files without the attacker’s private key.
To maintain anonymity and evade detection, the attackers behind Ryuk ransomware utilize encrypted email services. They change the email addresses associated with each malware attack, making it challenging for law enforcement and cybersecurity researchers to track them down. This continuous adaptation and evasion tactics contribute to the longevity and success of Ryuk ransomware campaigns.
In this analysis, we will delve into the behavioral patterns exhibited by Ryuk ransomware, shedding light on its encryption methods, email address communication strategies, and adaptation techniques. Understanding the intricacies of Ryuk’s operations is essential in developing effective countermeasures and mitigating the impact of this persistent and evolving threat.
The Ryuk ransomware is executed through a malware dropper, which is responsible for carrying out the initial actions of the attack. The dropper identifies the target operating system of the victim’s device and then chooses the appropriate folder for dropping the Ryuk binary, the main ransomware executable.
The malware dropper performs various actions to ensure the successful execution of the ransomware. It checks for the presence of specific files or registry keys, which helps it determine if it has already infected the target system before. This helps in avoiding duplication and being detected by security measures.
To maintain persistence, the dropper creates a failsafe mechanism in case the file creation process fails. This mechanism enables the malware to restore itself if it is deleted or removed from the system as part of any cleanup process. This ensures that the Ryuk binary continues to operate even if it is initially unable to execute due to system or security restrictions.
The Ryuk binary itself is responsible for the encryption of files on the infected system and the creation of the ransom note, demanding a hefty sum of ransom to release the encrypted files. This ransomware is known for targeting critical systems and assets, encrypting various file types, and affecting network drives.
Persistence, privilege escalation, and process enumeration are important techniques employed by the Ryuk ransomware to ensure its effective operation on the infected system.
To achieve persistence, Ryuk modifies the Windows Registry by overwriting the “Run” registry key and setting a new value that points to the malware’s executable file. By doing so, Ryuk ensures that it is automatically launched every time the system starts, even after a reboot or shutdown. This enables the ransomware to continue its malicious activities without the user’s knowledge.
Privilege escalation is a crucial tactic employed by the Ryuk ransomware to gain higher levels of permissions and access critical system resources. Ryuk achieves privilege escalation by targeting the SeDebugPrivilege argument, which controls the debug privilege for a process in Windows.
To modify the SeDebugPrivilege argument, Ryuk utilizes the AdjustTokenPrivileges function, a Windows API that allows a process to adjust the privileges of its token. By calling this function, Ryuk gains the ability to enable or disable the debug privilege, essentially elevating its privileges within the system.
By obtaining elevated privileges through privilege escalation, Ryuk can bypass restrictions and access critical resources that would otherwise be restricted. This enables the ransomware to carry out its malicious activities, such as encrypting files and executing commands, with significant control and impact.
In addition to privilege escalation, Ryuk also employs other techniques to ensure its persistence on an infected system. One of these techniques involves modifying the Windows Registry’s “Run” key. By overwriting the existing value with its own, Ryuk ensures that it is automatically launched every time the system starts, even after reboots or shutdowns. This persistence allows Ryuk to continue its malicious activities covertly, making it more challenging to detect and remediate.
Process enumeration is an important phase in the operation of Ryuk ransomware, where it identifies and gathers information about running processes on an infected system.
During the process enumeration phase, Ryuk creates an array of structures that contain entries related to each process’s identity. These structures typically include information such as process IDs, handles, thread counts, and other context-specific details. Ryuk then assembles these structures into a list, which serves as a reference for subsequent code injection.
Ryuk focuses on injecting its malicious code into user-level processes by selective process enumeration, allowing it to perform actions such as file encryption and command execution without disrupting critical system processes. This methodology helps ensure that the ransomware can continue its activities with minimal detection and interference.
Code injection is a dangerous form of malware that allows malicious code to be introduced into a process’ memory.
This technique was first used by the Ryuk ransomware back in 2018. The way it works is by using a function called VirtualAllocEx() to target a predefined space within the process memory. It then uses another function called WriteProcessMemory () which enables it to write its own processes into that allocated space. To complete the malicious code injection, Ryuk then uses CreateRemoteThread () as an argument which will help create and execute a separate thread within the injected process.
Upon successful infiltration, affected machines may suffer from a slow-down of performance, data corruption, corruption of crucial system files, and other severe damages that could disrupt normal operations on that device.
Ryuk ransomware can kill and put to sleep up to 180 system and AV-related services, as well as up to 40 processes. This is done through the use of net stop and task kill /IM commands that attack predefined processes. Among those targeted by Ryuk, we find an increase in avalanche error computation over traditional methods, meaning Ryuk can easily sort out the soon-to-be-encrypted tiles. In doing this, it uses FindFirstFileW() and FindNextFileW(), two arguments imported from the kernel32 Dynamic-link library which makes this whole process efficient and fast.
Ryuk ransomware imports several functions from external libraries, such as the kernel32 Dynamic-Link library and NTDll.dll, in order to execute its malicious activities. It also imports a range of other library functions from various libraries used to load additional DLLs and code injection. By importing these functions, Ryuk can take advantage of its capabilities, potentially allowing it to be more effective in its operations.
Ryuk ransomware is capable of deleting backup files from an infected system. This can occur after the encryption process has been completed and is done in order to further hinder a user’s ability to recover their data. By removing backups, Ryuk ensures that any potential file recovery efforts are thwarted, leaving victims little to no hope of recovering their data.
In order to protect systems from a successful Ryuk attack, proper security measures need to be taken. One of the first steps for preventing Ryuk attacks is user awareness training.
Employees must be familiar with phishing techniques and have standard operating procedures in place for how they should handle suspicious documents or emails.
Access controls based on the principle of least privilege and enforced multi-factor authentication (MFA) for all network assets is also essential security measure against these threats. Intrusion detection and prevention (IDS/IPS) appliances should also be installed and maintained to date to detect any abnormal network behavior indicative of a potential attack scenario.
Advanced endpoint security products should also be deployed on all endpoints to see indicators of compromise (IOC), allowing advanced defensive action to block malicious files from running before any damage occurs. Regularly backing up to your cloud provider and having a disaster recovery plan makes retrieving your data easier in case of ransomware encryption.
Conclusion
Ryuk ransomware is a dangerous form of malware that can cause serious disruption to the operations of an affected system. Through techniques such as privilege escalation, process enumeration, code injection, and task-killing, Ryuk is able to carry out its malicious activities with a high degree of control and stealth. As such, it is essential for organizations to understand and defend against Ryuk in order to protect their systems and data from its damaging effects.
© Copyright ExterNetworks Inc. | All Rights Reserved.
