
Update to Ryuk Ransomware Variant Adds Network Worming Capability

French government researchers discovered an update to the Ryuk ransomware variant that includes worming capabilities, allowing it to spread automatically across victims' networks.

The notorious Ryuk ransomware variant has been spotted in the wild by CERT-FR, the French government’s cybersecurity agency, updated with worming capabilities that allow it to automatically proliferate across the network of its victims.

Ryuk was previously delivered via the TrickBot trojan, but the threat actors began to leverage the BazarBackdoor to gain access to targeted networks in September. BazarBackdoor is a stealthy malware downloader, which is also used by the group behind TrickBot.

The threat actors behind the variant continue to evolve the pervasive threat. Previous reports showed the hackers commonly wait until the preferred delivery mechanism is deployed onto the victim’s network before deploying the ransomware.

Ryuk is commonly delivered through malicious phishing emails, disguised as internal business communications, complete with relevant employee names or positions from within the targeted organization. The emails typically contain a link, most often a Google Docs page, but researchers have observed hackers using other file hosting services in these attacks.

Previous versions of the ransomware had no capacity for automatic lateral movement within a network. As a result, researchers explained, earlier campaigns relied on phishing emails and other entry points to gain access, and the attackers then spread across the network manually.

However, during an incident response earlier this year, the researchers discovered a Ryuk sample with added worm-like properties that allowed it to automatically spread within the infected networks.

Propagation is achieved by copying the executable to identified network shares. Ryuk then creates a scheduled task on the remote machine, which allows it to propagate itself, machine to machine, within the Windows domain.

Once launched, the ransomware spreads to every reachable machine that permits access through Windows RPC. After the variant recursively scans the disks and network shares within the infected network, the malicious payload is deployed into trusted processes.

Researchers added that Ryuk then begins to encrypt all files on the network, and that the variant gains persistence by setting a registry key with Ryuk's file path as its value.

“Ryuk consists of a dropper that drops one of the two versions of a data encryption module (32- or 64-bit) on the victim’s computer. The dropper then executes the payload,” researchers explained. “After a few minutes of inactivity, Ryuk seeks to stop more than 40 processes and 180 services, in particular those related to antivirus software, databases and backups.”

“It ensures its persistence through the creation of a registry key,” they continued. “Using a combination of the symmetric (AES) and asymmetric (RSA) encryption algorithms serves both to encrypt the files and to protect the encryption key, making it impossible for a third party to decrypt the data.”

Further, the latest Ryuk version appears to carry no exclusion mechanism, so it cannot prevent repeat infections of the same machines. The variant is also based on randomly chosen open source software, which is then recompiled and backdoored.

Notably, Ryuk does not encrypt some Windows, Mozilla, and Chrome files. The researchers explained that basic components and internet browsers are left intact in order for victims to read the ransom demand, purchase cryptocurrencies, and pay the hackers’ ransom.

In some circumstances, however, Ryuk does encrypt Windows base files. As a result, victim organizations may find it difficult or even impossible to reboot infected devices.

Ryuk does not have exfiltration capabilities or even a dedicated leak site. But researchers have previously noted a malware variant with similar code to Ryuk had been spotted extracting certain sensitive .doc files and “is thought to be programmed to avoid files relating to Ryuk.”

“Since October 2019, workstations on the local network that have been powered off can be switched on by Ryuk using a Wake-on-LAN feature allowing it to increase its attack surface,” researchers noted. “It then destroys all shadow copies on the system to prevent the users from restoring their system via vssadmin commands or by running a .bat file.”

“The Raccine tool available on GitHub can intercept the use of vssadmin, prevent the deletion of shadow copies and even, in some cases, block the chain of infection,” they added. “Raccine is a temporary solution only to be implemented as a last resort in the face of an imminent threat of encryption. Its use is not a substitute for the implementation of technical security measures and defence in depth.”
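The behaviours described above (copying the executable to shares and creating a scheduled task on the remote machine, persisting through a registry key, stopping dozens of services, and wiping shadow copies with vssadmin) each leave a footprint in ordinary process-creation telemetry. The following is an added, defender-side illustration written for this article; it is not code from CERT-FR, the article, or the Raccine project. It assumes process-creation records with a host, user, timestamp and full command line (the shape of Sysmon Event 1 or Security event 4688), assumes the persistence key is a CurrentVersion\Run entry (the article says only "a registry key"), and runs over a handful of constructed sample events, one benign host included, to show which events fire and which do not.

```python
"""Detection rules for the Ryuk behaviours described above, run over
constructed process-creation events. Added example, not CERT-FR's code."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import shlex


@dataclass(frozen=True)
class ProcEvent:
    ts: datetime      # process start time (UTC)
    host: str         # endpoint that ran the process
    user: str         # account context
    cmdline: str      # full command line as logged (assumed telemetry shape)


def _tokens(cmdline):
    """Lower-cased argv-style tokens; quotes stripped, Windows backslashes kept."""
    try:
        toks = shlex.split(cmdline, posix=False)
    except ValueError:            # unbalanced quotes: fall back to a plain split
        toks = cmdline.split()
    return [t.strip('"').lower() for t in toks]


def _prog(toks):
    """Base program name without path or .exe, e.g. 'vssadmin'."""
    if not toks:
        return ""
    name = toks[0].rsplit("\\", 1)[-1]
    return name[:-4] if name.endswith(".exe") else name


def shadow_copy_deletion(ev):
    """vssadmin delete shadows: the shadow-copy wipe quoted from CERT-FR."""
    t = _tokens(ev.cmdline)
    return _prog(t) == "vssadmin" and "delete" in t and "shadows" in t


def remote_task_creation(ev):
    """schtasks /Create aimed at another host (/S <host>); returns the target or None."""
    t = _tokens(ev.cmdline)
    if _prog(t) == "schtasks" and "/create" in t and "/s" in t:
        i = t.index("/s")
        return t[i + 1] if i + 1 < len(t) else "?"
    return None


def run_key_persistence(ev):
    """reg add against a ...\\CurrentVersion\\Run key (assumed persistence location)."""
    t = _tokens(ev.cmdline)
    return _prog(t) == "reg" and "add" in t and any("\\currentversion\\run" in x for x in t)


def _is_service_stop(t):
    p = _prog(t)
    return (p in ("net", "net1") and "stop" in t) or (p == "sc" and "stop" in t) or p == "taskkill"


def service_stop_bursts(events, window=timedelta(seconds=60), threshold=5):
    """Hosts issuing at least `threshold` stop/kill commands inside `window`.
    Returns {host: (first timestamp of the burst, count)}."""
    per_host = defaultdict(list)
    for ev in events:
        if _is_service_stop(_tokens(ev.cmdline)):
            per_host[ev.host].append(ev.ts)
    hits = {}
    for host, times in per_host.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            if j - i >= threshold:
                hits[host] = (times[i], j - i)
                break
    return hits


def detect(events):
    """Run every rule and return a list of findings (one dict each)."""
    findings = []
    for ev in events:
        if shadow_copy_deletion(ev):
            findings.append({"rule": "shadow_copy_deletion", "host": ev.host, "ts": ev.ts})
        target = remote_task_creation(ev)
        if target:
            findings.append({"rule": "remote_task_creation", "host": ev.host, "ts": ev.ts, "target": target})
        if run_key_persistence(ev):
            findings.append({"rule": "run_key_persistence", "host": ev.host, "ts": ev.ts})
    for host, (ts, n) in service_stop_bursts(events).items():
        findings.append({"rule": "service_stop_burst", "host": host, "ts": ts, "count": n})
    return findings


# Constructed sample telemetry (hostnames, paths and service names are made up).
T0 = datetime(2021, 3, 1, 2, 14, 0)


def _ev(offset_s, host, cmdline, user="CORP\\jdoe"):
    return ProcEvent(T0 + timedelta(seconds=offset_s), host, user, cmdline)


SAMPLE_EVENTS = [
    _ev(0, "WS-017", 'vssadmin.exe Delete Shadows /All /Quiet'),
    _ev(2, "WS-017", 'schtasks.exe /S WS-022 /Create /TN upd /TR "C:\\Users\\Public\\rep.exe" /SC ONCE /ST 02:16'),
    _ev(3, "WS-017", 'reg.exe ADD "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" /v upd /t REG_SZ /d C:\\Users\\Public\\rep.exe /f'),
    *[_ev(5 + k, "WS-017", f'net stop "{svc}" /y')
      for k, svc in enumerate(["MSSQLSERVER", "SQLWriter", "BackupSvc", "WinDefend", "MSExchangeIS"])],
    _ev(1800, "WS-003", 'schtasks.exe /Create /TN nightly /TR C:\\Tools\\backup.exe /SC DAILY /ST 23:00', user="CORP\\admin"),
    _ev(1810, "WS-003", "vssadmin.exe List Shadows", user="CORP\\admin"),
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f)
```

Only the infected workstation produces findings: the local scheduled task and the read-only `vssadmin list shadows` on WS-003 are left alone, while the remote `/S` task creation, the Run-key write, the shadow-copy wipe and the burst of service stops on WS-017 are each reported. The burst rule is the one worth tuning per environment, since patch windows and maintenance scripts also stop services; the other three are rare enough on workstations to alert on directly.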

Ryuk was one of the top five ransomware variants to impact the healthcare sector in 2020. In one of the largest instances, the ransomware took down all 400 US care sites of the Universal Healthcare Services for three weeks in September.

The security incident cost the health system at least $67 million in lost revenue and recovery costs.

Healthcare entities should review previous ransomware insights from NIST, Microsoft, and the Office for Civil Rights to ensure they've employed security measures effective for defending against these types of prolific threats.
