The Ryuk ransomware has long been both a thorn in the side of victims and an unmitigated success for its developers. In a sample of the malware discovered by the French National Agency for the Security of Information Systems (ANSSI), the offending ransomware has gone through yet another evolution to include worm-like capabilities that allow the malware to infect other devices across a network automatically.
In a white paper published by ANSSI details of the new variant have been illuminated upon. First observed in 2018, the code that forms the basis of the ransomware is believed to have been derived from the Hermes 2.1 ransomware. Since then Ryuk has struck several hospitals and healthcare providers, partnered with other cybercriminal organizations, and weathered numerous storms that threatened to sink operations.
To propagate to other machines, the ransomware copies the executable on identified network shares with a rep.exe or lan.exe suffix, after which it creates a scheduled task on the remote machine. Regarding the ability to spread laterally, researchers further stated,
“Through the use of scheduled tasks, the malware propagates itself - machine to machine - within the Windows domain. Once launched, it will thus spread itself on every reachable machine on which Windows RPC accesses are possible,”
Initially, the ransomware seemed to have no capability to spread laterally across networks automatically. Ryuk gave new meanings to the idea of human-operated ransomware, that being ransomware deployed in highly targeted and strikes and executed by a human operative when it was possible to cause the most damage. This required either the ransomware to be granted access via a first payload or via a backdoor created by TrickBot.
To spread laterally across the network, this would require input from a human operator. Once access is granted a dropper will deploy two versions of a data encryption module, one for 32-bit architecture and the other for 64-bit. After a period of inactivity, the malware will terminate some 40 processes and 180 services to stop security products from preventing encryption or programs that have files open so they can’t be encrypted. The show starts and Ryuk will encrypt files using a combination of symmetric (AES) and asymmetric (RSA) encryption algorithms. Unlike other ransomware variants like Sodinokibi and Maze, Ryuk is not known for stealing data and releasing it to the public via a dedicated leak site. However, researchers have noted that:
- In mid-2019, a stealer type of malware with code similarities to Ryuk was identified by Malware Hunter Team. This code is believed to be used to extract .docs and .xlsx files containing certain keywords from the financial, military, or legal lexical fields (“tank”, “defence”, “military”, “classified”, “federal”, “finance”, “IBAN”, “Swift”,etc.). It is thought to be programmed to avoid files relating to Ryuk, in other words, the RyukReadMe.txt ransom demand and files with the .RYK extension.
- According to the editor FireEye, attackers using Ryuk sometimes exfiltrate data from their victims by means other than the ransomware itself. However, this data is believed to be limited to internal reconnaissance data or data extracted from the Active Directory, allowing attackers to move laterally and escalate their privilege.
Emotet to TrickBot to BazarLoader
Over the years Ryuk has made use of both Emotet and TrickBot for its distribution method. In certain cases, Emotet would be the first malware payload, then TrickBot would follow, finally followed by Ryuk. TrickBot was the most egregious offender, however, due to efforts by big tech and law enforcement TrickBot’s capabilities have been severely crippled. The decline of TrickBot prompted Ryuk to find a new partner in crime. A partner was found in BazarLoader and in mid-September, the BazarLoader-Ryuk infection chain began to dominate the ransomware’s trackable activity. Researchers note,
“BazarLoader is generally distributed through phishing campaigns. Emails can be sent using the SendGrid marketing platform. They contain links to Google Docs pages of document previews, prompting the victim to download the file as the preview does not usually work. Recent campaigns identified by FireEye no longer use the SendGrid platform, but instead use the infrastructure of attackers or compromised email servers to send phishing emails containing links to documents. These documents sometimes include references to the entity for which the target works. The files concerned are executables signed with revoked certificates, hosted on legitimate web services (Google Drive, Basecamp, Slack, Trello, Yougile, JetBrains, cdn77, and others).
Once the IS is compromised, BazarLoader downloads from the C2 server2a payload (encrypted in XOR): BazarBack-door. The backdoor then downloads post-exploitation frameworks, most frequently Cobalt Strike, to enable latter-stages of the intrusion leveraging tools such as Anchor, PowerTrick3, BloodHound, PowerSploit, and AdFind. Reconnaissance data (in particular recoveredviaAdFind) is exfiltrated via FTP.”
The white paper published by ANNSI goes into great detail about other groups that may be linked or partnered with Ryuk. This has generated a lot of confusion in regards to saying for certain what Ryuk’s methods and tactics are for certain, this is certainly advantageous to the developers of Ryuk and may see imitation by other malware developers shortly. As to the major causes of this confusing state of affairs, there are three theories. The first involves a single Ryuk operator making the ransomware available to trusted partners. Trusted partners would then be able to distribute Ryuk via Wizard Spider’s distribution infrastructure believed to include TrickBot and BazarLoader or using their own resources if they don’t have access to the threat group’s infrastructure.
The second theory centers around the possibility that several malicious parties are using Ryuk independently, and that one or more of them are affiliated to TrickBot or at least a client of its distribution service or that of BazarLoader. The last theory involves a single operator behind Ryuk using multiple distribution services which could explain the differences in tactics used across several attacks.
Ryuk Operations worth 150 million USD
This inability to determine Ryuk’s modus operandi is one of the factors that have led to the ransomware's obvious success. This success can be illustrated by researchers estimating that the Ryuk enterprise is worth 150 million USD. According to figures published by The DFIR Report by the start of 2020 Ryuk’s value was estimated at over 60 million USD by the FBI. In the space of a year those behind Ryuk have doubled their earnings and in a likelihood the damage the ransomware strain has caused.
The new estimate was made by Brian Carter, principal researcher at HYAS, and Vitali Kremez, CEO, and chairman of Advanced Intelligence LLC, after they had a look into transactions for known Bitcoin addresses associated with Ryuk. Both individuals were able to trace 61 deposit addresses associated with the ransomware and discovered that the majority of the funds were sent to exchanges through intermediaries so that the cryptocurrency can be laundered and eventually used.
It was further discovered that the laundering operation is primarily using the Asian crypto-exchanges Huobi and Binance, although both require documents to exchange crypto-coins to fiat currency, and both claim to be willing to cooperate with law enforcement. Interestingly, Ryuk operators are sending “significant flows of crypto currency” to several small addresses that are believed to be “a crime service that exchanges the cryptocurrency for local currency or another digital currency.” The tracing of the extorted funds may help narrow down which of the three possible theories mentioned above best describe Ryuk’s modus operandi.
While several ransomware gangs have opted for early retirement Ryuk still seems to keep moving forward. It is suspected that this is because Ryuk is not a strict Ransomware-as-a-Service. Given that it does not use affiliates, only likely a few trusted partners, or a single operator hiring distribution services, it would be harder for law enforcement to bring down operations. As affiliates cannot be arrested revealing the inner workings of the operation. Ryuk may be a threat for years to come.