Ryuk has threatened institutions in a wide range of sectors since its initial detection in the second half of 2018. Ryuk ransomware victims have included at least 32 government entities, IT services company Sopra Steria, prominent international law firm Seyfarth Shaw, office furniture company Steelcase, and a range of healthcare organizations. Tracing Bitcoin transactions to known Ryuk addresses suggests that the threat actors may have earned over $150 million in ransom from this malware campaign. And the campaign is not over.
Why Ryuk Is So Destructive
Ryuk is stealthy, persistent, and relentless. This malware establishes persistence by creating a scheduled task that runs every 15 minutes, typically calling itself something innocuous-sounding like “autoupdate#12345”. Ryuk then attempts to hide its activity by using process injection techniques, allowing the malware to masquerade in the context of a legitimate process and access the memory, resources, and privileges available to that process. This allows it to stay on a machine longer, letting it spread, continue reconnaissance, and encrypt files.
Ryuk makes it practically impossible to recover files without either paying the ransom or having a safe off-network backup. The ransomware encrypts files with a combination of symmetric and asymmetric techniques, using an AES-256 key to encrypt the files and then encrypting that key with an RSA public key. The malware finds and deletes shadow copies of files in order to lessen the chance of recovery and increase the chance that targets will pay ransom.
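The two behaviours described above, the short-interval scheduled task and the shadow copy deletion, both leave traces in the Windows Security log: event 4698 records a newly created task together with its XML definition, and event 4688 records a process launch with its command line. The script below is an added example of detection logic over such records; it is not code from the original report. The event dicts and the task XML are constructed samples, the 15-minute threshold and the `vssadmin`/`wmic` command-line patterns are the author's heuristics (the commands themselves are the Windows built-ins that remove shadow copies, MITRE ATT&CK T1490), and the task name `autoupdate#12345` is taken from the text.

```python
"""Two Ryuk-style behaviours flagged from Windows Security event records:
(1) event 4698 (scheduled task created) whose trigger repeats on a short interval, and
(2) event 4688 (process created) whose command line deletes Volume Shadow Copies.
All events below are constructed samples, not real telemetry."""
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SHORT_INTERVAL_SECONDS = 15 * 60   # heuristic: tasks repeating this often or faster get flagged

# Built-in tooling that removes shadow copies (MITRE ATT&CK T1490, Inhibit System Recovery)
SHADOW_DELETE_PATTERNS = [
    re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
]


def iso_duration_seconds(value):
    """Convert an ISO 8601 duration as written in task XML (PT15M, PT1H30M, P1D) to seconds."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", value or "")
    if not m or not any(m.groups()):
        return None
    days, hours, minutes, seconds = (int(g) if g else 0 for g in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def task_repetition_seconds(task_xml):
    """Shortest Repetition/Interval across the task's triggers, or None if it never repeats."""
    root = ET.fromstring(task_xml)
    intervals = [iso_duration_seconds(el.text) for el in root.iterfind(".//t:Repetition/t:Interval", TASK_NS)]
    intervals = [i for i in intervals if i is not None]
    return min(intervals) if intervals else None


def analyze_event(event):
    """Return alert strings for one event dict (empty list when nothing matches)."""
    alerts = []
    if event["EventID"] == 4698:
        secs = task_repetition_seconds(event["TaskContent"])
        if secs is not None and secs <= SHORT_INTERVAL_SECONDS:
            alerts.append(f"short-interval scheduled task {event['TaskName']!r} repeats every "
                          f"{secs // 60} min (created by {event['SubjectUserName']})")
    elif event["EventID"] == 4688:
        if any(p.search(event["CommandLine"]) for p in SHADOW_DELETE_PATTERNS):
            alerts.append(f"shadow copy deletion via {event['NewProcessName']}: {event['CommandLine']!r}")
    return alerts


def analyze_events(events):
    return [alert for ev in events for alert in analyze_event(ev)]


def _task_xml(interval):
    """Constructed minimal task definition with one repeating time trigger."""
    return (
        '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
        f"<Triggers><TimeTrigger><Repetition><Interval>{interval}</Interval></Repetition>"
        "<StartBoundary>2021-01-01T00:00:00</StartBoundary><Enabled>true</Enabled></TimeTrigger></Triggers>"
        r"<Actions><Exec><Command>C:\Users\Public\update.exe</Command></Exec></Actions></Task>"
    )


SAMPLE_EVENTS = [  # constructed records
    {"EventID": 4698, "SubjectUserName": "SYSTEM", "TaskName": r"\Contoso\InventorySync",
     "TaskContent": _task_xml("PT1H")},                          # hourly repeat: not flagged
    {"EventID": 4698, "SubjectUserName": "j.doe", "TaskName": r"\autoupdate#12345",
     "TaskContent": _task_xml("PT15M")},                         # 15-minute repeat, innocuous name: flagged
    {"EventID": 4688, "SubjectUserName": "j.doe", "NewProcessName": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe List Shadows"},                # listing shadow copies is benign
    {"EventID": 4688, "SubjectUserName": "j.doe", "NewProcessName": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe Delete Shadows /All /Quiet"},  # deletion: flagged
]

if __name__ == "__main__":
    for alert in analyze_events(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

The interval check is deliberately name-agnostic: the task name varies between intrusions, while a task that re-fires every 15 minutes from a user-writable path is rare in a managed estate and is what gives the malware its persistence. Shadow copy deletion is a high-confidence signal on its own and should page rather than queue.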
How Ryuk Ransomware Works in 2021
Over the course of the campaign Ryuk has spread via multiple vectors, though in recent times there has been an increase in RDP compromise as the initial attack vector. The Ryuk actors have been detected launching large-scale brute-force and password-spraying attacks against hosts with exposed RDP services, and gaining a foothold on machines with weak passwords.
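Brute force and password spraying against exposed RDP show up as bursts of Windows event 4625 (failed logon) from one source address: many failures against one account in the first case, one or two failures against many accounts in the second. The following is an added detection example written for this article, not code from the original report. It assumes a SIEM export with one `key=value` record per line, uses RFC 5737 documentation addresses in constructed sample data, and the 10-minute window and the thresholds of 10 failures per account and 5 distinct accounts are the author's starting values, to be tuned against local baselines.

```python
"""Detect RDP brute-force and password-spraying from Windows 4625 (failed logon) records.
Input is one record per line as 'key=value' pairs, the way a SIEM export might look;
all lines below are constructed samples (RFC 5737 documentation addresses)."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Logon type 10 is RemoteInteractive; with Network Level Authentication enabled, a failed RDP
# credential check is recorded as type 3 (Network) before any session exists, so both count.
RDP_LOGON_TYPES = {"10", "3"}
WINDOW = timedelta(minutes=10)
BRUTE_FORCE_THRESHOLD = 10   # failures against one account from one source within WINDOW
SPRAY_THRESHOLD = 5          # distinct accounts failed from one source within WINDOW


def parse_line(line):
    """Turn 'time=... EventID=4625 LogonType=10 TargetUserName=... IpAddress=...' into a dict."""
    fields = dict(part.split("=", 1) for part in line.split())
    fields["time"] = datetime.fromisoformat(fields["time"])
    return fields


def detect_rdp_attacks(lines):
    """Return {(source_ip, kind): description} for sources exceeding either threshold."""
    failures = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev.get("EventID") == "4625" and ev.get("LogonType") in RDP_LOGON_TYPES:
            failures[ev["IpAddress"]].append(ev)

    findings = {}
    for ip, evs in failures.items():
        evs.sort(key=lambda e: e["time"])
        start = 0
        for end, ev in enumerate(evs):
            # slide the window's left edge forward until it spans at most WINDOW
            while ev["time"] - evs[start]["time"] > WINDOW:
                start += 1
            per_account = Counter(e["TargetUserName"].lower() for e in evs[start:end + 1])
            account, count = per_account.most_common(1)[0]
            if count >= BRUTE_FORCE_THRESHOLD:
                findings[(ip, "brute-force")] = f"{ip}: {count} failed RDP logons to {account!r} within {WINDOW}"
            if len(per_account) >= SPRAY_THRESHOLD:
                findings[(ip, "password-spray")] = (
                    f"{ip}: failures against {len(per_account)} distinct accounts within {WINDOW}")
    return findings


def constructed_log():
    base = datetime(2021, 3, 1, 2, 0, 0)
    lines = []
    # one source hammers a single account: 12 failures in under six minutes
    for i in range(12):
        lines.append(f"time={(base + timedelta(seconds=30 * i)).isoformat()} EventID=4625 "
                     f"LogonType=10 TargetUserName=Administrator IpAddress=203.0.113.10")
    # another source tries six different accounts once each: a spray
    for i, user in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"]):
        lines.append(f"time={(base + timedelta(seconds=30 * i)).isoformat()} EventID=4625 "
                     f"LogonType=3 TargetUserName={user} IpAddress=198.51.100.7")
    # benign noise: an employee mistypes a password twice
    for i in range(2):
        lines.append(f"time={(base + timedelta(minutes=5 * i)).isoformat()} EventID=4625 "
                     f"LogonType=10 TargetUserName=grace IpAddress=192.0.2.25")
    # a console (type 2) failure is not RDP and is ignored
    lines.append(f"time={base.isoformat()} EventID=4625 LogonType=2 TargetUserName=Administrator IpAddress=203.0.113.10")
    return lines


if __name__ == "__main__":
    for (ip, kind), text in sorted(detect_rdp_attacks(constructed_log()).items()):
        print(f"[{kind}] {text}")
```

Sprays are the case most often missed: per-account lockout thresholds never trip because each account sees only one or two failures, so the aggregation has to be by source address rather than by account. Keying on the source also makes the output directly actionable as a block-list entry at the RDP gateway.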
However, some of the earlier transmission avenues for Ryuk persist in the wild. Specifically, phishing continues to be an avenue for Ryuk spread. Phishing emails deliver TrickBot downloaders, which then install the Ryuk ransomware. A DNS tunneling module in TrickBot can disguise command-and-control traffic as benign DNS traffic. Though TrickBot was disrupted by a US government-led action in 2020, it was not completely disabled, and TrickBot is still an active attack vector for Ryuk. In September 2020, Ryuk began to use BazarLoader as well. Spread via infected Google documents, BazarLoader hides itself in legitimate Windows processes, moves across the network, and delivers Ryuk.
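DNS tunneling of the kind the TrickBot module performs hides command-and-control in queries that a resolver will happily answer, but the queries themselves look nothing like hostname lookups: one registered domain receives a stream of unique, long, high-entropy subdomains, because each query is carrying a payload chunk. The script below is an added example of that heuristic applied to resolver query logs; it is not code from the original report or from any TrickBot analysis. The log format (`timestamp client qname qtype`), the thresholds, the `.example` domains and the hex payload chunks are all constructed by the author, and the "last two labels" rule for the registered domain is a simplification that production code would replace with the Public Suffix List.

```python
"""Heuristic spotting of DNS tunneling in resolver query logs: a registered domain that receives
many unique, long, high-entropy subdomains is carrying data, not resolving hosts.
Log lines are 'timestamp client qname qtype' and are constructed samples."""
import hashlib
import math
from collections import Counter, defaultdict


def shannon_entropy(text):
    """Bits of entropy per character; random hex tops out near 4.0, English words sit well below."""
    if not text:
        return 0.0
    counts = Counter(text)
    total = len(text)
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def split_name(qname):
    """Split into (subdomain part, registered domain). Assumes the registered domain is the last
    two labels; production code should consult the Public Suffix List instead."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def detect_tunneling(lines, min_unique=20, min_avg_len=50, min_avg_entropy=3.5):
    """Return {registered_domain: [reasons]} for domains whose subdomain traffic looks like a covert channel."""
    subs_by_domain = defaultdict(set)
    for line in lines:
        _ts, _client, qname, _qtype = line.split()
        sub, domain = split_name(qname)
        if sub:                       # bare apex queries carry no payload
            subs_by_domain[domain].add(sub)

    findings = {}
    for domain, subs in subs_by_domain.items():
        avg_len = sum(len(s) for s in subs) / len(subs)
        avg_entropy = sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(subs)
        reasons = []
        if len(subs) >= min_unique:
            reasons.append(f"{len(subs)} unique subdomains")
        if avg_len >= min_avg_len:
            reasons.append(f"average subdomain length {avg_len:.0f}")
        if avg_entropy >= min_avg_entropy:
            reasons.append(f"average entropy {avg_entropy:.2f} bits/char")
        if reasons:
            findings[domain] = reasons
    return findings


def constructed_dns_log():
    lines = []
    # ordinary browsing: a few short, human-readable hostnames under one domain
    for host in ("www", "static", "img1", "api"):
        lines.append(f"2021-03-01T02:00:00 10.0.0.15 {host}.cdn.example A")
    # tunneled traffic: every query carries a unique hex-encoded chunk split across two labels
    for i in range(30):
        chunk = hashlib.sha256(f"payload-chunk-{i}".encode()).hexdigest()[:56]
        lines.append(f"2021-03-01T02:00:{i:02d} 10.0.0.15 {chunk[:28]}.{chunk[28:]}.sync-cdn.example TXT")
    return lines


if __name__ == "__main__":
    for domain, reasons in detect_tunneling(constructed_dns_log()).items():
        print(f"{domain}: {'; '.join(reasons)}")
```

Any one feature produces false positives on its own (content-delivery networks also generate long, hash-like labels), which is why the example reports every reason that fired and lets the analyst weigh them; a domain that trips all three within a short window from a single client is worth pulling the endpoint for. The same per-domain aggregation also gives the defender the list of names to sinkhole at the resolver.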
Once Ryuk threat actors make their way onto the network, they begin to gather information. They use popular network reconnaissance tools like Bloodhound, ADFind, and Cobalt Strike to blend in with legitimate administrative activity while mapping out the network and its services and extending their foothold.
Ryuk has also evolved how it spreads. Originally, Ryuk ransomware was unable to move laterally on its own, and required a dropper and then manual spreading. However, recent versions of Ryuk have shown the ability to spread within a Windows domain, via Remote Procedure Call (RPC) access. This evolution may be linked to the disruption of the Emotet botnet in January 2021, when a consortium of law enforcement agencies seized control. Earlier Ryuk attacks were dropped by the Emotet banking trojan as a payload, though the demise of Emotet has made other infection vectors necessary for its survival.
In addition to spreading to machines that are powered on, Ryuk also attempts to infect machines that are turned off but have wired connections to the network. It is easy to forget about Wake-on-LAN capabilities if they are not typically authorized or used, and Ryuk takes advantage of that. Recent strains of Ryuk have been observed using Wake-on-LAN to power on machines and then attempting to infect them.
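Wake-on-LAN is a simple, unauthenticated protocol, which is what makes it useful to the malware and also what makes it easy to audit: a magic packet is six bytes of 0xFF followed by the target MAC address repeated sixteen times, normally broadcast over UDP (port 7 or 9 by convention), optionally followed by a 4- or 6-byte SecureOn password. If only a known management system is supposed to wake machines, any magic packet from another host is a finding. The script below is an added example of that check over captured UDP payloads; it is not code from the original report. The packet records, the allow-list of senders and the addresses in it are constructed by the author.

```python
"""Audit captured UDP traffic for Wake-on-LAN magic packets from hosts not authorized to send them.
A magic packet is six 0xFF bytes followed by the target MAC repeated sixteen times, optionally
followed by a 4- or 6-byte SecureOn password; it is normally sent as a broadcast to UDP port 7 or 9.
All packet records below are constructed samples."""


def parse_magic_packet(payload):
    """Return the target MAC ('aa:bb:cc:dd:ee:ff') if payload is a well-formed magic packet, else None."""
    if len(payload) < 102 or payload[:6] != b"\xff" * 6:
        return None
    mac = payload[6:12]
    if payload[6:102] != mac * 16:               # all sixteen repetitions must match exactly
        return None
    trailer = payload[102:]
    if trailer and len(trailer) not in (4, 6):   # anything else is not a SecureOn password
        return None
    return ":".join(f"{b:02x}" for b in mac)


def build_magic_packet(mac, password=b""):
    """Assemble a magic packet for the constructed samples (the same format authorized wake-up tooling sends)."""
    return b"\xff" * 6 + bytes.fromhex(mac.replace(":", "")) * 16 + password


def audit_wol(packets, authorized_senders):
    """packets: iterable of (src_ip, dst_port, payload). Flags magic packets whose sender is not
    on the allow-list of systems permitted to wake machines (e.g. a patch-management server)."""
    findings = []
    for src_ip, dst_port, payload in packets:
        mac = parse_magic_packet(payload)
        if mac is not None and src_ip not in authorized_senders:
            findings.append(f"unauthorized Wake-on-LAN from {src_ip} (udp/{dst_port}) targeting {mac}")
    return findings


AUTHORIZED_WOL_SENDERS = {"10.0.0.5"}       # constructed: the management server
SAMPLE_PACKETS = [                           # constructed: (src_ip, dst_port, payload)
    ("10.0.0.5", 9, build_magic_packet("00:11:22:33:44:55")),                   # legitimate wake-up
    ("10.0.0.77", 9, build_magic_packet("00:11:22:33:44:66")),                  # workstation waking a peer: flagged
    ("10.0.0.77", 9, build_magic_packet("00:11:22:33:44:77", b"\x00" * 6)),     # with SecureOn password: flagged
    ("10.0.0.23", 53, b"\x12\x34\x01\x00\x00\x01" + b"\x00" * 30),              # unrelated UDP payload: ignored
    ("10.0.0.23", 9, b"\xff" * 6 + bytes.fromhex("001122334455") * 15),         # truncated: not a magic packet
]

if __name__ == "__main__":
    for finding in audit_wol(SAMPLE_PACKETS, AUTHORIZED_WOL_SENDERS):
        print("ALERT:", finding)
```

Because the parser demands all sixteen repetitions and tolerates only a valid-length trailer, it does not fire on the many UDP payloads that merely begin with a run of 0xFF bytes. The allow-list is the policy half of the control: the inventory of systems permitted to issue wake-ups is what turns a protocol observation into an alert, and an estate that has no legitimate wake-up use can simply block UDP 7 and 9 at the access layer.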
Ryuk has also adopted new ways to gain privileged access to machines on networks as it spreads. According to Advintel, new Ryuk ransomware TTPs to monitor for include:
- CVE-2018-8453: A Windows elevation of privilege vulnerability that allows a local user to execute code in kernel mode due to a data handling vulnerability in win32k.sys.
- CVE-2019-1069: A Windows privilege escalation vulnerability that takes advantage of high-level privileges available to Windows Task Scheduler.
Practical Advice for Resisting Ryuk
The best way to prevent Ryuk infection is to be proactive. Malware gangs are persistent, which means you need to be on guard and ready to resist them at every possible turn.
- Ensure that your enterprise has a strong patching program in place, and can test and apply critical operating system and software patches as soon as possible.
- Ensure that the security operations center is equipped with the visibility and knowledge necessary to detect this malware, including the latest Ryuk indicators of compromise. This includes both broad network telemetry as well as the processes to regularly monitor and update TTPs and IOCs for the malware.
- Train employees on security awareness. Though they may not be security professionals, they need to have frequent, digestible training about what phishing attempts look like, and what the stakes are for falling victim to such attacks.
Incident response capabilities also matter. In case an attack does succeed, preparation can help you minimize the repercussions of an attack and ensure there is as little interruption as possible. Your business should plan, implement, and practice incident response procedures, since a set of incident response processes on a sheet of paper means little unless your security team knows it can translate them into real response when ransomware strikes. It is also important to implement regular backups, including off-site and off-line copies of critical data. The more data is saved and out of the hands of ransomware actors, the less likely it will be that you have to make tough decisions about whether to pay a ransom.
Be Ready for Ryuk
No matter what industry your business is in, the time to take Ryuk ransomware seriously is now. Your best defense against this threat is knowledge: knowledge of how Ryuk operates, knowledge of how to detect it, and knowledge of how to defend against it.
For more information about Ryuk ransomware, including specific technical details, Mitre TTPs, indicators of compromise (IOCs), and detailed mitigation advice, download our full threat report entitled Update on Ryuk Ransomware Targeting Healthcare & Other Sectors.