Ryuk is one of the most prevalent ransomware variants in the threat landscape, with infections doubling from the second to the third quarter in 2019.
Ransomware infections continue to increase in tandem with overall impact and monetary demands.
Furthermore, Ryuk’s ability to delete shadow copies and backups makes Ryuk extremely costly and almost impossible to remediate.
For instance, Ryuk operators demanded nearly $600,000 from one government agency after successfully encrypting nearly all files on the network.
Ryuk uses encryption to block access to a system, device, or file until a ransom is paid. It is often dropped on a system by other malware (e.g., TrickBot) or delivered by cyber threat actors (CTAs) after gaining access to the system through compromising Remote Desktop Services.
Once on a system, CTAs deploy Ryuk through the network using PowerShell, PsExec, or Group Policy, with aim to infect as many systems as possible. The number of infected systems depends upon how the malware is deployed as well as the CTA’s access and privileges.
This may be a local subnet, the list of computers in active directory, or the entire organization depending on the variability and process specific nature of spreading the malware.
Once the malware is pushed out to the network, it targets backups and begins the encryption process.
Researchers have observed an increase in Emotet or TrickBot infections leading to a Ryuk infection.
For example, TrickBot disabled the organization’s endpoint antivirus application and spread throughout the network, infecting hundreds of endpoints and multiple servers.
Since TrickBot is a banking trojan, it likely harvested and exfiltrated financial and other sensitive information prior to deploying Ryuk.
Once Ryuk is deployed network-wide, the CTAs encrypted the organization’s data and backups, and left ransom notes on the machines.
Ryuk ransom notes once contained a message and a ransom amount, but have since evolved over time.
Throughout most of 2019, the ransom note did not list a ransom amount and only contained a message and email address. However, now Ryuk ransom notes are very simplistic, with no price or message, only containing an email address, the ransomware’s name, and the statement “balance of shadow universe.”
The CTAs demands payment via Bitcoin cryptocurrency and direct victims to deposit the ransom into specific Bitcoin wallets.
The ransom demand is typically between $100,000-$600,000, which as of 12/19/19 is 14-84 Bitcoins. Notably the ransom demand is determined by the organizations’ assessed ability to pay and the sensitivity of the data affected.
It is highly likely the CTAs account for characteristics like industry, solvency, subscription to cyber insurance, and network saturation when calculating ransom demands. Furthermore, the CTAs have been known to negotiate with victims and adjust the initial ransom amount.
Ryuk’s main infection method is to be dropped on a system by other malware. The file will have a five-letter random name that is usually generated by the srand1 and GetTickCount2 functions.
Persistence
Once executed, the main payload attempts to stop antivirus related processes and services. It uses a preconfigured list to kill more than 40 specific processes and 180 services with taskkill and net stop commands.
This preconfigured list includes antivirus processes, databases, backups, and document editing software. Additionally, the main payload establishes persistence in the registry and injects malicious payloads into several running processes.
To increase persistence, Ryuk makes changes to the registry allowing it to run the payload every time the user logs on.
Ryuk’s anti-recovery techniques are more extensive and sophisticated than most types of ransomware, making recovery almost impossible without restoring from clean external offline backups.
Ryuk’s process injection allows the malware to gain access to the volume shadow service and delete all shadow copies, including those used by third-party applications.
Encryption
Ryuk uses unbreakable RSA and AES encryption algorithms with three keys. The CTAs use a private global RSA key as their base encryption model. The second RSA key is delivered to the system via the main payload and is encrypted with the CTA’s private global RSA key.
Once the malware is ready for encryption, the final key is created in their three-key encryption model.
Ryuk scans the infected systems and encrypts almost every file, directory, drive, network share, and network resource.
Ryuk attempts to encrypt all mounted network drives. As long as the drives are not CD-ROM types, the files will be encrypted.
Finally, once the malware is finished with the encryption process, it will create the ransom note, “RyukReadMe.txt”, placing it in every folder on the system.