Ryuk Ransomware Updated With 'Worm-Like Capabilities'Prolific Ransomware Can 'Spread Automatically' Inside Networks, CERT-FR Warns
Prolific Ryuk ransomware has a new trick up its sleeve. The developers behind the notorious strain of crypto-locking malware have given their attack code the ability to spread itself between systems inside an infected network.
"A Ryuk sample with worm-like capabilities - allowing it to spread automatically within networks it infects - was discovered during an incident response handled by ANSSI in early 2021," according to a Ryuk report issued Thursday by CERT-FR, the French government's computer emergency readiness team that's part of the National Cybersecurity Agency of France, or ANSSI.
Specifically, the worm-like behavior is achieved "through the use of scheduled tasks," via which "the malware propagates itself - machine to machine - within the Windows domain," CERT-FR says. "Once launched, it will thus spread itself on every reachable machine on which Windows RPC accesses are possible." Remote procedure calls are a mechanism for Windows processes to communicate with one another.
Updating Ryuk with this capability is notable because it's a type of human-operated ransomware, meaning that after attackers gain remote access to a system, they manually conduct reconnaissance of the system, drop malicious executables and later trigger them. Imbuing the ransomware with worm-like capabilities, however, means that attackers appear to be trying to better automate their ability to rapidly disperse malware from an initial, infected system across an entire network, thus reducing the "intrusion to infection" time.
Whoever develops Ryuk has the ability to turn networking protocols to their advantage. In November 2019, cybersecurity firm CrowdStrike noted that Ryuk had been updated with the ability to scan address resolution protocol - aka ARP - tables on an infected system to obtain a list of known systems and their IP and MAC addresses.
For any detected systems that were part of a private IP address range, the malware was then programmed to use the Windows wake-on-LAN command, sending a packet to the device's MAC address, instructing it to wake up, after which the malware could remotely encrypt the drive.
Ryuk has been tied to unidentified Russian cybercrime actors by CrowdStrike, which calls the gang Wizard Spider, while cybersecurity firm FireEye refers to Ryuk as UNC1878, aka the One group. UNC stands for uncategorized, referring to attacks that involve multiple stages with different players.
The Ryuk operation is notable for the scale of both its attacks and profits. "First observed in August 2018, the Ryuk ransomware has since been used in big game hunting operations," CERT-FR reports.
Big game hunting refers to crime gangs that focus on larger targets. Many gangs have found that for scant additional effort, they can take down larger targets and earn much bigger payoffs.
The Ryuk gang had already distinguished itself for its propensity to attack the U.S. healthcare sector, with the gang primarily targeting organizations in the U.S. and Canada, CERT-FR notes. One of its most notable apparent takedowns was the hit against major U.S. hospital chain Universal Health Services in September 2020.
Ryuk attacks are also "characterized by the use of different infection chains and the extreme speed of the Bazar-Ryuk chain, as well as the absence of a dedicated leak site," CERT-FR says. That absence is notable, because numerous gangs now have leak sites where they can name and shame victims and leak stolen data to try to force victims to pay.
Where did Ryuk come from?
When Ryuk appeared in 2018, it was a variant of Hermes version 2.1 ransomware, a copy of which appeared to have been purchased for $300 from the cybercrime group CryptoTech, which claimed to have built Hermes.
Experts say it's unclear if CryptoTech, which disappeared, subsequently became Ryuk or if an entirely different group spun up.
CERT-FR notes that Ryuk does not appear to be sold on any cybercrime forums, and it's unclear if there's more than one group behind it, although some security experts believe that is the case.
"Most Ryuk ransomware is laid directly by a hacker that has accessed an unprotected RDP port, utilized email phishing to remote into a network via an employee’s computer, or utilized malicious attachments, downloads, application patch exploits or vulnerabilities to gain access to a network," ransomware incident response firm Coveware says.
If a system gets infected by Ryuk, the malware forcibly encrypts many types of files - typically adding a ".ryk" or ".rcrypted" extension - and then deletes the originals. The malware also targets shadow copies in Windows to complicate victims' attempts to restore deleted files.
Coveware reports that based on thousands of cases it investigated in Q4 2020, Ryuk was the third most prevalent type of ransomware, seen 9% of the time, following Sodinokibi - aka REvil - in first place, and Egregor, which appears to be the successor to Maze.
Ryuk being the third most commonly seen type of ransomware is significant considering it had previously gone quiet, especially in April, May and June of last year. But by Q4, the ransomware had remerged before again going quiet near the end of 2020, "leaving multiple victims without the option to recover their data," Coveware reported.
In January, two security researchers reported that they had been able to trace 61 bitcoin addresses used by Ryuk and its affiliates for handling ransomware payments from victims. Vitali Kremez, CEO of Advanced Intelligence, and Brian Carter, principal researcher at security firm HYAS, noted that ransom payments ranged from thousands to millions of dollars each, and many were handled by an intermediate broker.
By tracing bitcoin transactions for the known addresses attributable to Ryuk, the researchers concluded that the "criminal enterprise" appeared to have amassed "more than $150 million" in profit.
Some ransomware operations are based on the ransomware-as-a-service model, in which operators provide malicious executables to a number of affiliates and then share profits with those affiliates when a victim pays a ransom.
Experts say it's not clear if Ryuk uses that type of RaaS model. "Ryuk is operated by a number of threat actors, with different actors having a very unique negotiating style," says Brett Callow, a threat analyst at security firm Emsisoft. "Whether it's an affiliate operation is not clear."
Ryuk Often Distributed via MaaS Loaders
Whoever is behind Ryuk does make use of other malware-as-a-service offerings, for example, to get the ransomware onto victims' systems. Ryuk was also previously distributed as part of a trifecta involving the Emotet and TrickBot malware-as-a-service offerings, which would often drop the Bazar loader onto a system that would then install Ryuk (see: Law Enforcement Operation Disrupts Notorious Emotet Botnet).
Last October, security firm Sophos noted that a rising number of Ryuk infections were also tracing to attackers wielding the Buer loader, which is a malware-as-a-service tool designed to drop malicious executables on systems that first appeared in 2019 "as an alternative to Emotet and Trickbot’s Bazar" loader.
Many loaders get spread via phishing attacks, and infections that lead to Ryuk appear to be no exception.
Experts say there can be a lag between when Ryuk ends up infecting a system and when attackers remotely log on, conduct reconnaissance, enumerate the network and potentially launch a full-scale attack. Any organization that can detect post-intrusion signs of such activity, of course, has the opportunity to eject attackers before they can crypto-lock systems.
"Ryuk ransomware is often not observed until a period of time after the initial infection - ranging from days to months - which allows the actor time to carry out reconnaissance inside an infected network, identifying and targeting critical network systems and therefore maximizing the impact of the attack," the U.K.'s National Cyber Security Center noted in a June 2019 overview of Ryuk. "But it may also offer the potential to mitigate against a ransomware attack before it occurs, if the initial infection is detected and remedied."
In 2019, the NCSC reported that "Ryuk ransomware itself does not contain the ability to move laterally within a network," meaning that attackers would first conduct network reconnaissance, identify systems for exploitation and then run tools and scripts to spread the crypto-locking malware.
Based on incident reports, many - but not all - Ryuk attacks appear to have involved the use of PsExec, a Windows Sysinternals utility that provides telnet-like functionality and enables administrators to remotely execute processes on systems (see: Ransomware: Beware of 13 Tactics, Tools and Procedures).
Using PsExec helps attackers automate some aspects of ransomware distribution inside a network. "The attacker crafts a script that lists the collected targeted machines and incorporates them together with PsExec, a privileged domain account, and the ransomware," Sophos says in a report.
"This script successively copies and executes the ransomware onto peer machines. This takes less than an hour to complete, depending on the number of machines targeted. By the time the victim spots what’s going on, it is too late, as these attacks typically happen in the middle of the night when the IT staff is sleeping."
With CERT-FR warning that Ryuk now has worm-like capabilities, however, attackers apparently now have the ability to more quickly spread the malware inside a network.