[BreachExchange] Ryuk ransomware strikes at least four organizations in Canada

Destry Winant destry at riskbasedsecurity.com
Wed Oct 10 23:02:11 EDT 2018


A new strain of ransomware, first reported in August, is now being seen
in Canada, where it has hit at least four organizations.

“I’m starting to see a certain type of ransomware called Ryuk
targeting healthcare organizations,” Canadian cyber security lawyer
Imran Ahmad told IT World Canada on Tuesday. “Typically ransomware
locks up your system. This one actually exfiltrates data” as well.

Ahmad, a partner and national leader of the cybersecurity law practice
at Miller Thomson LLP, said his practice knows of four organizations
hit in the past month alone. He wouldn’t say how many of them had lost
data.

Typically the ransom demanded was around 40 to 50 Bitcoin, he said,
which at current value is roughly $340,000 to $420,000.

How each was infected isn’t clear yet.

In August the U.S. Department of Health and Human Services and Check
Point Software issued alerts on this particular strain of ransomware.

The way the attacks have been executed suggests the people behind Ryuk
research their targets well and probably infiltrate networks before
launching the ransomware, because they know where the valuable data is.
Check Point said that in the incidents it has seen, Ryuk is used only in targeted

To maintain persistence, Ryuk writes itself to the Windows Run registry
key. The ransomware kills more than 40 processes and stops more than
180 services from a predefined list of process and service names, most
of which belong to antivirus, database, backup and document editing

Some researchers have noted similarities between Ryuk and the
ransomware dubbed Hermes, first seen in the fall of 2017. That led
Check Point to believe that those behind Ryuk are either the operators
of the Hermes strain or someone who has obtained the Hermes source
code and reused its file-encryption code in Ryuk.

Protection tip

According to Check Point, it’s important to note that the malware
first attempts to write a dummy file to the Windows directory, which
is only permitted with administrator privileges. It then writes two
more files to a subfolder of the Windows directory: one contains an
RSA public key used for encryption, the other a hardcoded key. If the
creation of the first dummy file fails, the malware sleeps for a while
and retries the same write another five times. If it still fails after
those attempts, Ryuk simply terminates.

This matters because the payload cannot run without write access to
the Windows directory, which ordinary user accounts do not have. One
way to stop Ryuk is therefore to keep Windows administrative rights to
the few people who need them and to require complex passwords and
multi-factor authentication for those accounts.

Check Point said the Hermes strain is “commonly attributed” to the
North Korean threat actors dubbed the Lazarus Group.

The U.S. government report included the following recommendations for
infosec pros:

- Firewall off SMB (server message block) port 445 for internal
computers. If access to this service is required, it should be
permitted only for the IPs that need it. For example, port 445 is
required for SCOM to push an agent install, so 445 should be allowed
only from that source server;
- Application blacklisting should be implemented to prevent the use of
tools such as vssadmin.exe, cmd.exe, powershell.exe and similar;
- File Integrity Monitoring should be considered and configured to
monitor file creations in “trusted” locations such as the System32
directory. It can also be used to monitor deletes, with an alert
configured to fire on an excessive run of deletes;
- Windows Security Event logs should be monitored to capture Scheduled
Task creation events (Event ID 4698);
- Registry Auditing should be enabled and monitored to capture any additions to
- Excessive use of known administrative accounts should be alerted
on, specifically in a “one to many” behavioral configuration: is one
specific IP connecting to a large number of devices using the same
credentials in a short period of time?
- Ensure privileged accounts have a complex password that does not
include any part of the username or of the application it relates to.
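Two of those recommendations, the “one to many” credential-use alert and the Event ID 4698 scheduled-task watch, are detection logic rather than configuration, so here is a worked version of both over a handful of constructed Windows Security events. This is an added example, not code from the article, the HHS report or Check Point. The pipe-delimited log format, the hostnames, the account names, the task name and the alert window and threshold are all assumptions made for illustration; in a real deployment the same logic would run over 4624 and 4698 events pulled from the Security log (for example via Get-WinEvent or a SIEM export).

```python
"""One-to-many lateral-movement heuristic and scheduled-task creation alerts
over constructed Windows Security event records (sample data, not real logs)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records. Fields: timestamp|EventID|account|source IP|host|detail
# 4624 = successful logon (LogonType=3 is a network logon, i.e. SMB/RPC from
# another host); 4698 = scheduled task created. Names and task are hypothetical.
SAMPLE_LOG = """\
2018-10-09T22:01:03|4624|CORP\\svc_backup|10.0.0.15|FS01|LogonType=3
2018-10-09T22:01:09|4624|CORP\\svc_backup|10.0.0.15|FS02|LogonType=3
2018-10-09T22:01:15|4624|CORP\\svc_backup|10.0.0.15|DC01|LogonType=3
2018-10-09T22:01:40|4624|CORP\\svc_backup|10.0.0.15|HR-PC1|LogonType=3
2018-10-09T22:02:02|4624|CORP\\svc_backup|10.0.0.15|FIN-PC3|LogonType=3
2018-10-09T22:02:31|4624|CORP\\svc_backup|10.0.0.15|APP02|LogonType=3
2018-10-09T22:03:00|4698|CORP\\svc_backup|10.0.0.15|FS01|TaskName=\\WindowsUpdateSvc
2018-10-09T22:05:12|4624|CORP\\jdoe|10.0.0.20|FS01|LogonType=3
2018-10-09T22:06:48|4624|CORP\\jdoe|10.0.0.20|FS02|LogonType=3
2018-10-09T22:07:05|4624|CORP\\jdoe|10.0.0.20|WS-JDOE|LogonType=2
2018-10-09T23:30:00|4624|CORP\\svc_backup|10.0.0.15|FS03|LogonType=3
"""


def parse_log(text):
    """Turn the pipe-delimited sample format into a list of event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, event_id, account, src, host, detail = line.split("|")
        extra = dict(item.split("=", 1) for item in detail.split(";") if item)
        events.append({"time": datetime.fromisoformat(ts), "id": int(event_id),
                       "account": account, "src": src, "host": host, **extra})
    return events


def one_to_many(events, window=timedelta(minutes=5), threshold=5):
    """Flag (source IP, account) pairs that reach `threshold` or more distinct
    hosts by network logon inside any `window`. Returns {pair: max distinct hosts}.
    The window and threshold are assumptions; tune them to the environment."""
    by_pair = defaultdict(list)
    for e in events:
        if e["id"] == 4624 and e.get("LogonType") == "3":
            by_pair[(e["src"], e["account"])].append((e["time"], e["host"]))
    alerts = {}
    for pair, logons in by_pair.items():
        logons.sort()
        best = 0
        # Slide a window starting at each logon; count distinct hosts inside it.
        for i, (start, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - start <= window}
            best = max(best, len(hosts))
        if best >= threshold:
            alerts[pair] = best
    return alerts


def scheduled_task_creations(events):
    """Every 4698 event as (host, creating account, task name)."""
    return [(e["host"], e["account"], e.get("TaskName", "?"))
            for e in events if e["id"] == 4698]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for (src, account), count in one_to_many(evs).items():
        print(f"ALERT one-to-many: {account} from {src} reached {count} hosts")
    for host, account, task in scheduled_task_creations(evs):
        print(f"ALERT scheduled task {task} created on {host} by {account}")
```

In the sample, svc_backup fans out from one IP to six hosts in under two minutes and then creates a scheduled task on the first of them, which is the shape of the pre-ransomware staging the article describes; jdoe touches two file servers and an interactive (LogonType 2) logon, which stays below the threshold. Note that the "application blacklisting" item above, taken literally, blocks cmd.exe and powershell.exe for everyone and breaks routine administration; in practice it is scoped to standard users, which is also where the Ryuk admin-privilege requirement bites.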
