[BreachExchange] Ryuk Ransomware Likely Behind New Orleans Cyberattack

Destry Winant destry at riskbasedsecurity.com
Thu Dec 19 09:29:33 EST 2019


Based on files uploaded to the VirusTotal scanning service, the
ransomware attack on the City of New Orleans was likely done by the
Ryuk Ransomware threat actors.

On December 14th, 2019, one day after the City of New Orleans
ransomware attack, what appear to be memory dumps of suspicious
executables were uploaded from an IP address from the USA to the
VirusTotal scanning service.

One of these memory dumps, which contained numerous references to New
Orleans and Ryuk, was later found by Colin Cowie of Red Flare Security
and shared with BleepingComputer.com.

As memory dumps are a snapshot of the memory being used by an
application while it is running, it can be used to extract useful
strings, file names, commands, and other information that the
executable interacted with or executed. This allows memory dumps to be
used during cyber attack forensic investigations to learn more about
how the attack was conducted.

The memory dump found by Cowie is for an executable named
'yoletby.exe' and contains numerous references to the City of New
Orleans including domain names, domain controllers, internal IP
addresses, user names, file shares, and references to the Ryuk

The Ryuk ransomware strings included in the dump were the HERMES file
marker, file names ending with the .ryk extension, and references to
the created RyukReadMe.html ransom notes.

After investigating the file further, BleepingComputer found an
interesting reference to the C:\Temp\v2.exe executable that was
executed on the machine. It turns out that a memory dump for this file
was also uploaded to VirusTotal.

Of particular interest in the v2.exe memory dump is a string that
refers to the New Orleans City Hall.

After further digging around, BleepingComputer was able to find a
v2.exe executable, and after executing it, was able to confirm that it
was the Ryuk ransomware.

Files encrypted by Ryuk after executing v2.exe

While it is not known if this executable is the one used in the City
of New Orleans attack, it does show that this filename is used in Ryuk
attacks and the memory dumps show that a file of that name was used on
an attack against the City of New Orleans.

If the City of New Orleans was indeed encrypted by Ryuk, which by the
evidence seems likely, then this is just another victim of Ryuk who
has seen increased activity lately.

BleepingComputer has contacted the City of New Orleans for
confirmation that they were infected with Ryuk, but have not heard
back at this time.

Emotet and Trickbot likely present as well

If New Orleans was encrypted by Ryuk, there is also a very high chance
that the Emotet and TrickBot infections are present on the network as

Emotet is a malware infection that is commonly spread through spam
emails that contain malicious attachments. When opened and macros
enabled, these attachments will install the Emotet Trojan on the
victim's computer.

Emotet will then use that infected computer to spam other computers
with malicious attachments and also download further malware on the

One of the most common malware installed by Emotet is the TrickBot
information-stealing Trojan.

When executed, TrickBot will connect back to a command and control
server where it will receive commands to load various modules that
steal information from the computer or install even further malware.

After the TrickBot actors collect all valuable information and data
from the computer, it will then open a reverse shell back to the Ryuk

>From there, the Ryuk team will perform reconnaissance of the network,
collect admin passwords, take over domain controllers, and utilize
post-exploitation toolkits such as PowerShell Empire.

This is why all network admins need to realize that if they have been
encrypted by Ryuk, there has commonly been a malware presence on their
network for quite a while and that other data may have been stolen or

What does this mean for the City of New Orleans?

It means that in addition to the Ryuk Ransomware infection, they also
have to deal with the fact that attackers have been snooping around
their data for some time.

The city will need to be more diligent against targeted phishing
attacks, tighten security on their network, and change passwords.

Also, as it is unknown what financial information may have been
attained by the attackers, the City of New Orleans should contact
their banking partners and put new procedures in place regarding how
money is transferred.

More information about the BreachExchange mailing list