[BreachExchange] Ryuk Ransomware Updated With 'Worm-Like Capabilities'

[Destry Winant]

https://www.databreachtoday.com/ryuk-ransomware-updated-worm-like-capabilities-a-16080

Prolific Ryuk ransomware has a new trick up its sleeve. The developers
behind the notorious strain of crypto-locking malware have given their
attack code the ability to spread itself between systems inside an
infected network.

"A Ryuk sample with worm-like capabilities - allowing it to spread
automatically within networks it infects - was discovered during an
incident response handled by ANSSI in early 2021," according to a Ryuk
report issued Thursday by CERT-FR, the French government's computer
emergency readiness team that's part of the National Cybersecurity
Agency of France, or ANSSI.

Specifically, the worm-like behavior is achieved "through the use of
scheduled tasks," via which "the malware propagates itself - machine
to machine - within the Windows domain," CERT-FR says. "Once launched,
it will thus spread itself on every reachable machine on which Windows
RPC accesses are possible." Remote procedure calls are a mechanism for
Windows processes to communicate with one another.

Updating Ryuk with this capability is notable because it's a type of
human-operated ransomware, meaning that after attackers gain remote
access to a system, they manually conduct reconnaissance of the
system, drop malicious executables and later trigger them. Imbuing the
ransomware with worm-like capabilities, however, means that attackers
appear to be trying to better automate their ability to rapidly
disperse malware from an initial, infected system across an entire
network, thus reducing the "intrusion to infection" time.

Whoever develops Ryuk has the ability to turn networking protocols to
their advantage. In November 2019, cybersecurity firm CrowdStrike
noted that Ryuk had been updated with the ability to scan address
resolution protocol - aka ARP - tables on an infected system to obtain
a list of known systems and their IP and MAC addresses.

For any detected systems that were part of a private IP address range,
the malware was then programmed to use the Windows wake-on-LAN
command, sending a packet to the device's MAC address, instructing it
to wake up, after which the malware could remotely encrypt the drive.

Ryuk has been tied to unidentified Russian cybercrime actors by
CrowdStrike, which calls the gang Wizard Spider, while cybersecurity
firm FireEye refers to Ryuk as UNC1878, aka the One group. UNC stands
for uncategorized, referring to attacks that involve multiple stages
with different players.

Prolific Ransomware

The Ryuk operation is notable for the scale of both its attacks and
profits. "First observed in August 2018, the Ryuk ransomware has since
been used in big game hunting operations," CERT-FR reports.

Big game hunting refers to crime gangs that focus on larger targets.
Many gangs have found that for scant additional effort, they can take
down larger targets and earn much bigger payoffs.

The median size of organizations - in number of employees - hit by
ransomware has continued to increase because more gangs have pursued
larger, more lucrative targets. (Source: Coveware)

The Ryuk gang had already distinguished itself for its propensity to
attack the U.S. healthcare sector, with the gang primarily targeting
organizations in the U.S. and Canada, CERT-FR notes. One of its most
notable apparent takedowns was the hit against major U.S. hospital
chain Universal Health Services in September 2020.

Ryuk attacks are also "characterized by the use of different infection
chains and the extreme speed of the Bazar-Ryuk chain, as well as the
absence of a dedicated leak site," CERT-FR says. That absence is
notable, because numerous gangs now have leak sites where they can
name and shame victims and leak stolen data to try to force victims to
pay.

Origin Story

Where did Ryuk come from?

When Ryuk appeared in 2018, it was a variant of Hermes version 2.1
ransomware, a copy of which appeared to have been purchased for $300
from the cybercrime group CryptoTech, which claimed to have built
Hermes.

Experts say it's unclear if CryptoTech, which disappeared,
subsequently became Ryuk or if an entirely different group spun up.

CryptoTech advertisement for Hermes version 2.1 as seen in August 2017
on a dark web forum (Source: McAfee)

CERT-FR notes that Ryuk does not appear to be sold on any cybercrime
forums, and it's unclear if there's more than one group behind it,
although some security experts believe that is the case.

"Most Ryuk ransomware is laid directly by a hacker that has accessed
an unprotected RDP port, utilized email phishing to remote into a
network via an employee’s computer, or utilized malicious attachments,
downloads, application patch exploits or vulnerabilities to gain
access to a network," ransomware incident response firm Coveware says.

If a system gets infected by Ryuk, the malware forcibly encrypts many
types of files - typically adding a ".ryk" or ".rcrypted" extension -
and then deletes the originals. The malware also targets shadow copies
in Windows to complicate victims' attempts to restore deleted files.

Prolific Strain

Coveware reports that based on thousands of cases it investigated in
Q4 2020, Ryuk was the third most prevalent type of ransomware, seen 9%
of the time, following Sodinokibi - aka REvil - in first place, and
Egregor, which appears to be the successor to Maze.

Ryuk being the third most commonly seen type of ransomware is
significant considering it had previously gone quiet, especially in
April, May and June of last year. But by Q4, the ransomware had
remerged before again going quiet near the end of 2020, "leaving
multiple victims without the option to recover their data," Coveware
reported.

In January, two security researchers reported that they had been able
to trace 61 bitcoin addresses used by Ryuk and its affiliates for
handling ransomware payments from victims. Vitali Kremez, CEO of
Advanced Intelligence, and Brian Carter, principal researcher at
security firm HYAS, noted that ransom payments ranged from thousands
to millions of dollars each, and many were handled by an intermediate
broker.

By tracing bitcoin transactions for the known addresses attributable
to Ryuk, the researchers concluded that the "criminal enterprise"
appeared to have amassed "more than $150 million" in profit.

How the Ryuk gang collects and hides its ill-gotten ransom gains
(Source: Advanced Intelligence/HYAS)

Some ransomware operations are based on the ransomware-as-a-service
model, in which operators provide malicious executables to a number of
affiliates and then share profits with those affiliates when a victim
pays a ransom.

Experts say it's not clear if Ryuk uses that type of RaaS model. "Ryuk
is operated by a number of threat actors, with different actors having
a very unique negotiating style," says Brett Callow, a threat analyst
at security firm Emsisoft. "Whether it's an affiliate operation is not
clear."

Ryuk Often Distributed via MaaS Loaders

Whoever is behind Ryuk does make use of other malware-as-a-service
offerings, for example, to get the ransomware onto victims' systems.
Ryuk was also previously distributed as part of a trifecta involving
the Emotet and TrickBot malware-as-a-service offerings, which would
often drop the Bazar loader onto a system that would then install Ryuk
(see: Law Enforcement Operation Disrupts Notorious Emotet Botnet).

Last October, security firm Sophos noted that a rising number of Ryuk
infections were also tracing to attackers wielding the Buer loader,
which is a malware-as-a-service tool designed to drop malicious
executables on systems that first appeared in 2019 "as an alternative
to Emotet and Trickbot’s Bazar" loader.

Many loaders get spread via phishing attacks, and infections that lead
to Ryuk appear to be no exception.

Source: Coveware, Q4 2020

Human-Operated Ransomware

Experts say there can be a lag between when Ryuk ends up infecting a
system and when attackers remotely log on, conduct reconnaissance,
enumerate the network and potentially launch a full-scale attack. Any
organization that can detect post-intrusion signs of such activity, of
course, has the opportunity to eject attackers before they can
crypto-lock systems.

"Ryuk ransomware is often not observed until a period of time after
the initial infection - ranging from days to months - which allows the
actor time to carry out reconnaissance inside an infected network,
identifying and targeting critical network systems and therefore
maximizing the impact of the attack," the U.K.'s National Cyber
Security Center noted in a June 2019 overview of Ryuk. "But it may
also offer the potential to mitigate against a ransomware attack
before it occurs, if the initial infection is detected and remedied."

In 2019, the NCSC reported that "Ryuk ransomware itself does not
contain the ability to move laterally within a network," meaning that
attackers would first conduct network reconnaissance, identify systems
for exploitation and then run tools and scripts to spread the
crypto-locking malware.

Based on incident reports, many - but not all - Ryuk attacks appear to
have involved the use of PsExec, a Windows Sysinternals utility that
provides telnet-like functionality and enables administrators to
remotely execute processes on systems (see: Ransomware: Beware of 13
Tactics, Tools and Procedures).

Using PsExec helps attackers automate some aspects of ransomware
distribution inside a network. "The attacker crafts a script that
lists the collected targeted machines and incorporates them together
with PsExec, a privileged domain account, and the ransomware," Sophos
says in a report.

"This script successively copies and executes the ransomware onto peer
machines. This takes less than an hour to complete, depending on the
number of machines targeted. By the time the victim spots what’s going
on, it is too late, as these attacks typically happen in the middle of
the night when the IT staff is sleeping."

With CERT-FR warning that Ryuk now has worm-like capabilities,
however, attackers apparently now have the ability to more quickly
spread the malware inside a network.