Introduction
Ransomware is a form of malware that holds a victim's data to ransom. In crypto ransomware, the data is encrypted so it cannot be retrieved or accessed, and a ransom payment is then demanded in exchange for unlocking it.
How it works
Ryuk tries to encrypt all available files and hosts for which it finds Address Resolution Protocol (ARP) entries. The file extension .ryk is appended to each encrypted file, and a copy of the ransom note is written to every directory. Ryuk then deletes any existing shadow copies of the encrypted files. The Ryuk ransomware is known to run from the Temp folder under a random name and saves a ransom note titled RyukReadMe.txt on the user's desktop. The developers offer free decryption of two files to prove that decryption is achievable and to create the impression that they can be trusted.
Ryuk uses the RSA-2048 and AES-256 encryption algorithms and stores its keys inside the malware executable in Microsoft SIMPLEBLOB format. It is similar to HERMES, and both use the marker “HERMES” to check whether a file has already been encrypted.
How it is Distributed
Ryuk attacks companies that its operators select (targeted attacks). It is distributed either via spear-phishing emails or via Internet-exposed, poorly secured Remote Desktop Protocol (RDP) connections, and it is operated manually. This means the operators gather information about the targeted network, such as a network map and harvested credentials, before installing Ryuk; this data can be obtained from other malware infections already present on the targeted network, such as Emotet and TrickBot.
Emotet uses spam emails with attached Microsoft Office documents that contain malicious scripts to trick users into opening and running the attachment. Emotet then delivers additional malware across the network, such as TrickBot. Once TrickBot is installed and executed, it begins to steal credentials, which are used to move laterally in the network; TrickBot then drops the Ryuk ransomware.
Indicators of Compromise (IOC)
# | File Name | Size | MD5 | Detection Count
1 | file.exe | 359,936 | 465febfdacf37da8a7c4f1076110c3c8 | 1
2 | RyukReadMe.txt | | | N/A
A large increase in file renames will be visible as your data is encrypted. This can trigger a behavioral alert: it can be configured to send an alert if the number of renames exceeds a certain threshold, for example 4 or more renames per second.
https://community.riskiq.com/article/0bcefe76
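As an added illustration of the rename-rate alert described above (example code written for this page, not part of the original article), the following Python script counts RENAME events per second in a constructed audit log and raises an alert when any second reaches the 4-renames-per-second threshold; it also reports how many of those renames produced the .ryk extension. The log line format and file paths are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample of file-system audit events (not from a real incident).
# Assumed format per line: "<ISO timestamp> RENAME <old path> -> <new path>"
SAMPLE_EVENTS = """
2020-03-10T14:02:11.100 RENAME C:\\Data\\q1.xlsx -> C:\\Data\\q1.xlsx.ryk
2020-03-10T14:02:11.250 RENAME C:\\Data\\q2.xlsx -> C:\\Data\\q2.xlsx.ryk
2020-03-10T14:02:11.400 RENAME C:\\Data\\notes.docx -> C:\\Data\\notes.docx.ryk
2020-03-10T14:02:11.550 RENAME C:\\Data\\plan.pdf -> C:\\Data\\plan.pdf.ryk
2020-03-10T14:02:11.700 RENAME C:\\Data\\logo.png -> C:\\Data\\logo.png.ryk
2020-03-10T14:02:12.050 RENAME C:\\Data\\a.txt -> C:\\Data\\a.txt.ryk
2020-03-10T14:05:30.000 RENAME C:\\Users\\bob\\draft.docx -> C:\\Users\\bob\\final.docx
this line is malformed and must be skipped
"""

EVENT_RE = re.compile(r"^(\S+) RENAME (.+?) -> (.+)$")
RENAMES_PER_SECOND = 4     # threshold suggested in the text above
RANSOM_EXTENSION = ".ryk"  # extension Ryuk appends to encrypted files


def parse_events(text):
    """Yield (second, old_path, new_path) for each well-formed RENAME line."""
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue  # tolerate malformed lines instead of crashing the detector
        ts = datetime.fromisoformat(m.group(1))
        yield ts.replace(microsecond=0), m.group(2), m.group(3)


def detect_rename_bursts(text, threshold=RENAMES_PER_SECOND):
    """Return one alert dict per second in which renames reach the threshold."""
    renames = Counter()      # total renames per second
    ryk_renames = Counter()  # renames whose new name ends in .ryk
    for second, _old, new in parse_events(text):
        renames[second] += 1
        if new.lower().endswith(RANSOM_EXTENSION):
            ryk_renames[second] += 1
    return [
        {"second": s.isoformat(), "renames": renames[s], "ryk_renames": ryk_renames[s]}
        for s in sorted(renames) if renames[s] >= threshold
    ]


if __name__ == "__main__":
    for alert in detect_rename_bursts(SAMPLE_EVENTS):
        print(alert)
```

Only the second 14:02:11 (five renames, all to .ryk) crosses the threshold; the single later rename to final.docx does not, which keeps ordinary user activity from alerting.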
Removing Ryuk Ransomware
There are steps that must be taken when it is suspected that a system is infected with ransomware:
STEP 1. Isolate the infected device(s).
STEP 2. Re-image the infected device(s).
STEP 3. Restore clean copies of the files from backups.