Revisiting Ryuk: The Very Busy Ransomware Family

The world, right now, has a lot on its hand to deal with and ransomware operators aren’t making it any easier. Take the case of Ryuk ransomware; it has dominated the ransomware landscape for the fourth consecutive quarter. 

The big picture

Ryuk has witnessed a spectacular rise as it climbed up the ranks among the most notorious ransomware strains in the wild. This is not just because of its advanced capabilities, but also due to the innovative ways the operators use to infect targeted systems. Over the past few quarters, Ryuk has evolved tremendously by shifting its tactics. It has shifted from using commodity trojans to living-off-the-land tools. This helps it bypass security tools, evade detection, and have a longer timeframe to achieve its goals.

Most notable attacks by Ryuk

  • Ryuk has been incessantly targeting healthcare providers during the ongoing crisis. In March, it had targeted a U.S. healthcare provider and encrypted its systems overnight. This attack was disseminated via PsExec, a method constantly followed by the operators.
  • In the same month, the ransomware group had attacked 10 healthcare organizations. Two of them were individual hospitals and others were healthcare networks in the U.S.
  • The City of Durham, North Carolina, had to shut down its networks after getting hit by the ransomware. The exploit was contained within a weaponized MS Office document attached to the phishing email. The exploit initiates the download of Emotet, and ultimately facilitates the propagation of the ransomware.
  • EMCOR Group - a Fortune 500 company - was hit by Ryuk on February 15, 2020, and the infection was found to be present even three weeks after the incident. As per the company, only specific IT systems were affected and no sign of data breach was discovered.

What else?

  • Ryuk has been found to be extremely similar to another ransomware family - Hermes, with identical code segments. 
  • Ryuk used to work as a secondary payload through botnets - TrickBot and Emotet. While Emotet affects the endpoints, TrickBot downloads and drops the ransomware on the system. 
  • With Ryuk, there is no guarantee that the encrypted files can be recovered even after paying the ransom.  It was found that the ransomware handlers contain a bug that may prevent victims from recovering large affected files. 
  • Furthermore, attackers, more often than not, stay active on compromised networks through PowerShell Empire and other backdoors deployed on the systems.

Techniques used

  • A variety of techniques are used by the threat actors to steal credentials, including the LaZagne credential theft tool. 
  • After conducting initial reconnaissance, an open-source audit tool - BloodHound - is used to acquire detailed information about the Active Directory environment.
  • The operators leverage stolen domain admin credentials to distribute the payload. This is usually done via Group Policies, PsExec sessions, or setting a startup item in the SYSOL share. 

The bottom line is that Ryuk has achieved a high-level of personalization, along with careful strategies to make the attacks successful. Its recipe for success is reliant on choosing successful businesses that can pay the ransom. However, the challenges presented by Ryuk are not unique and can be overcome. Mitigating these types of attacks requires organizations to address the weaknesses in their infrastructure and resolve them at the earliest since time is of the essence.