Ryuk Ransomware – Now Uses Worming Self-Propagation!

Ryuk now has a new technique: self-replication via SMB shares and port scanning.

A new version of the Ryuk ransomware is capable of worm-like self-propagation within a local network, researchers have found.

The variant first emerged in Windows-focused campaigns earlier in 2021, according to the French National Agency for the Security of Information Systems (ANSSI).

Self-Replication

The agency said that it achieves self-replication by scanning for network shares, and then copying a unique version of the ransomware executable (with the file name rep.exe or lan.exe) to each of them as they are found.

“Ryuk looks for network shares on the victim IT infrastructure. To do so, some private IP ranges are scanned: 10.0.0.0/8; 172.16.0.0/16; and 192.168.0.0/16,” according to a recent ANSSI report. “Once launched, it will thus spread itself on every reachable machine on which Windows Remote Procedure Call accesses are possible.”

Address Resolution Protocol

The new version of Ryuk also reads through infected devices’ Address Resolution Protocol (ARP) tables, which store the IP and MAC addresses of the network devices the machine has communicated with. Then, according to ANSSI, it sends a “Wake-On-LAN” packet to each host in order to wake up powered-off computers.

“It generates every possible IP address on local networks and sends an ICMP ping to each of them,” according to ANSSI. “It lists the IP addresses of the local ARP cache and sends them a wake-up packet.”

Server Message Block

For each identified host, Ryuk will then attempt to mount any available network shares using SMB (Server Message Block), according to the report. SMB is the Windows protocol that allows files to be shared, opened, or edited on remote computers and servers.

Once all of the available network shares have been identified or created, the payload is installed on the new targets and executed via a scheduled task, allowing Ryuk to encrypt the targets’ content and delete any Volume Shadow Copies to prevent file recovery.

“The scheduled task is created through a call to the schtasks.exe system tool, a native-Windows tool,” ANSSI explained.
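As an added illustration, not code from the article or from ANSSI’s report, the following Python sketches defender-side detection of the three behaviours just described over a constructed event sample: one host pinging many private-range addresses, Wake-on-LAN magic packets on the usual ports, and rep.exe or lan.exe being written to remote SMB shares. The event schema (type, src, dst, dport, payload, share, filename) is an assumption made for the example.

```python
"""Detection heuristics for the propagation pattern described above: ICMP sweeps of private
ranges, Wake-on-LAN magic packets, and rep.exe/lan.exe dropped onto SMB shares. Constructed sample."""
import ipaddress

# RFC 1918 ranges (the ANSSI quote lists 172.16.0.0/16; the /12 block covers it).
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DROPPED_NAMES = {"rep.exe", "lan.exe"}  # worm executable names reported by ANSSI

def is_wol_magic(payload):
    """Target MAC if payload is a WoL magic packet (6 x 0xFF, then one MAC x 16), else None."""
    if len(payload) < 102 or payload[:6] != b"\xff" * 6:
        return None
    mac = payload[6:12]
    if payload[6:102] != mac * 16:
        return None
    return ":".join(f"{b:02x}" for b in mac)

def find_ping_sweeps(events, threshold=50):
    """Sources that ICMP-ping more than `threshold` distinct private-range hosts."""
    targets = {}
    for e in events:
        if e["type"] == "icmp_echo" and any(ipaddress.ip_address(e["dst"]) in n for n in PRIVATE):
            targets.setdefault(e["src"], set()).add(e["dst"])
    return {src: len(t) for src, t in targets.items() if len(t) > threshold}

def find_wol(events):
    """UDP datagrams on the usual WoL ports (7, 9) that carry a valid magic packet."""
    hits = []
    for e in events:
        if e["type"] == "udp" and e["dport"] in (7, 9):
            mac = is_wol_magic(e["payload"])
            if mac:
                hits.append((e["src"], mac))
    return hits

def find_payload_drops(events):
    """SMB writes of the worm executable names onto remote shares."""
    return [(e["src"], e["share"], e["filename"]) for e in events
            if e["type"] == "smb_write" and e["filename"].lower() in DROPPED_NAMES]

def analyze(events):
    return {"sweeps": find_ping_sweeps(events), "wol": find_wol(events), "drops": find_payload_drops(events)}

# Constructed sample (hypothetical hosts): 10.0.0.5 sweeps 10.0.0.0/24, wakes a peer and drops
# rep.exe; 10.0.0.7 sends a truncated (invalid) magic packet; 10.0.0.6 writes an ordinary document.
MAC = bytes.fromhex("001122334455")
SAMPLE = ([{"type": "icmp_echo", "src": "10.0.0.5", "dst": f"10.0.0.{i}"} for i in range(1, 255)]
          + [{"type": "udp", "src": "10.0.0.5", "dport": 9, "payload": b"\xff" * 6 + MAC * 16},
             {"type": "udp", "src": "10.0.0.7", "dport": 9, "payload": b"\xff" * 6 + MAC * 15},
             {"type": "smb_write", "src": "10.0.0.5", "share": r"\\10.0.0.9\ADMIN$", "filename": "rep.exe"},
             {"type": "smb_write", "src": "10.0.0.6", "share": r"\\10.0.0.9\data", "filename": "report.docx"}])
```

Running `analyze(SAMPLE)` flags only 10.0.0.5 on all three heuristics; in practice the sweep threshold and port list should be tuned to the environment’s normal monitoring traffic.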

Microsoft CryptoAPI

The files are encrypted using Microsoft CryptoAPI with the AES-256 algorithm, using a unique AES key generated for each file. Each AES key is in turn wrapped with an RSA public key embedded in the binary, according to the analysis.

The malware also terminates multiple programs based on hardcoded lists, including a list of 41 processes to be killed (task kill) and a list of 64 services to stop, ANSSI found.

Containing Ryuk Worm Infection

As for avoiding infection, Ryuk ransomware is usually loaded by an initial “dropper” malware that acts as the ‘tip of the spear’ in any attack; these include Emotet, TrickBot, Qakbot, Zloader and others. The attackers then try to escalate privileges in order to set up the attack.

An effective defence should therefore focus on countermeasures that prevent this initial foothold.

Once infected, things become complicated. In the 2021 campaign observed by ANSSI researchers, the initial infection point is a privileged domain account. The analysis shows that the worm-like spread of this version of Ryuk cannot be defeated simply by cutting off this first infection point.

Malware Propagation

“A privileged account of the domain is used for malware propagation,” according to the report. “If this user’s password is changed, the replication will continue as long as the Kerberos tickets [authentication keys] are not expired. If the user account is disabled, the issue will remain the same.”

In addition to the self-propagation, this version of Ryuk also lacks any ‘exclusion mechanisms’, meaning that nothing prevents the same machine from being infected over and over again, which makes ‘disinfection’ more difficult.

Previous versions of the malware used Mutual Exclusion Objects (mutexes) to make sure that only one Ryuk process ran on a host at a time.

KRBTGT

“As the malware does not check if a machine has already been infected, no simple system object creation could prevent infection,” states the ANSSI report.

One way to tackle an active infection, ANSSI recommended, would be to change the password or disable the account of the privileged user, and then force a domain-wide password change through KRBTGT.

The KRBTGT is a local default account found in Active Directory that acts as a service account for the Key Distribution Centre (KDC) service for Kerberos authentication.

“This would induce many disturbances on the domain and most likely require many reboots – but would also immediately contain the propagation,” according to ANSSI.

Ryuk: Multi-Headed Monster

The Ryuk ransomware was first observed in Aug. 2018 as a variant of the Hermes 2.1 ransomware. However, unlike Hermes, it is not sold on underground markets such as the Exploit forum.

“A doubt…remains as to the origins of Ryuk,” according to ANSSI’s report. “The appearance of Ryuk could…be a result of the acquisition of the Hermes 2.1 source code by another attacker group, which may have developed Ryuk from this starting point.”

Many Variants

Deloitte researchers have theorised that Ryuk is sold as a toolkit to attacker groups, which use it to develop their own “flavours” of the ransomware. There could therefore be as many variants as there are attacker groups that buy the code.

In early 2021, it was estimated that Ryuk operators had generated at least $150m, according to an examination of the malware’s money-laundering operations.
