How to Defend Against Ryuk Ransomware’s New Worm-Like Capabilities

Here’s a look at how the Ryuk ransomware has impacted organizations due to its newfound worm-like capabilities and how organizations can protect their networks from Ryuk attacks.

April 5, 2021

The threat potential of the Ryuk ransomware has heightened considerably since 2018. Cybercriminals accelerated the use of Ryuk and other ransomware variants during the pandemic, increasing the hardships faced by healthcare and other industries. In 2021, the business impact of Ryuk ransomware attacks has become even more significant given the ransomware’s newfound ability to spread across enterprise networks with ease.

Research from SonicWall has revealed that Ryuk is the third-most prevalent type of ransomware, accounting for a third of all ransomware attacks. First observed in August 2018, it was distributed on the underground forum exploit[dot]in for $300. Cybercriminals who purchased the ransomware received source code, which was then converted into binaries. As a result, many variants of Ryuk exist, reflecting changes made after purchase.

Originally relying on the Emotet botnet, attackers initially infected systems with a dropper that installed the Ryuk tools used to encrypt them. Files stored on targeted systems or networks are encrypted with AES, and the key used to encrypt the files is itself stored and protected with RSA asymmetric encryption.

Ryuk does not encrypt everything. According to ANSSI (the French government’s CERT), specific Windows, Firefox, and Chrome files are left unencrypted so that victims can still read the ransom messages. Some Ryuk variants will, however, encrypt Windows system files to prevent victims from booting infected machines.


According to SonicWall, as many as 67.3 million Ryuk ransomware attacks took place in Q3 2020, up from just 5,123 attacks in the corresponding quarter of 2019. In addition to the ransomware itself, the Ryuk family also includes tools that perform functions other than encrypting data. These capabilities are summarized in Figure 1:

Figure 1: capabilities of the Ryuk family (image not reproduced in the text)

Since the operators of Ryuk tend to focus on U.S. and Canadian healthcare organizations, the attacks put additional strain on those organizations amid the COVID-19 pandemic. This poses a real problem for healthcare IT at a time when healthcare organizations are devoting enormous resources to reacting to and handling growing patient care requirements.

How Ryuk Has Changed

Since 2018, Ryuk has relied on user intervention to propagate inside enterprise systems and networks. In other words, after infiltrating a system, it could not move to other devices quickly. However, ANSSI discovered this year that this has changed: a Ryuk variant can now spread across an enterprise network on its own.

When this variant is installed, it uses the infected system’s ARP cache to determine what other devices might be connected to the network. Matthew J. Schwartz, executive editor at ISMG, writes that after obtaining the ARP information, Ryuk uses Windows RPC to execute the wake-on-LAN command on the discovered MAC addresses, which allows Ryuk to spread to the target devices. The process appears to use PsExec, which requires RPC access and provides a Telnet-like capability, giving the attacker the ability to execute software on remote systems with administrator rights.

According to the ANSSI, Ryuk uses scheduled tasks to propagate “itself – machine to machine – within the Windows domain,” providing this variant with worm-like capabilities.
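The propagation pattern described above (PsExec-style remote execution and scheduled-task creation fanning out from one account to many hosts in a short time) is something a threat hunter can look for in Windows event data. The following is an added example, not code from the article, ANSSI or ISMG; the normalised record shape is an assumption (real collection via Sysmon, WEF or a SIEM names fields differently), and the events are constructed. It keys on System event 7045 (service installed, here the PSEXESVC service PsExec creates) and Security event 4698 (scheduled task created).

```python
"""Flag accounts that touch many distinct hosts with lateral-movement events
inside a sliding time window, the worm-like fan-out described in the article."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in an assumed, simplified normalised shape.
SAMPLE_EVENTS = [
    {"ts": "2021-03-01T02:00:05", "host": "WS-01", "event_id": 7045, "detail": "PSEXESVC", "account": "CORP\\jdoe"},
    {"ts": "2021-03-01T02:00:09", "host": "WS-01", "event_id": 4698, "detail": "\\Microsoft\\Windows\\update", "account": "CORP\\jdoe"},
    {"ts": "2021-03-01T02:01:12", "host": "WS-02", "event_id": 7045, "detail": "PSEXESVC", "account": "CORP\\jdoe"},
    {"ts": "2021-03-01T02:01:40", "host": "WS-03", "event_id": 4698, "detail": "\\Microsoft\\Windows\\update", "account": "CORP\\jdoe"},
    {"ts": "2021-03-01T02:02:03", "host": "FS-01", "event_id": 4698, "detail": "\\Microsoft\\Windows\\update", "account": "CORP\\jdoe"},
    {"ts": "2021-03-01T09:15:00", "host": "WS-09", "event_id": 4698, "detail": "\\Backup\\nightly", "account": "CORP\\backup-svc"},
]


def is_lateral_event(ev):
    """PsExec service install (7045 + PSEXESVC) or any scheduled-task creation (4698)."""
    return (ev["event_id"] == 7045 and ev["detail"].upper() == "PSEXESVC") or ev["event_id"] == 4698


def fan_out(events, window=timedelta(minutes=10), min_hosts=3):
    """Return {account: sorted hosts} for every account whose lateral events
    reached at least min_hosts distinct hosts within any window-sized span."""
    per_account = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):      # ISO timestamps sort as text
        if is_lateral_event(ev):
            per_account[ev["account"]].append((datetime.fromisoformat(ev["ts"]), ev["host"]))
    flagged = {}
    for account, hits in per_account.items():
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:  # slide the window forward
                start += 1
            hosts = {h for _, h in hits[start:end + 1]}
            if len(hosts) >= min_hosts:
                flagged[account] = sorted(set(flagged.get(account, [])) | hosts)
    return flagged


if __name__ == "__main__":
    for account, hosts in fan_out(SAMPLE_EVENTS).items():
        print(f"possible worm-like spread by {account}: {', '.join(hosts)}")
```

A legitimate admin or backup account will also create tasks on many machines, so tune the threshold and window to your environment and treat a hit as a lead for the threat hunter rather than a verdict.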


How to Detect a Ryuk Infection

There is often a lag between the infection and the moment Ryuk begins encrypting, because the attacker has to engage with the malware after it infects a system. This creates a small window during which threat hunters can detect it. Hunting for Ryuk includes examining individual systems and their traffic. Since most variants do not spread on their own, malware analysts cannot assume that it exists on multiple systems.

According to Malwarebytes, the following are some ways to determine whether a system suffers from a Ryuk ransomware infection:

  • Ryuk drops ransomware notes.
    • RyukReadMe.html
    • RyukReadMe.txt
  • After activation of the ransomware, encrypted files have the .ryk extension appended to their original extension, for example wordfile.docx.ryk.
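A quick way to check a host or a file share for the two indicators above is to walk the tree looking for ransom notes and for files that end in .ryk, and to tally which original extensions were hit. This is an added example, not code from the article or Malwarebytes; the sample tree is constructed in a temporary directory.

```python
"""Triage a directory tree for Ryuk ransom notes and .ryk-encrypted files."""
import os
import tempfile
from pathlib import Path

NOTE_NAMES = {"ryukreadme.html", "ryukreadme.txt"}   # names cited by Malwarebytes


def triage(root):
    """Walk root; return (sorted note paths, encrypted file count, original-extension tally).
    The tally keys on the extension that precedes .ryk, e.g. '.docx' for wordfile.docx.ryk,
    which tells responders what kind of data was encrypted."""
    notes, encrypted, original_ext = [], 0, {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            lower = name.lower()
            if lower in NOTE_NAMES:
                notes.append(os.path.join(dirpath, name))
            elif lower.endswith(".ryk"):
                encrypted += 1
                ext = Path(name[:-4]).suffix.lower() or "(none)"
                original_ext[ext] = original_ext.get(ext, 0) + 1
    return sorted(notes), encrypted, original_ext


def build_sample_tree(base):
    """Constructed sample layout imitating a hit share; empty placeholder files, not real data."""
    for rel in ("finance/q1.xlsx.ryk", "finance/RyukReadMe.html", "hr/wordfile.docx.ryk",
                "hr/photo.jpg.ryk", "hr/RyukReadMe.txt", "it/README.txt"):
        p = Path(base, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"")


def demo():
    """Build the sample tree, triage it, and return (note count, encrypted count, tally)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        notes, count, exts = triage(tmp)
        return len(notes), count, exts


if __name__ == "__main__":
    print(demo())   # (2, 3, {'.xlsx': 1, '.docx': 1, '.jpg': 1})
```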

In addition to these two symptoms, threat hunters should look for signs of command and control (C2) traffic. Once the malware is installed, attackers use C2 traffic to log in to it and initiate the infection process.


Preventing Ryuk and other Ransomware

Trying to locate and block Ryuk before it begins to spread is an arduous task for malware hunters. It is far easier to take steps to prevent ransomware from gaining a foothold in your enterprise network.

    • Segment the network: Network segmentation with good network segment policy enforcement helps prevent worms and worm-like malware like Ryuk from spreading. Placing database servers on different segments from user devices with strict segment traffic controls is especially helpful. Remember that allowing devices on the same segment to communicate with each other is a vulnerability that ransomware can exploit to propagate.
    • Use updated anti-malware: Once a Ryuk variant is identified, anti-malware solutions that specifically detect it should be quickly deployed to prevent infection.
    • Use appropriately configured host-based firewalls and IDS. This helps prevent systems from calling home and reaching out to other systems.
    • Use continuously updated network IPS to block known attacks or log anomalous behavior.
    • Control execution of macros.
    • Ensure all email and attachments are filtered and checked for known malware.
    • Control attachment extensions allowed for user delivery.
    • Keep good backups of all data necessary for running the organization. Traditional backup recommendations may not be enough in today’s ransomware environment. How far behind do you want to be if your databases are encrypted, and you have to restore them?
    • Train users about the dangers of phishing and how they can help.

Takeaway

Having always been a challenge to organizations, Ryuk is now even more dangerous because of its ability to propagate across enterprise networks. Cybercriminals have also taken advantage of the pandemic to pressure organizations into paying a hefty ransom. However, giving security teams the room to implement the prevention countermeasures listed above, many of which should already be in place, helps ensure the security of patient care information in these troubled times.

Do you think your organization’s security policies are strong enough to secure the network from a ransomware attack? Comment below or let us know on LinkedIn, Twitter, or Facebook. We’d love to hear from you!
