###### @rove4ever
-----
# ABOUT US
###### Cyber Threat Intelligence at Deloitte
- Argentina Team
- Conference Speakers
- Malware Analysis
- APT Hunting

GABRIELA NICOLAO
LUCIANO MARTINS
-----
##### ABOUT RANSOMWARE
-----
## TARGETED RANSOMWARE
- SamSam
- MegaCortex
- LockerGoga
- BitPaymer
- Ryuk
- Sodinokibi (REvil)
-----
## ABOUT RYUK
- August 2018.
- Targeted campaigns: newspapers, a restaurant chain, public institutions, a cloud service provider.
- Used along with other threats.
- Attributed to different threat actors.
- Sold in underground forums as a toolkit.
-----
## ABOUT RYUK
###### Source: https://s3.eu-west-1.amazonaws.com/ncsc-content/files/RYUK%20Advisory%20draft%20CP%20June%202019.pdf
-----
## TECHNICAL ASPECTS
1. Removes shadow copies and backups (T1490).
2. Some variants modify the Run registry key (T1060).
3. Some variants encrypt the boot manager (T1486).
4. Some variants claim to encrypt files using RSA4096+AES256 (T1486).
5. All variants add the string HERMES to encrypted files.
6. Ransom notes contain two e-mail addresses to contact the threat actors.
7. Some variants append RYK to encrypted files; some don't append any extension (T1042).
8. Contains a list of services and processes to stop/kill (T1489).
9. Avoids infecting systems in Russian, Ukrainian and Belarusian languages.
-----
### RYUK CHRONOLOGY
###### 2018
- August: DISCOVERY. On August 17, 2018, Ryuk was mentioned in a tweet.
- October: TARGETS. Ryuk infected a Canadian restaurant chain and a water and sewer authority in the US.
- December: UPDATE & TARGET. Removed BTC wallet. Tribune Publishing group and a cloud hosting provider in the US.
###### 2019
- January: ATTRIBUTION. From North Korea to GRIM SPIDER.
- March: TARGET. Jackson County email system compromised.
-----
###### TRIPLE THREAT: EMOTET + TRICKBOT + RYUK.
- April: FIN6 delivered LockerGoga and Ryuk.
- June: UPDATE & TARGET. IP blacklist feature. Bonfiglioli Riduttori, an Italian company, compromised.
- July: TARGET. LaPorte County pays $130,000 to recover from Ryuk attack.
### 4 MILLION USD
###### 2020
-----
## RANSOM BARGAIN
###### Source: https://www.zdnet.com/article/ransomware-gang-wanted-5-3-million-from-us-city-but-they-only-offered-400000/
-----
## RYUK AVERAGE PRICE
82 BTC (674,039 USD)
-----
## ONE WALLET, MULTIPLE CAMPAIGNS
###### 2019: March, April, May, June, July, August (START)
One ransom-note contact address (all on protonmail.com) per campaign, every campaign paying into the same wallet.
-----
#### WHO IS BEHIND RYUK?
-----
#### WHO IS BEHIND RYUK?
###### Source: https://kivuconsulting.com/wp-content/uploads/2019/03/Kivu-Threat-Intelligence-2.1.19-2.pdf
-----
#### WHO IS BEHIND RYUK?
###### HERMES / RYUK
-----
###### HERMES TIMELINE
-----
###### RYUK TIMELINE
-----
###### HERMES AND RYUK TIMELINE
-----
###### CONCLUSIONS
- Ryuk continues to be an active threat, as the threat actors using it keep releasing newer versions of this family. The version released in June 2019 has no significant changes in the ransomware infection code or the file encryption compared to the previous one: the core functionality remains unchanged, while features to avoid detection were added.
- The more victims pay, the more attacks there will be:
  - Ryuk infected machines of rural Jackson County, Georgia, in March 2019. It was stated that the county paid $400,000.
  - In June 2019, Ryuk obtained more than $1 million from Florida.
  - These types of high payouts will probably encourage threat actors to perform more campaigns delivering Ryuk and other targeted ransomware.
-----
###### RECOMMENDATIONS
- 01 DON'T PAY! Threat actor(s) may be unwilling or unable to decrypt the files after they receive payment.
- 02 IMPLEMENT CONTROLS. Implement AC and IAM to limit network privileges. Grant minimum local privileges.
- 03 CATEGORIZE DATA. Sensitive research or business data should not reside in the same server.
- 04 BACKUPS. Use frequent, tested, segmented and redundant backups. Perform remote and local offline backups.
-----
###### THANKS FOR WATCHING
QUESTIONS?
-----
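The two file-level indicators on the TECHNICAL ASPECTS slide, the RYK extension and the HERMES marker string, can be turned into a quick scope-triage script for an incident responder. This is an added example, not code from the presentation; the marker being in the file tail, the 4096-byte inspection window and the sample files are assumptions for the demo.

```python
import os
import tempfile
from pathlib import Path

MARKER = b"HERMES"        # string the deck says all variants add to encrypted files
EXTENSION = ".RYK"        # extension some variants append (others add none)
TAIL_BYTES = 4096         # assumption: marker sits near the end, so only the tail is read


def is_ryuk_encrypted(path: Path) -> dict:
    """Return which indicators a single file shows (extension and/or marker)."""
    has_ext = path.suffix.upper() == EXTENSION
    try:
        with path.open("rb") as fh:
            fh.seek(max(0, path.stat().st_size - TAIL_BYTES))
            has_marker = MARKER in fh.read()
    except OSError:
        has_marker = False
    return {"extension": has_ext, "marker": has_marker}


def triage_tree(root: Path) -> dict:
    """Walk a directory and bucket files by indicator combination.

    The marker check catches variants that append no extension (T1042 on
    the slide), which a name-only search would miss."""
    hits = {"ext_and_marker": [], "marker_only": [], "ext_only": []}
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = Path(dirpath) / name
            r = is_ryuk_encrypted(p)
            if r["extension"] and r["marker"]:
                hits["ext_and_marker"].append(p.name)
            elif r["marker"]:
                hits["marker_only"].append(p.name)
            elif r["extension"]:
                hits["ext_only"].append(p.name)
    return hits


def build_sample_tree() -> Path:
    """Constructed sample data: two benign files and three 'encrypted' ones."""
    root = Path(tempfile.mkdtemp(prefix="ryuk_demo_"))
    (root / "report.docx").write_bytes(b"PK\x03\x04 plain office file")
    (root / "notes.txt").write_bytes(b"nothing to see here")
    (root / "budget.xlsx.RYK").write_bytes(b"\x9a" * 512 + MARKER + b"\x00" * 256)
    (root / "photo.jpg").write_bytes(b"\x11" * 300 + MARKER + b"\x00" * 256)  # no-extension variant
    (root / "odd.RYK").write_bytes(b"renamed but no marker")
    return root
```

Files that carry the marker but no extension are the ones an extension-only sweep would leave uncounted when sizing the restore effort.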