# Nice to meet you, too. My name is Ryuk. **4rchib4ld.github.io/blog/NiceToMeetYouRyuk** A comprehensive Ryuk threat analysis February 27, 2021 6 minute read February 27, 2021 This work is a comprehensive analysis of the ransomware Ryuk. It will be break down into three parts : What are the Ryuk operator interested in ? What tactics and tools do they typically use ? How can defenders detect those tools or tactics ? ## From Netflix to your enterprise Ryuk is a Ransomware, [responsible for a third of all ransomware attacks in 2020. Ryuk is](https://www.securitymagazine.com/articles/93769-ryuk-ransomware-responsible-for-one-third-of-all-ransomware-attacks-in-2020) specifically used to target enterprise environments, and specially in the recent times Big Game Hunting – going after bigger, more secure targets in tailored operations and potentially extract larger ransoms –. Like almost all ransomwares, Ryuk goal is to generate as much money as possible, in the shortest amount of time. They often succeed according to the reports, because the average ransom seems to be near $1Millions, and the highest was $34Millions in 2018. For this, Ryuk will targets huge corporations and specially Windows assets (which represents the most part of their infrastructure). Clients and servers will (sadly) go the same way, disregarding of their version. At the time of writing, there is no way to decrypt Ryuk Encryption. That’s because it’s the AES/RSA combo and restoring data without the keys is impossible (unless there is a failure in the implementation). Ryuk is under constant development, new modules and functionalities are added over time. ## How does it operates ? Ryuk is most of the time delivered by TrickBot and more recently Bazar. (**), so with a [phishing mail (T1566).](https://attack.mitre.org/techniques/T1566) [This two malwares are attributed to the same group](https://www.zdnet.com/article/new-bazar-backdoor-linked-to-trickbot-banking-trojan-campaigns/) However, it was also seen to exploit accessible Remote Desktop Services on targets [(T1021.001).](https://attack.mitre.org/techniques/T1021/001/) ----- [Ryuk can also exploit vulnerabilities like ZeroLogon or](https://threatpost.com/ryuk-ransomware-gang-zerologon-lightning-attack/160286/) [EternalBlue to propagate itself into](https://www.computerweekly.com/news/252489779/Ryuk-attack-downs-private-health-provider-in-major-incident) [the networks (T1210).](https://attack.mitre.org/techniques/T1210/) There is actually some works done before Ryuk is run on the victim’s infrastructure. There is [an Active Directory reconnaissance (T1018) done using tools like :](https://attack.mitre.org/techniques/T1018/) Mimikatz PowerShell PowerSploit AdFind Bloodhound PsExec [Investigating the Active Directory is also a behavior seen for TrickBot.](https://www.bleepingcomputer.com/news/security/trickbot-now-steals-windows-active-directory-credentials/) The goal here for Ryuk is to have enough knowledge and privileges to impact as much hosts and shares as possible, as well as estimating the victims infrastructure : A big Active Directory most of the time involves a big entreprise. [There is also instances where Cobalt Strike was used, as it sometimes comes with Bazar.](https://www.advanced-intel.com/post/anatomy-of-attack-inside-bazarbackdoor-to-ryuk-ransomware-one-group-via-cobalt-strike) Once the Active Directory has delivered all of its secrets, Ryuk is executed. **About the delivery : Even when Emotet is involved, it actually delivers Trickbot which** itself delivers Ryuk. This reinforce the accountancy between this two and the attribution to the same group : Wizard Spider ### Malware Analysis I was able to find a Ryuk Sample (5e1e2920736e1c00104e24ee). I will describe points that seems interesting to have in mind when dealing with Ryuk, as well as how they can be detected/mitigated. **About Hermes : Ryuk is most likely built on the Hermes ransomware, which had it source** code shared on various underground forums. That’s why you’ll see strings that relates to Hermes. **Dropping itself** Upon launching, it copies itself in the current directory with a random 7 characters length and then launch the new file with the parameters “8 Lan” (Wake On Lan) ----- **Anti everything** It then creates a thread that loop thought all running processes and services and kill those who might disturb it : like excel, backup services, virtual machine and such. The full list is in [the Appendix. The goal is to make sure not file are opened in memory (T1489), as well as](https://attack.mitre.org/techniques/T1489/) [performing AntiVM action (T1562.001).](https://attack.mitre.org/techniques/T1562/001) ``` net stop is used for services : taskkill is used for processes : ``` **Detection opportunity : It’s highly suspicious that a process kills a high number of** processes and/or services. Maybe some legit apps do it, but this behavior can be a sign of a malware trying to setup its playground. [It will also performs anti forensics/recovery by executing various commands (T1059.003 and](https://attack.mitre.org/techniques/T1059/003) [T1490) :](https://attack.mitre.org/techniques/T1490) ----- Note the typo for the first command, there is a missing ‘e’ on ‘delete’ **Detection opportunity : This kind of commands are HIGHLY suspicious, and there** should be a rule on the SIEM or EDR that monitor their usages. Also, having a lot of this commands executed in the same interval can be determined in a rule **Privilege Escalation** Ryuk will check for two privileges : ``` SEBackupPrivilege : In order to access to any file and bypass ACL SEDebugPrivilege : In order to execute the process injection ``` In order to do so, Ryuk will open it current thread and retrieve the Thread Token. ----- It will then enable the wanted privilege with the function `AdjustTokenPrivileges (T1134)` ----- The privileges will be used on the next steps **Process Injection** Ryuk injects itself into multiples processes, in order to be very fast. [It enumerates running process (T1057)checks if the process is one of](https://attack.mitre.org/techniques/T1057) `csrss.exe,` ``` explorer.exe, lsaas.exe or is run under NT Admin and then injects into it, using WriteProcessMemory and CreateRemoteThread (T1055). ``` **Detection opportunity : It’s pretty uncommon for a process to inject itself into another, or** even writing to its memory. This kind of behavior can be detected by an EDR, or by Windows Sysmon Event ID 8, for example. **Encryption** [The encryption (T1486) is done with the](https://attack.mitre.org/techniques/T1486) `CryptEncrypt Windows API with AES_256.` ----- All encrypted files have the string HERMES at their end. It is used as a marker to know whether the file has already been encrypted. The file itself is encrypted, so there is no deletion involves and so recovery is unlikely. A file named `RyukReadMe.html is` dropped on every encrypted directory. There is a bunch of directory that are whitelisted by the malware : ----- As well as : Chrome Mozilla Recycle.bin Windows Microsoft AhnLab All encrypted files are appended the `.RYK file extension.` [Any mounted drives (T1547.001)will suffer the same fate, first by having rights :](https://attack.mitre.org/techniques/T1547/001) And then the encryption : ----- [Ryuk will also scan the ARP table in order to find any files or folders in remote hosts. (T1016)](https://attack.mitre.org/techniques/T1016) **Persistence** Create a registry key named ‘svchos’ on the famous ``` HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run ``` [registry (T1547.001)with the full path of the executable using](https://attack.mitre.org/techniques/T1547/001) `cmd.exe (T1059.003)` **Detection opportunity : This registry is a well known location for persistence. A rule can** be easily setup to monitor any suspicious addition. ## What’s next ? ----- Wizard Spider seems to have built an ecosystem of malware, and still continues to develop it, with the addition to Conti, a new ransomware. Some reports seems to indicate that Conti is a new version of Ryuk. Maybe that’s a question I will tackle during another analysis. For now, Ryuk is still going, and should be kept in mind. ## Appendix ### Blacklisted Process ``` - virtual - vmcomp - vmwp - veeam - backup - Backup - xchange - sql - dbeng - sofos - calc - ekrn - zoolz - encsvc - excel - firefoxconfig - infopath - msaccess - mspub - mydesktop - ocautoupds - ocomm - ocssd - onenote - oracle - outlook - powerpnt - sqbcoreservice - steam - synctime - tbirdconfig - thebat - thunderbird - visio - word - xfssvccon - tmlisten - PccNTMon - CNTAoSMgr - Ntrtscan - mbamtray Blacklisted Services ``` ----- ----- ``` vmcomp - vmwp - veeam - Back - xchange - ackup - acronis - sql - Enterprise - Sophos - Veeam - AcrSch - Antivirus - Antivirus - bedbg - DCAgent - EPSecurity - EPUpdate - Eraser - EsgShKernel - FA_Scheduler - IISAdmin - IMAP4 - MBAM - Endpoint - McShield - task - mfemms - mfevtp - mms - MsDts - Exchange - ntrt - PDVF - POP3 - Report - RESvc - sacsvr - SAVAdmin - SamS - SDRSVC - SepMaster - Monitor - Smcinst - SmcService - SMTP - SNAC - swi - CCSF - TrueKey - tmlisten - UI0Detect - W3S - WRSVC - NetMsmq ``` ----- ``` ekrn - EhttpSrv - ESHASRV - AVP - klnagent - wbengine - KAVF - mfefire ## You May Also Enjoy Turla, the Snake of Attribution ``` April 29, 2022 3 minute read How Turla tries to avoid attribution ## Tomorrow night ? Honeymoon on Ice(loader) ? May 14, 2021 3 minute read Write up about the packer used by multiple threat actors during the past few months ## Your attribution appears to have been applied to your life April 25, 2021 5 minute read To what point is attribution useful ? ## IcedID on my neck I’m the coolest April 11, 2021 4 minute read Unpacking IcedID in order to extract the C2 domain name -----