Ryuk Ransomware Now Targeting Webservers REPORT R y u k R a n s o m w a r e N o w T a r g e t i n g W e b s e r v e r s https://www.mcafee.com/enterprise/en-us/home.html Ryuk Ransomware Now Targeting Webservers2 REPORT Table of Contents 4 General Overview 4 Anti-debugging Checks 5 Execution 6 Ransom Note 6 Change Drive Permissions 7 Process and Service Termination 8 File Encryption 11 Print Task 12 Wake on Lan 12 Network Shares Enumeration 13 SMB Replication 14 Defending Against Ryuk with McAfee 15   Initial Access 15   Command and Control 15 Conclusion 16 Yara Rule 16 IOCs 17 Mitre ATT&CK 18 Appendix A – Terminated processes 19 Appendix B – Terminated services 20 References Connect With Us Author This report was researched and written by: ■ Marc EliasDelPozzo Subscribe to receive threat information. Introduction Ryuk is a ransomware that encrypts a victim’s files and requests payment in Bitcoin cryptocurrency to release the keys used for encryption. Ryuk is used exclusively in targeted ransomware attacks. Ryuk was first observed in August 2018 during a campaign that targeted several enterprises. Analysis of the initial versions of the ransomware by our team revealed similarities and shared source code with the Hermes ransomware. Hermes ransomware is a commodity malware for sale on underground forums and has been used by multiple threat actors. To encrypt files, Ryuk utilizes a combination of symmetric AES (256-bit) encryption and asymmetric RSA (2048-bit or 4096-bit) encryption. The symmetric key is used to encrypt the file contents, while the asymmetric public key is used to encrypt the symmetric key. Upon payment of the ransom the corresponding asymmetric private key is released, allowing the encrypted files to be decrypted. Because of the targeted nature of Ryuk infections, the initial infection vectors are tailored to the victim. Often seen initial vectors are spear-phishing emails, exploitation of compromised credentials to remote access systems and the use of previous commodity malware infections. As an example of the latter, the combination of Emotet and TrickBot has been frequently observed distributing Ryuk, though recently BazarLoader has also been seen distributing it. Ryuk Ransomware Now Targeting Webservers Ryuk Ransomware Now Targeting Webservers3 REPORT https://www.mcafee.com/blogs/ https://twitter.com/mcafee_business https://www.linkedin.com/company/mcafee/ http://www.facebook.com/mcafee http://www.youtube.com/mcafee http://www.slideshare.net/mcafee https://www.mcafee.com/enterprise/en-us/forms/threat-information-subscription.html?eid=X7AOM1OW https://www.mcafee.com/enterprise/en-us/forms/threat-information-subscription.html?eid=X7AOM1OW https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ryuk-ransomware-attack-rush-to-attribution-misses-the-point https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ryuk-exploring-the-human-connection The Ryuk infection chain usually starts with a spear-phishing email with a malicious URL or an Office document to gain initial entry into victim environments. In certain cases, compromised RDP computers provide the initial access. In the first scenario, either Trickbot or BazarLoader will be executed and used as a loader malware, offering other actors the opportunity to purchase hacked machines. Once access to the victim’s machines is acquired by the ransomware actors, a Cobalt Strike beacon is often downloaded in order to obtain users’ credentials and move laterally on the network to take over the domain controllers. Finally, the Ryuk binary is distributed to every machine from the domain controllers. The main goal of this blog is to deeply analyze the Ryuk binary itself. General Overview The analyzed file corresponds to an unpacked ransomware sample from the Ryuk family. The sample can be identified by the following hashes: Hash type Value SHA1 1EFC175983A17BD6C562FE7B054045D6DCB341E5 SHA256 8F368B029A3A5517CB133529274834585D087A2D3A 5875D03EA38E5774019C8A The Ryuk final payload has a size of 148Kb and the compilation date is 30 April 2021 and, while this date could have been manipulated, we believe it is genuine. Anti-debugging Checks Ryuk repeatedly implements anti-disassembly techniques to make analysis with static analysis tools more difficult. Figure 1. Anti-disassembly trick Likewise, the malicious code will implement anti-debugging techniques by using the API ZwQueryInformationProcess (T1106 - Native API) along with various flags such as ProcessDebugFlags, ProcessDebugPort, and ProcessDebugObjectHandle (T1497.001 System Checks) which will allow the ransomware to determine if a debugger is present and, if it is, it will crash itself. Figure 2. Query process Ryuk Ransomware Now Targeting Webservers4 REPORT Additionally, the malware will check the BeingDebugged flag (T1497.001 System Checks) from the PEB structure of the process with the same purpose as stated above. Figure 3. Check if process is being debugged Execution Ryuk copies itself three times in the current directory with different names and launches these new executables with distinct command lines to execute different functionality in each execution. For the first copy of the malware the filename is calculated as a checksum of the current username and the suffix “r.exe” is appended. If the malware cannot obtain the username, it will use the default filename “rep.exe.” Also, when the malware executes the file, it uses the “9 REP” command line. This process will be responsible for the self-replication to other machines in the network. Figure 4. First execution The second copy of the malware has a randomly generated name and the suffix “lan.exe” appended. In this case, the malware passes the command line “8 LAN.” This process will be responsible for sending the Wake On Lan packets to other computers in the network. Figure 5. Second execution The third copy follows the same name convention as the second and has the same command line. Figure 6. Execution of third copy Ryuk Ransomware Now Targeting Webservers5 REPORT Ransom Note To notify the user about the encryption, Ryuk drops an HTML ransom note in every folder that it encrypts. This note is remarkably similar to the note used in other Ryuk variants, with the only difference being the use of a contact button with some instructions to install the Tor Browser. Figure 7. HTML Ransom note When the contact button is clicked, an alert appears with instructions to contact the ransomware actors. Figure 8. Browser alert with instructions If we follow the instructions and access the Onion link, we can find the contact portal with a form asking for an e-mail, password, the name of the organization, and an area in which to write a message to the actors. Figure 9. Ryuk contact portal Change Drive Permissions The malware will identify the mounted local drives via GetLogicalDrives API call and for each of them it will change their permissions using the Windows tool icacls (T1222.001 – Windows File and Directory Permissions Modification) to grant full access to the drive. Figure 10. Icacls execution Below is an example of the command that Ryuk will execute: icacls “C:\*” /grant Everyone: F /T /C /Q Ryuk Ransomware Now Targeting Webservers6 REPORT Process and Service Termination Before starting with the file encryption, the malware will start a new thread where it will try to finish a list of processes and stop some other services. Figure 11. Thread creation In this new thread, the malware will enumerate the running processes (T1057 – Process Discovery) and services (T1489 – Service Stop) and check if the name matches with a list of 41 processes (Appendix A – Terminated Processes) and 64 services (Appendix B – Terminated Services) the malware has hardcoded in the sample. Some of these processes and services belong to AV products, backup services, and others might be using files which the ransomware targets (T1562.001 – Disable or Modify Tools). Figure 12. Thread functions To finish the process execution that the malware targets, it uses the following command: “C:\Windows\System32\taskkill.exe” /IM /F To stop the services that the malware targets, it uses the following command: “C:\Windows\System32\net.exe” stop “” /y Since the services and processes that the malware targets are checked with the function ‘strstr,’ and this function returns partial matches of the string, the malware will finish untargeted process like ‘audioendpointbuilder’ because it contains the string ‘endpoint.’ Figure 13. Bogus service stop Ryuk Ransomware Now Targeting Webservers7 REPORT File Encryption The malware will try to encrypt both local drives and network drives and iterate over each file on the drive and check its path and filename (T1083 – File and Directory Discovery). Ryuk does not encrypt files that contain the following names in its full path: \Windows\ Windows boot WINDOWS\ Chrome Mozilla SYSVOL NTDS netlogon sysvol The malware also does not encrypt files if the filename contains any of the following strings: RyukReadMe.html boot dll ntldr exe .ini .lnk bootmgr boot NTDETECT Also, the malware will verify if the filename contains “index.” and if it is true, it will call a function we named “RyukDropRansomNoteInIndexFile.” Figure 14. Check index files Ryuk Ransomware Now Targeting Webservers8 REPORT If the file name contains “.php” it will dynamically create PHP code to render the HTML ransom note. Otherwise, it will overwrite the file contents with the HTML ransom note code. With this, the malware ensures that when someone accesses a website the Ryuk ransom note will appear. Figure 15. Drop RYUK ransom note in index files It is believed that this functionality was added to newer versions of the malware to target web servers and deface public websites with the Ryuk ransom note. This is a tactic never seen before in the ransomware landscape and whose final purpose is to pressure victims to pay. In this later version of Ryuk, the encryption scheme is the same as previous versions; it uses random AES 256 keys generated with the API CryptGenKey (T1486 – Data Encrypted for Impact) for each file and it encrypts those keys with the actor’s RSA public key that is hardcoded in the malware. With this scheme the attackers ensure that the cryptography and key management are robust. Figure 16. AES 256 key generation Ryuk Ransomware Now Targeting Webservers9 REPORT Before encrypting a file, the malware will check if it is already encrypted, searching for the keyword “HERMES” for old Ryuk versions and “RYUKTM” for recent versions. If it finds those keywords it will close the handle to file and not encrypt it. Figure 17. HERMES and RYUKTM check Then, the malware will start encrypting the file in chunks with a defined size of 1,000,000 bytes. Figure 18. File chunk encryption After that, the malware will write the keyword “RYUKTM” to mark the file as encrypted and will export the AES key encrypted with the RSA public key using the API CryptExportKey and write it at the end of the file. Figure 19. File key exporting Ryuk Ransomware Now Targeting Webservers10 REPORT Here is an example of an encrypted file with the 274 bytes of metadata info appended at the end of file by Ryuk. Figure 20. Appended metadata Print Task After the encryption of the files, the malware will create a new scheduled task (T1053.005 – Scheduled Task) that will print 50 copies of the RTF ransom note in the default printer configured in the system. The command line to create this task (T1059.003 – Windows Command Shell) is the following: SCHTASKS /CREATE /NP /SC DAILY /TN “PrintvE” /TR “C:\Windows\System32\cmd. exe /c for /l %x in (1,1,50) do start wordpad.exe /p C:\users\Public\YTKkI. dll” /ST 10:25 /SD 05/18/2021 /ED 05/25/2021 At a certain time during the week the task would print 50 pages of an RTF ransom note containing the password dropped in the Public directory with a random name and the dll extension (T1036 – Masquerading). Figure 21. Ryuk RTF note This is also a new functionality added to the malware with the intention of creating chaos in the victim’s system and pressurizing them to pay the ransom price to decrypt the files. Ryuk Ransomware Now Targeting Webservers11 REPORT Wake on Lan The Ryuk process with the command line “8 LAN” is responsible for obtaining the ARP cache entries of the system and sending the Wake on Lan packets to try to turn on the remote computers. To extract the ARP table, the malware will use the GetIpNetTable API (T1016 – System Network Configuration Discovery) from the iphlpapi.dll and after retrieving the previously mentioned table, it will begin to send the packets using the API sendto from the Winsock library. Figure 22. Send Wake on Lan packet The Wake on Lan magic packets (T1205 – Traffic Signaling) are made up of 6 bytes with the 255 value (0xFF in hexadecimal) followed by sixteen repetitions of the target computer MAC address for a total of 102 bytes. Figure 23. Wake on Lan packet Network Shares Enumeration Ryuk will also try to move laterally to other hosts in the network, first obtaining all the IP addresses assigned to the system and checking if they belong to a private IPv4 addressing range (10.x.x.x, 172.16.x.x and 192.168.x.x). Because the previously mentioned check is done with the function strstr, it can match with other public subnets such as 151.192.172.1. Figure 24. Bug checking private IP networks Ryuk Ransomware Now Targeting Webservers12 REPORT If the subnet is one of the above, it will proceed to send ICMP Echo requests with the API IcmpSendEcho to discover new machines in the subnet (T1135 – Network Share Discovery). If the machine responds to the ping, it will be considered a potential victim and Ryuk will try to encrypt its files. Figure 25. ICMP Echo request For each host discovered, Ryuk will attempt to encrypt them using a similar method to the one used for local drives, by building a UNC path in the following format for each driver letter, from A to Z: \\\$ Also, it will try to access and encrypt the following UNC path: \\ As can be seen in the following image: Figure 26. Ryuk UNC file encryption SMB Replication The Ryuk process with the command line “9 REP” will be responsible for replicating itself into new computers but first it will check for double executions of the same process creating a mutex object with the name of the username of the machine (T1082 – System Information Discovery). If the mutex already exists it will finish the process. Figure 27. Mutex creation Next, the malware will check if the file already exists in the remote computer using the API GetFileAttributesW. The UNC file path will be constructed on the fly, and it will always try to access the path “C:\Users\ Public” from the remote computer. The filename is created by doing a checksum of the current username and appending the suffix “r.exe”.T1053 Figure 28. Ryuk file copy Then, it will use the API CopyFileW to copy the file to the remote computer and to achieve remote execution it will create a scheduled task with a random name using the schtasks.exe tool to execute the ransomware copy (T1021 – Remote Services). Figure 29. Remote service creation Ryuk Ransomware Now Targeting Webservers13 REPORT https://attack.mitre.org/techniques/T1053/005 Therefore, for each compromised remote machine the following two commands will be executed: schtasks.exe /Create /S 192.168.56.2 /TN qdpRGwh /TR \”C:\\Users\\Pub- lic\\622r.exe\” /sc once /st 00:00 /RL HIGHEST schtasks.exe /S 192.168.56.2 /Run /TN qdpRGwh Defending Against Ryuk with McAfee Ryuk, like other ransomware, leverages multiple techniques to access the network and remain persistent before having an impact. In other words, attacks using ransomware do not start with encryption and therefore you have multiple opportunities to prevent, disrupt, or detect the malicious activity. Below is an overview of how you can defend against Ryuk with McAfee® MVISION™ Security Architecture. Figure 30. Ryuk Kill Chain Ryuk Ransomware Now Targeting Webservers14 REPORT Some best practices to detect or prevent very early in the attack chain with McAfee® Endpoint Protection and MVISION Unified Cloud Edge can include: Initial Access Endpoint Firewall and Web Control (ENS): Restrict access to necessary ports and prevent access to web sites with malicious or unknown reputation. Endpoint Protection Platform (ENS): Configure both Threat Prevention and Adaptive Threat Prevention modules for maximum protection against malware delivered through Spearphishing. In particular, use GTI in both modules and ensure JTI Rules 4 (GTI File Reputation) and 5 (URL Reputation) are enabled. Command and Control Endpoint Protection Platform (ENS) and MVISION EDR can both identify Cobalt Strike and other type of command-and-control techniques. MVISION EDR provides a unified view of endpoint prevention and detection events so you can speed up triage. Unified Cloud Edge (UCE – SWG) can prevent access to risky web sites using threat intelligence, URL reputation, behaviour analysis, and remote browser isolation. Ensure you have a strong web security policy in place and are monitoring logs. More details on specific rules and other defense recommendations can be found here. Conclusion In this short report we have presented a technical overview of the Ryuk ransomware and the new functionalities added to the malware used to increase the damage on the organizations it targets. It is interesting to note that Ryuk has shifted its attention to webservers since it no longer encrypts the index file but replaces it with the ransom note instead. Furthermore, the developers behind Ryuk upgraded the malware with the ability to print the ransom note in the default printer. These new functionalities were included to pressure victims into paying the ransom. In the first half of the year, several Ryuk actors have been known to be actively launching new campaigns and targeting organizations all over the world. This is the reason we believe the criminals behind Ryuk will continue to develop new features and invent new methods to maximize their profits. McAfee Advanced Threat Research is actively monitoring this threat, detected as Ransom-Ryuk![partial-hash], for future releases. Meanwhile, a solid data loss prevention strategy remains the best advice against all forms of ransomware; for general prevention advice please visit NoMoreRansom. Always seek professional assistance when you are faced with a targeted ransomware attack such as Ryuk. Ryuk Ransomware Now Targeting Webservers15 REPORT https://www.nomoreransom.org/en/prevention-advice.html Yara Rule rule RANSOM _ RYUK _ May2021 : ransomware { meta: � description = “Rule to detect latest May 2021 compiled Ryuk variant” author = “Marc Elias | McAfee ATR Team” date = “2021-05-21” � hash = “8f368b029a3a5517cb133529274834585d087a2d3a5875d03e- a38e5774019c8a” version = “0.1” strings: $ryuk _ filemarker = “RYUKTM” fullword wide ascii � $sleep _ constants = { 68 F0 49 02 00 FF (15|D1) [0-4] 68 ?? ?? ?? ?? 6A 01 } � $icmp _ echo _ constants = { 68 A4 06 00 00 6A 44 8D [1-6] 5? 6A 00 6A 20 [5-20] FF 15 } condition: uint16(0) == 0x5a4d and filesize < 200KB and ( $ryuk _ filemarker or ( $sleep _ constants and $icmp _ echo _ constants )) } IOCs Below is a list of files identified as Ryuk: SHA256 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a SHA256 d8a0d25776c28e17e724da2b1c8fdae28d7c6b32cfa9d3d2a20f3f57ff370488 SHA256 703ee3222eccd0e355b9ef414be9153fa3a2ad8efb8176fee887d7744a9f632f SHA256 b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9 SHA256 09a0e87008e34a7a434c5d853600f693ab9de181e1f863ef6a90edf8c3fccd54 SHA256 63b44f7fe68cb8a05fa98c5acc59851d4b73f5bbd76e9910c94042c523da8d5b SHA256 60c16e45c5cbe88a38911f1e3176d90444e4884261d8481d4d719acec1bc5025 SHA256 307a8158e698680c7186e3c1481b29186d8b265bb83662397a54f235b0c9a3d1 SHA256 473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8 SHA256 23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f SHA256 d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9 Ryuk Ransomware Now Targeting Webservers16 REPORT Mitre ATT&CK The sample uses the following MITRE ATT&CK™ techniques: Technique ID Technique Description Observable T1134 Access Token Manipulation Ryuk attempts to adjust its token privilege to have the SeBackupPrivilege. T1059.003 Windows Command Shell Ryuk uses the cmd.exe shell to execute the print task in the infected host. T1486 Data Encrypted for Impact Ryuk utilizes a combination of symmetric AES (256-bit) encryption and asymmetric RSA (2048-bit or 4096-bit) encryption to encrypt files. T1083 File and Directory Discovery Ryuk uses the API FindFirstFileW and FindNextFileW to enumerate files in the system. T1222.001 Windows File and Directory Permissions Modification Ryuk executes the command icacls “:\*” /grant Everyone: F /T /C /Q to grant full access to the drive. T1562.001 Disable or Modify Tools Ryuk stops services related to endpoint security software. T1036 Masquerading Ryuk can create .dll files that contain a Rich Text File document. T1106 Native API Ryuk uses the native API ZwQueryInformationProcess to check if a debugger is present. T1057 Process Discovery Ryuk calls the function CreateToolhelp32Snapshot to enumerate all running processes in the system. T1053.005 Scheduled Task Ryuk creates a local scheduled task to print the ransom note on the default printer. T1489 Service Stop Ryuk uses the command net stop “” /y to stop services before file encryption. T1016 System Network Configuration Discovery Ryuk has called the API GetIpNetTable in attempt to identify all mounted drives and hosts that have Address Resolution Protocol (ARP) entries. T1205 Traffic Signaling Ryuk has used Wake-on-Lan to power on turned off systems for lateral movement. T1078.002 Domain Accounts Ryuk can use stolen domain admin accounts to move laterally within a victim domain. T1497.001 System Checks Ryuk uses the native API ZwQueryInformationProcess to check if a debugger is present. T1135 Network Share Discovery Ryuk will attempt to discover network shares by building a UNC path in the following format for each driver letter, from A to Z: \\\$ T1082 System Information Discovery Ryuk calls the API GetUserNameA and GetVersionExW to obtain information about the system. T1021 Remote Services Ryuk can create a copy of the ransomware on a remote system and create a scheduled task to execute itself. Ryuk Ransomware Now Targeting Webservers17 REPORT https://attack.mitre.org/techniques/T1134 https://attack.mitre.org/techniques/T1059/003/ https://attack.mitre.org/techniques/T1486/ https://attack.mitre.org/techniques/T1083/ https://attack.mitre.org/techniques/T1222/001 https://attack.mitre.org/techniques/T1562/001 https://attack.mitre.org/techniques/T1036 https://attack.mitre.org/techniques/T1106 https://attack.mitre.org/techniques/T1057/ https://attack.mitre.org/techniques/T1053/005 https://attack.mitre.org/techniques/T1489 https://attack.mitre.org/techniques/T1016 https://attack.mitre.org/techniques/T1205 https://attack.mitre.org/techniques/T1078/002 https://attack.mitre.org/techniques/T1497/001/ https://attack.mitre.org/techniques/T1135/ https://attack.mitre.org/techniques/T1082/ https://attack.mitre.org/techniques/T1021/ Appendix A – Terminated processes virtual vmcomp vmwp veeam backup Backup xcha sql dbeng sofos calc ekrn zoolz encsvc excel firefoxconfig infopath msaccess mspub mydesktop ocautoupds ocomm ocssd onenote oracle outlook powerpnt sqbcoreservice steam synctime tbirdconfig thebat thunderbird visio word xfssvccon tmlisten PccNTMon CNTAoSMgr Ntrtscan mbamtray Ryuk Ransomware Now Targeting Webservers18 REPORT Appendix B – Terminated services vmcomp vmwp veeam Back xcha ackup acronis sql Enterprise Sophos Veeam AcrSch Antivirus Antivirus bedbg DCAgent EPSecurity EPUpdate Eraser EsgShKernel FA _ Scheduler IISAdmin IMAP4 MBAM Endpoint Afee McShield task mfemms mfevtp mms MsDts Exchange ntrt PDVF POP3 Report RESvc sacsvr SAVAdmin SamS SDRSVC SepMaster Monitor Smcinst SmcService SMTP SNAC swi _ CCSF TrueKey tmlisten UI0Detect W3S WRSVC NetMsmq ekrn EhttpSrv ESHASRV AVP klnagent wbengine KAVF mfefire Ryuk Ransomware Now Targeting Webservers19 REPORT References https://www.fortinet.com/blog/threat-research/ryuk-revisited-analysis-of-recent-ryuk-attack https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos/5768-ccn-cert-id-03-21-ryuk-ransomware/file.html https://www.intel471.com/blog/understanding-the-relationship-between-emotet-ryuk-and-trickbot https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf https://attack.mitre.org/software/S0446/ Ryuk Ransomware Now Targeting Webservers20 REPORT https://www.fortinet.com/blog/threat-research/ryuk-revisited-analysis-of-recent-ryuk-attack https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos/5768-ccn-cert-id-03-21-ryuk-ransomware/file.html https://www.intel471.com/blog/understanding-the-relationship-between-emotet-ryuk-and-trickbot https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf https://attack.mitre.org/software/S0446/ 6220 America Center Drive San Jose, CA 95002 888.847.8766 www.mcafee.com About McAfee McAfee is the device-to-cloud cybersecurity company. Inspired by the power of working together, McAfee creates business and consumer solutions that make our world a safer place. By building solutions that work with other companies’ products, McAfee helps businesses orchestrate cyber environments that are truly integrated, where protection, detection, and correction of threats happen simultaneously and collaboratively. By protecting consumers across all their devices, McAfee secures their digital lifestyle at home and away. By working with other security players, McAfee is leading the effort to unite against cybercriminals for the benefit of all. www.mcafee.com McAfee ATR The McAfee® Advanced Threat Research Operational Intelligence team operates globally around the clock, keeping watch of the latest cyber campaigns and actively tracking the most impactful cyber threats. Several McAfee products and reports, such as MVISION Insights and APG ATLAS, are fueled with the team’s intelligence work. In addition to providing the latest Threat Intelligence to our customers, the team also performs unique quality checks and enriches the incoming data from all of McAfee’s sensors in a way that allows customers to hit the ground running and focus on the threats that matter. Subscribe to receive our Threat Information. McAfee and the McAfee logo are trademarks or registered trademarks of McAfee, LLC or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others. Copyright © 2021 McAfee, LLC. 4761_0621 JUNE 2021 Ryuk Ransomware Now Targeting Webservers21 REPORT https://www.mcafee.com/enterprise/en-us/home.html http://www.mcafee.com http://www.mcafee.com https://www.mcafee.com/enterprise/en-us/forms/threat-information-subscription.html?eid=X7AOM1OW General Overview Anti-debugging Checks Execution Ransom Note Change Drive Permissions Process and Service Termination File Encryption Print Task Wake on Lan Network Shares Enumeration SMB Replication Defending Against Ryuk with McAfee Initial Access Command and Control Conclusion Yara Rule IOCs Mitre ATT&CK Appendix A – Terminated processes Appendix B – Terminated services References