Not yet another Death Note caused by the Ryuk Ransomware

Ryuk ransomware is a derivative of the Hermes ransomware. It encrypts assets such as files and data, makes resources unavailable and forces victims to pay a ransom or suffer the consequences. enSilo prevents Ryuk ransomware attacks.


SUMMARY

Your network has been penetrated, your valuable files have been encrypted and the only way to get your data back is to pay an unknown entity a ransom in Bitcoin. This is not the opening of a science fiction story, as many of us would like to think. In recent years, organizations have faced this harsh reality through ransomware attacks. An organization hit by ransomware has its intellectual property and intangible assets encrypted and held at the mercy of the attackers. Ransomware attacks tend to follow the same pattern: on execution, the ransomware encrypts assets such as files and data and then demands a ransom, typically paid in Bitcoin, for decrypting them. Failure to pay usually results in the permanent loss of all encrypted files.


According to KrebsOnSecurity, a similar story played out at Data Resolution LLC on Christmas Eve 2018. Data Resolution LLC is a cloud company offering various cloud and online hosting solutions. The company was hit with a ransomware attack and its online resources went offline. Restoring and recovering these critical customer-facing assets has been a daunting process. Unfortunately, restoring critical systems and assets is not always the end of the story for organizations affected by a ransomware attack. Many organizations do not have up-to-date business continuity and disaster recovery plans that give them the tools to restore quickly and easily. As a result, the unavailability of critical systems costs money and data and, in some cases, even customers. For many organizations, a ransomware attack is a devastating story they cannot afford.

Over the years there have been many families of ransomware. The most recent one, and the one that hit Data Resolution LLC, is Ryuk. Ryuk is a fictional Japanese character from the manga series Death Note, created by Tsugumi Ohba and Takeshi Obata. The Ryuk character specializes in dropping a "death note", which is analogous to the devastation caused by this ransomware. Public analyses (linked here and here) suggest that the Ryuk ransomware is a derivative of the Hermes ransomware, as both threats share similar code and functionality. Hermes was previously associated with the North Korean Lazarus group, whereas Ryuk is associated with the GRIM SPIDER group. Whatever the attribution, the objective behind Ryuk is the same as that of its predecessors: encrypt assets such as files and data, make resources unavailable and force victims to pay a ransom or suffer the consequences. At enSilo, our Endpoint Security Platform helps organizations protect against these types of attacks.

Online resources such as the one linked here provide a thorough technical analysis and breakdown of the Ryuk Tactics, Techniques and Procedures (TTPs), so we will not repeat the technical details in this blog post. Instead, we discuss the attack workflow and show how the enSilo Endpoint Security Platform blocks the ransomware on execution in real time. We also show how the platform detects and intercepts the ransomware after execution at each step of the attack chain.

Attack Workflow 

Two Ryuk ransomware Portable Executable (PE) variants were tested on an enSilo-protected endpoint. The static characteristics of the two files are:

Variant 1
SHA1: c4f3e9a0dc9b9de53920c4d2fcea8d07f8db2f5b
IMPHASH: 7a7b67ed6ac37b8dae8e18c7b928313b
File size: 120320 bytes
Compile time: 2018-12-21 02:22:06
Architecture: 32-bit (PE32)
Filename: OJVXY.exe

Variant 2
SHA1: 948af4614e8ff150fbe0bc38f40806b457acaf3a
IMPHASH: 9f64c8cf2ba268400f51862b635a85b2
File size: 126976 bytes
Compile time: 2018-12-11 23:09:18
Architecture: 64-bit (PE32+)
Filename: evilRansom.exe
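As an added example, not enSilo's code and not part of the original post, the following Python script computes the two static identifiers listed above, SHA1 and IMPHASH, and checks files on disk against the SHA1 list given under Additional Variants at the end of this post. The imphash function implements the standard recipe (library name lowercased with .dll/.ocx/.sys stripped, a dot, the function name lowercased or ordN for an ordinal import, all entries comma-joined in import-table order, then MD5) on an already-extracted import list, so it needs no PE parser; the import list used in the demo is constructed and is not the import table of either sample.

```python
import hashlib
import os
from typing import Iterable, List, Set, Tuple, Union

# SHA1 IOCs from the post's "Additional Variants" list.
RYUK_SHA1: Set[str] = {
    "3b9ebfd3ad07528923381eb7ca90105a5125334f",
    "c4f3e9a0dc9b9de53920c4d2fcea8d07f8db2f5b",
    "e953cbfae3a89e3d89d5f613b936525dc0acbf88",
    "9a237247ac1f9f32f874fba12550ba3b9ba233d9",
    "4eb0d5fab83c5a92e442beee4b31a6cd7d05cf4e",
    "631ae3e5bb0b791c2926829a00e99154c94621c9",
    "cbff9d66d68fa67e40ca4a295daed68f0d5f8383",
    "945e0aa129255745eac01089a4f36e0cfc2a2606",
    "948af4614e8ff150fbe0bc38f40806b457acaf3a",
    "74ea44c6ff5125fa4da154f2ae80d2fd7dd7ab33",
    "98e9b71ad8000b4ad7ad3e0875f050dda41ddf7b",
    "2c8ea348cc80ed41737d3d2d8cb5487dcd49d040",
    "fc62460c6ddd671085cde0138cf3d999e1db08cf",
    "c8ecc9b34184e7e1c15b4ed49fb838e7882dbfc6",
    "29abad9d694a43dafa56e589b07d007128f3063b",
    "d9f8eb52ce514d3dbf8f8e6a1ecb29c1dc46ea12",
    "98bc2a03618d7112c9cd130c6836c374c2ff4fcf",
}

# Library-name suffixes the imphash recipe strips before hashing.
_STRIP_EXTENSIONS = (".dll", ".ocx", ".sys")

Import = Tuple[str, Union[str, int]]   # (library, function name or ordinal)


def imphash_string(imports: Iterable[Import]) -> str:
    """Build the canonical string that imphash hashes.

    Each import becomes "<lib>.<func>": library lowercased with .dll/.ocx/.sys
    removed, function name lowercased, ordinal-only imports written as "ordN".
    Order is the import-table order, so the same API set in a different order
    gives a different hash. (pefile additionally resolves ordinals of a few
    well-known DLLs such as ws2_32 to names; that table is omitted here.)
    """
    parts = []
    for lib, func in imports:
        lib = lib.lower()
        for ext in _STRIP_EXTENSIONS:
            if lib.endswith(ext):
                lib = lib[: -len(ext)]
                break
        name = "ord%d" % func if isinstance(func, int) else func.lower()
        parts.append("%s.%s" % (lib, name))
    return ",".join(parts)


def imphash_from_imports(imports: Iterable[Import]) -> str:
    """MD5 of the canonical import string: the IMPHASH value."""
    return hashlib.md5(imphash_string(imports).encode("ascii")).hexdigest()


def sha1_of_file(path: str) -> str:
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_for_iocs(root: str, iocs: Set[str] = RYUK_SHA1) -> List[Tuple[str, str]]:
    """Walk root and return (path, sha1) for every file whose SHA1 is in iocs."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                digest = sha1_of_file(path)
            except OSError:
                continue  # unreadable or vanished; skip rather than abort the scan
            if digest in iocs:
                hits.append((path, digest))
    return sorted(hits)


if __name__ == "__main__":
    import sys

    # Constructed import list for the demo; NOT taken from the Ryuk samples.
    demo_imports = [
        ("KERNEL32.dll", "CreateFileA"),
        ("ADVAPI32.dll", "AdjustTokenPrivileges"),
        ("COMCTL32.dll", 17),
    ]
    print("imphash string:", imphash_string(demo_imports))
    print("imphash       :", imphash_from_imports(demo_imports))
    for path, digest in scan_for_iocs(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("IOC hit:", path, digest)
```

Run it with a directory as the first argument to sweep that tree for the listed SHA1s. SHA1 matches only catch byte-identical samples; the IMPHASH survives repacking of the same source with the same import table, which is why the post lists both and why a hunt should pivot on the IMPHASH values above as well.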


The following figures show how the enSilo Endpoint Security Platform visualized the entire attack chain, from detection to prevention, in real time:

Figure 1: Pre-Execution Block
Figure 2: Pre-Execution Block


The enSilo Endpoint Security Platform detects and blocks each variant at multiple stages of the attack chain. For example, the following figures show that on execution both Ryuk variants attempt to open and inject into the lsass.exe process:


Figure 3: OJVXY.exe injection

Figure 4: evilRansom.exe injection

Further along the attack chain, the Ryuk ransomware adjusts its token privileges and injects threads into other running processes on the system:

Figure 5: Thread injection

The purpose of this thread injection is described in detail in the analysis linked here. If successful, the ransomware then injects into another system process (in this case taskhost.exe), which it uses to modify existing files and create new ones. The following figure illustrates that step:


Figure 6: file creation

A system running enSilo in full-protection mode never reaches these stages of the attack chain, because the platform blocks the ransomware on execution. On an unprotected endpoint where the attack succeeds, files are encrypted and renamed with the .RYK extension, as the following figures show:

Figure 7: Before encryption

Figure 8: After encryption
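The chain just walked through (open lsass.exe, inject a thread into another process, have that process write .RYK files) is what an endpoint detection rule keys on. As an added example that is not enSilo's code and not part of the original post, the Python below correlates constructed Sysmon-style events (ProcessAccess, event 10; CreateRemoteThread, event 8; FileCreate, event 11) per acting process. Because the figures show the file writes coming from an injected taskhost.exe, the rule attributes a file write by a remote-thread target back to the process that injected it, so the verdict lands on the ransomware process rather than on a legitimate system binary. Field names follow Sysmon's schema; every GUID, path and value in the sample telemetry is invented for the demo.

```python
from collections import defaultdict
from typing import Dict, Iterable, List

# Sysmon event IDs this rule consumes.
PROCESS_ACCESS = 10        # one process opened a handle to another
CREATE_REMOTE_THREAD = 8   # a thread was created in another process
FILE_CREATE = 11           # a file was created or overwritten

# Stages in the order the post describes them.
STAGES = ("lsass_access", "remote_thread", "ryk_file_create")
MIN_STAGES = 2  # report a process once it has hit this many stages


def _field(event: dict, name: str) -> str:
    """Case-insensitive lookup: Sysmon spells the GUID field 'SourceProcessGUID'
    in event 10 but 'SourceProcessGuid' in event 8."""
    wanted = name.lower()
    for key, value in event.items():
        if key.lower() == wanted:
            return str(value)
    return ""


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_ryuk_chain(events: Iterable[dict]) -> Dict[str, List[str]]:
    """Return {process GUID: [stages seen, in STAGES order]} for every process
    that reached at least MIN_STAGES stages. Events must be in time order so
    that an injection is seen before the injected process starts writing."""
    seen = defaultdict(set)   # process GUID -> stages observed
    injected_by = {}          # target GUID -> GUID of the process that injected it
    for ev in events:
        eid = int(_field(ev, "EventID") or 0)
        if eid == PROCESS_ACCESS:
            if _basename(_field(ev, "TargetImage")) == "lsass.exe":
                seen[_field(ev, "SourceProcessGuid")].add("lsass_access")
        elif eid == CREATE_REMOTE_THREAD:
            src, dst = _field(ev, "SourceProcessGuid"), _field(ev, "TargetProcessGuid")
            if src and src != dst:
                seen[src].add("remote_thread")
                injected_by[dst] = src
        elif eid == FILE_CREATE:
            if _field(ev, "TargetFilename").lower().endswith(".ryk"):
                writer = _field(ev, "ProcessGuid")
                seen[writer].add("ryk_file_create")
                if writer in injected_by:      # credit the injector, not taskhost.exe
                    seen[injected_by[writer]].add("ryk_file_create")
    return {
        guid: [s for s in STAGES if s in stages]
        for guid, stages in seen.items()
        if len(stages) >= MIN_STAGES
    }


# Constructed sample telemetry (GUIDs, paths and values are invented).
SAMPLE_EVENTS = [
    {"EventID": 11, "ProcessGuid": "{GUID-SVCHOST}",
     "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetFilename": "C:\\Windows\\Temp\\update.log"},
    {"EventID": 10, "SourceProcessGUID": "{GUID-RYUK}",
     "SourceImage": "C:\\Users\\victim\\Downloads\\OJVXY.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe"},
    {"EventID": 8, "SourceProcessGuid": "{GUID-RYUK}",
     "SourceImage": "C:\\Users\\victim\\Downloads\\OJVXY.exe",
     "TargetProcessGuid": "{GUID-TASKHOST}",
     "TargetImage": "C:\\Windows\\System32\\taskhost.exe"},
    {"EventID": 11, "ProcessGuid": "{GUID-TASKHOST}",
     "Image": "C:\\Windows\\System32\\taskhost.exe",
     "TargetFilename": "C:\\Users\\victim\\Documents\\budget.xlsx.RYK"},
]

if __name__ == "__main__":
    for guid, stages in detect_ryuk_chain(SAMPLE_EVENTS).items():
        print("suspect %s: %s" % (guid, ", ".join(stages)))
```

On a real fleet the lsass.exe stage on its own is noisy (security agents and some Windows components open lsass routinely), so in production you would filter event 10 on the GrantedAccess bits that allow writing memory or creating threads and keep an allow-list of known sources; the chain scoring above is what turns a noisy single indicator into a high-confidence verdict.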


Final Notes 

This blog post gives a brief account of the possible origin, attribution and objective of the Ryuk ransomware, together with a quick overview of its attack chain. The most important takeaway is that organizations using the enSilo Endpoint Security Platform are protected against the destructive nature of this ransomware.


Additional Variants

The following SHA1 hashes are additional Ryuk ransomware variants found in the wild (the two samples tested above are included):

3b9ebfd3ad07528923381eb7ca90105a5125334f

c4f3e9a0dc9b9de53920c4d2fcea8d07f8db2f5b

e953cbfae3a89e3d89d5f613b936525dc0acbf88

9a237247ac1f9f32f874fba12550ba3b9ba233d9

4eb0d5fab83c5a92e442beee4b31a6cd7d05cf4e

631ae3e5bb0b791c2926829a00e99154c94621c9

cbff9d66d68fa67e40ca4a295daed68f0d5f8383

945e0aa129255745eac01089a4f36e0cfc2a2606

948af4614e8ff150fbe0bc38f40806b457acaf3a

74ea44c6ff5125fa4da154f2ae80d2fd7dd7ab33

98e9b71ad8000b4ad7ad3e0875f050dda41ddf7b

2c8ea348cc80ed41737d3d2d8cb5487dcd49d040

fc62460c6ddd671085cde0138cf3d999e1db08cf

c8ecc9b34184e7e1c15b4ed49fb838e7882dbfc6

29abad9d694a43dafa56e589b07d007128f3063b

d9f8eb52ce514d3dbf8f8e6a1ecb29c1dc46ea12

98bc2a03618d7112c9cd130c6836c374c2ff4fcf
