Not yet another Death Note caused by the Ryuk Ransomware
Ryuk ransomware is a derivative of the Hermes ransomware. Its objective is to encrypt assets such as files and data, cause the unavailability of resources and force all victims to pay a ransom or suffer the consequences. enSilo prevents Ryuk ransomware attacks.
Your network has been penetrated, your valuable files have been encrypted, and the only way to decrypt your data is to pay an unknown entity a ransom in Bitcoin. This is not the opening of a science fiction story, as many of us would like to think. In recent years, organizations have been facing this harsh reality because of ransomware attacks. Organizations hit by ransomware have their intellectual property and intangible assets encrypted and held at the mercy of their attackers. Ransomware attacks typically follow the same pattern: on execution, the ransomware encrypts assets such as files and data and then demands a ransom, usually payable in Bitcoin, to decrypt them. Failure to pay usually results in the destruction of all encrypted files.
According to KrebsOnSecurity, a similar story unfolded at Data Resolution LLC on Christmas Eve 2018. Data Resolution LLC is a cloud company offering various cloud and online hosting solutions. The company was hit with a ransomware attack and its online resources went offline. Restoring and recovering these critical customer-facing assets has been a daunting process. Unfortunately, restoration of critical systems and assets isn’t always the end of the story for organizations affected by a ransomware attack. Many organizations don’t have up-to-date business continuity and disaster recovery plans in place that give them the necessary restoration tools easily and quickly. As a result, the unavailability of critical systems leads to the loss of money and data and, in some cases, even the loss of customers. For many organizations, a ransomware attack is a devastating story they cannot afford.
Over the years there have been many types of ransomware attacks. However, the most recent attack, the same one that hit Data Resolution LLC, is the Ryuk ransomware attack. Ryuk is a fictional Japanese character from the manga series Death Note, created by Tsugumi Ohba and Takeshi Obata. The Ryuk character specializes in dropping a “death note,” which is analogous to the devastation caused by this ransomware. Online resources like the one here and here suggest that the Ryuk ransomware is a derivative of the Hermes ransomware, as both threats share similar code and functionality. Previously, the Hermes ransomware was associated with the North Korean Lazarus group, whereas the Ryuk ransomware is associated with the GRIM SPIDER group. Regardless of attribution, the objective behind the Ryuk ransomware is the same as that of its predecessors: to encrypt assets such as files and data, cause the unavailability of resources, and force all victims to pay a ransom or suffer the consequences. At enSilo, our Endpoint Security Platform can help organizations protect against these types of attacks.
Online resources such as the one here provide an excellent technical analysis and breakdown of the Ryuk Tactics, Techniques and Procedures (TTPs). Therefore, we won’t go into the technical details in this blog post. Instead, we will discuss the attack workflow and demonstrate how the enSilo Endpoint Security Platform blocks the ransomware on execution in real time. In addition, we will demonstrate how the platform detects and intercepts the ransomware after execution at each step of the attack chain.
Two Ryuk ransomware Portable Executable (PE) variants were tested on an enSilo-protected endpoint. The following are the static characteristics of both files:

Variant 1:
File Size: 120320 bytes
Compiled Time: 2018-12-21 02:22:06
OS: 32 Bit

Variant 2:
File Size: 126976 bytes
Compiled Time: 2018-12-11 23:09:18
OS: 64 Bit
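The three static characteristics listed above (file size, compile timestamp and bitness) come straight out of the PE headers, and pulling them during triage does not require running the sample. The following Python script is an added example, not code from the original post or from enSilo, showing how to read the COFF TimeDateStamp and the optional-header magic with nothing but struct. Because the real samples are not reproduced here, the script also builds two header-only stand-ins whose sizes and timestamps match the values in the post (interpreted as UTC, which is an assumption) with constructed zero filler around them.

```python
import struct
import calendar
from datetime import datetime, timezone

# COFF machine types and optional-header magic values from the PE specification.
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
PE32_MAGIC = 0x10B       # 32-bit image
PE32PLUS_MAGIC = 0x20B   # 64-bit image


def pe_static_summary(data: bytes) -> dict:
    """Read file size, compile timestamp (UTC) and bitness from PE headers.

    Only the DOS e_lfanew pointer, the COFF file header and the optional-header
    magic are parsed; nothing is mapped or executed, so this is safe for triage.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    coff = e_lfanew + 4
    (machine, _nsections, timestamp, _symtab, _nsyms,
     opt_size, _characteristics) = struct.unpack_from("<HHIIIHH", data, coff)
    if opt_size < 2:
        raise ValueError("optional header missing")
    magic = struct.unpack_from("<H", data, coff + 20)[0]
    if magic == PE32PLUS_MAGIC:
        bits = 64
    elif magic == PE32_MAGIC:
        bits = 32
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    compiled = datetime.fromtimestamp(timestamp, tz=timezone.utc)
    return {
        "file_size": len(data),
        "compiled_time": compiled.strftime("%Y-%m-%d %H:%M:%S"),
        "os": f"{bits} Bit",
        "machine": f"{machine:#06x}",
    }


def build_sample_pe(compiled_utc: tuple, bits: int, total_size: int) -> bytes:
    """Constructed header-only PE image for exercising the parser (contains no code)."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    machine = IMAGE_FILE_MACHINE_AMD64 if bits == 64 else IMAGE_FILE_MACHINE_I386
    magic = PE32PLUS_MAGIC if bits == 64 else PE32_MAGIC
    opt_size = 240 if bits == 64 else 224   # standard optional header sizes
    coff_header = struct.pack("<HHIIIHH", machine, 1,
                              calendar.timegm(compiled_utc), 0, 0, opt_size, 0x0002)
    optional_header = struct.pack("<H", magic) + b"\0" * (opt_size - 2)
    image = dos_header + b"PE\0\0" + coff_header + optional_header
    return image + b"\0" * (total_size - len(image))


# Sizes and timestamps are the ones reported in the post; the bytes around
# them are constructed filler, not the real samples.
VARIANT_1 = build_sample_pe((2018, 12, 21, 2, 22, 6), 32, 120320)
VARIANT_2 = build_sample_pe((2018, 12, 11, 23, 9, 18), 64, 126976)

if __name__ == "__main__":
    for name, blob in (("variant 1", VARIANT_1), ("variant 2", VARIANT_2)):
        print(name, pe_static_summary(blob))
```

Point pe_static_summary at the bytes of any real PE file (for instance via open(path, "rb").read()) to get the same three fields; keep in mind that TimeDateStamp is attacker-controlled and can be forged, so it is a pivot for clustering variants, not proof of when a sample was built.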
The following figures illustrate how the enSilo Endpoint Security Platform visualizes the entire attack chain, from detection to prevention, in real time:
Figure 1: Pre-Execution Block
Figure 2: Pre-Execution Block
The enSilo Endpoint Security Platform is capable of detecting and blocking the execution of each variant at multiple stages of the attack chain. For example, the following figures show that on execution, both Ryuk ransomware variants attempt to access and inject into the lsass.exe process:
Figure 3: OJVXY.exe Injection
Figure 4: evilRansome.exe Injection
Following the attack chain, the Ryuk ransomware attempts to adjust its token privileges by thread injection into other running processes on the system:
Figure 5: Thread injection
The objective of this thread injection is described very well over here. If successful, the ransomware process then injects into another system process (in this case the taskhost.exe process) to manipulate existing files and create new ones. The following figure illustrates that process:
Figure 6: file creation
A system running enSilo in full-protection mode never reaches these stages of the attack chain, because the platform blocks the ransomware on execution. However, on unprotected endpoints where the attack succeeds, files are encrypted and renamed with the RYK file extension, as shown in the following figures:
Figure 7: Before Encryption
Figure 8: After Encryption
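The attack chain described above gives a defender three concrete behaviours to alert on: a non-system process opening or injecting into lsass.exe, a remote thread being created in taskhost.exe, and a single process writing a burst of files with the RYK extension. The following Python script is an added example, not code from the original post or from enSilo, that runs those three rules over a handful of constructed Sysmon-style events (Event 10 ProcessAccess, Event 8 CreateRemoteThread, Event 11 FileCreate). The log format, the file paths and the allowlist of benign source processes are all assumptions made for the demo; the process names and the .RYK extension are the ones the post reports.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# Processes the post shows Ryuk accessing or injecting into, and a constructed
# allowlist of system processes that legitimately touch them (an assumption;
# tune it from a baseline of your own fleet).
SENSITIVE_TARGETS = {"lsass.exe", "taskhost.exe"}
BENIGN_SOURCES = {"csrss.exe", "services.exe", "svchost.exe", "wininit.exe"}
RANSOM_EXTENSIONS = {".ryk"}

# Constructed Sysmon-style events (not real telemetry), pipe-separated key=value.
SAMPLE_EVENTS = [
    r"EventID=10|SourceImage=C:\Users\victim\OJVXY.exe|TargetImage=C:\Windows\System32\lsass.exe|GrantedAccess=0x1FFFFF",
    r"EventID=8|SourceImage=C:\Users\victim\OJVXY.exe|TargetImage=C:\Windows\System32\taskhost.exe",
    r"EventID=8|SourceImage=C:\Windows\System32\services.exe|TargetImage=C:\Windows\System32\lsass.exe",
    r"EventID=11|Image=C:\Windows\System32\taskhost.exe|TargetFilename=C:\Users\victim\Documents\budget.xlsx.RYK",
    r"EventID=11|Image=C:\Windows\System32\taskhost.exe|TargetFilename=C:\Users\victim\Documents\plan.docx.RYK",
    r"EventID=11|Image=C:\Windows\System32\taskhost.exe|TargetFilename=C:\Users\victim\Pictures\cat.jpg.RYK",
    r"EventID=11|Image=C:\Windows\explorer.exe|TargetFilename=C:\Users\victim\Downloads\notes.txt",
]


def parse_event(line: str) -> dict:
    """Split one constructed 'k=v|k=v' event line into a dict with an int EventID."""
    fields = dict(part.split("=", 1) for part in line.split("|"))
    fields["EventID"] = int(fields["EventID"])
    return fields


def basename(path: str) -> str:
    """Lower-cased final component of a Windows path, e.g. 'lsass.exe'."""
    return PureWindowsPath(path).name.lower()


def detect(lines, burst_threshold: int = 3) -> list:
    """Apply the three rules and return alerts in the order they fire.

    Injection and process-access alerts fire per event; the extension-burst
    alert fires once per writing process after all events are seen.
    """
    alerts = []
    ransom_writes = defaultdict(int)
    for line in lines:
        ev = parse_event(line)
        if ev["EventID"] in (8, 10):
            src, dst = basename(ev["SourceImage"]), basename(ev["TargetImage"])
            if dst in SENSITIVE_TARGETS and src not in BENIGN_SOURCES:
                alerts.append({
                    "rule": "remote_thread" if ev["EventID"] == 8 else "process_access",
                    "source": src,
                    "target": dst,
                })
        elif ev["EventID"] == 11:
            suffix = PureWindowsPath(ev["TargetFilename"]).suffix.lower()
            if suffix in RANSOM_EXTENSIONS:
                ransom_writes[basename(ev["Image"])] += 1
    for image, count in ransom_writes.items():
        if count >= burst_threshold:
            alerts.append({
                "rule": "ransom_extension_burst",
                "source": image,
                "count": count,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Run as a script, it prints three alerts for the sample: the ProcessAccess on lsass.exe, the remote thread into taskhost.exe, and the burst of three .RYK files written by taskhost.exe, while the services.exe access to lsass.exe and explorer.exe's ordinary file write stay silent. Note that the burst rule attributes the writes to taskhost.exe, the injected host, not to the original ransomware binary; correlating the remote_thread alert's target with the burst alert's source is what ties the two together.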
This blog post provides a brief explanation of the possible origin, attribution and objective of the Ryuk ransomware, along with a quick overview of the Ryuk ransomware attack chain. However, the most important takeaway is that organizations that choose to use the enSilo Endpoint Security Platform are protected against the destructive nature of this ransomware.
The following hashes are additional Ryuk ransomware variants found in-the-wild: