UPDATE (March 25th, 2020): VMware Carbon Black’s Managed Detection service and Threat Analysis Unit identified a new Ryuk sample that exhibited artifacts not covered in the original article. This article has been updated with the artifacts from that new sample.

Ryuk Ransomware has been crippling both the public and private sector recently with its ability to disrupt the target environment. The ransomware is typically dropped onto a system that has already been compromised by Trickbot or Emotet, usually through a phishing email. Once the Ryuk payload has been dropped and executed, it encrypts the system’s files and demands a ransom in exchange for the decryption key. Ryuk is known for targeting enterprise organizations, which can be pressed for higher payments. An example of the Ryuk ransom note can be seen in Figure 1.

Figure 1, Ryuk Ransom Note

Technical Analysis of Ryuk Ransomware

VMware Carbon Black’s Managed Detection service and Threat Analysis Unit have observed the following Ryuk Ransomware behaviors being executed in our clients’ environments.

Data Encryption

Ryuk Ransomware encrypts file contents with AES-256 and protects the per-file AES key with an RSA 4096-bit public key, appending the ‘.ryk’ extension to each encrypted file. Ryuk skips any ‘dll’, ‘lnk’, ‘hrmlog’, ‘ini’, or ‘exe’ file, using the hardcoded settings seen in Figure 2. Ryuk also does not encrypt the following locations:

Windows System32

Chrome

Mozilla

Internet Explorer

Recycle Bin

Figure 2, Allowlisted Extensions

Inhibit System Recovery

It is not uncommon for ransomware to try to prevent data recovery by deleting or disabling Volume Shadow Copies, and the Ryuk sample in Figure 3 does exactly that. The first command, ‘vssadmin Delete Shadows /all /quiet’, deletes every shadow copy without prompting or notifying the user. The ‘vssadmin resize shadowstorage’ commands then force out any copies that survive: the sample first caps the shadow storage for the volume at a maximum size of ‘401 MB’, which makes VSS discard the copies that no longer fit, and then resets the maximum to all available disk space so the change is not obvious afterwards (Figure 3).

Figure 3, Disassembly of Ryuk sample showing Vssadmin instructions

The following commands were exhibited in the new Ryuk sample and had not been seen in the previous samples. The first command leverages the Windows Management Instrumentation Command-Line utility (WMIC.exe) to delete the shadow copies. This is not uncommon: malware authors use ‘Living off the Land’ tactics such as this so that their activity blends in with legitimate administration. The second command leverages vssadmin.exe to delete the shadow copies. The third command uses the Boot Configuration Data editor (BCDEdit) to disable automatic Startup Repair, which removes one more recovery option for the victim and keeps the repair environment from interfering with the malware (Figure 4).

Figure 4, shadow copy commands exhibited in the new Ryuk sample

Process/Service Stop

Ryuk creates and leverages a batch file, ‘kill.bat’, to kill processes and to stop, disable and uninstall services, as seen in Figure 5. It should be noted that this batch file also includes PowerShell commands used to uninstall Windows Defender. VMware Carbon Black Endpoint Standard (formerly known as CB Defense) alerts on such tactics, as seen in Figure 6.

Figure 5, Sample of commands in the kill.bat

Figure 6, VMware Carbon Black Endpoint Standard redacted alert for ‘kill.bat’



When the Ryuk sample was disassembled, it was observed to contain both ‘/IM [process name] /F’ (taskkill) and ‘stop [process name] /y’ (net stop) commands. The ‘/IM [process name] /F’ commands listed a variety of processes related to: backup, browsers, databases, email, gaming, miscellaneous services, Microsoft Office and word-processing applications, and security protection. Examples of the observed ‘/IM [process name] /F’ commands are shown in Figure 7; the full list can be found at the end of the article. It was also observed that, when the Ryuk sample ran, the ‘/IM [process name] /F’ commands were executed through taskkill.exe, while the ‘stop [process name] /y’ commands were executed through net.exe and net1.exe.

Figure 7, Seen “/IM [process name] /F” and “stop [process name] /y” in Ryuk Sample
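The batch file described above is a useful triage target on its own. The following is an added example (not code from the article or from Carbon Black) that parses a kill.bat-style script, separates the taskkill, net stop and sc config lines, groups the targets into the categories the article lists, and flags the Defender-tampering PowerShell. The batch content and the category keywords are constructed for illustration and do not reproduce the real kill.bat.

```python
"""Triage a kill.bat-style script: what does it kill, stop, disable and tamper with?

Added example, not code from the article or Carbon Black. SAMPLE_KILL_BAT and the
CATEGORIES keyword map are constructed for illustration.
"""
import re
from collections import Counter

SAMPLE_KILL_BAT = r"""
@echo off
taskkill /IM sqlservr.exe /F
taskkill /IM outlook.exe /F
taskkill /IM msaccess.exe /F
taskkill /IM veeam.exe /F
net stop "SQLWriter" /y
net stop VeeamBackupSvc /y
net stop WinDefend /y
sc config WinDefend start= disabled
powershell -Command "Uninstall-WindowsFeature -Name Windows-Defender"
"""

# Assumed keyword map mirroring the article's grouping of targeted processes.
CATEGORIES = {
    "backup": ("veeam", "backup", "vss"),
    "database": ("sql", "oracle", "mysql"),
    "email": ("outlook", "thunderbird", "exchange"),
    "security": ("defend", "msmpeng", "antivirus", "mcafee", "sophos"),
    "office": ("msaccess", "winword", "excel"),
}

TASKKILL_RE = re.compile(r"^\s*taskkill\b.*?/IM\s+(\S+).*?/F", re.I)
NETSTOP_RE = re.compile(r'^\s*net1?\s+stop\s+"?([^"\s]+)"?.*?/y', re.I)
SCDISABLE_RE = re.compile(r"^\s*sc\s+config\s+(\S+)\s+start=\s*disabled", re.I)
DEFENDER_PS_RE = re.compile(
    r"powershell.*(Windows-Defender|Set-MpPreference|DisableRealtimeMonitoring)", re.I)


def categorize(name):
    """Map a process or service name to one of the article's categories."""
    low = name.lower()
    for cat, keys in CATEGORIES.items():
        if any(k in low for k in keys):
            return cat
    return "other"


def analyze_kill_bat(text):
    """Return the kill/stop/disable targets and the Defender PowerShell lines found."""
    result = {"taskkill": [], "net_stop": [], "sc_disabled": [], "defender_powershell": []}
    for line in text.splitlines():
        m = TASKKILL_RE.match(line)
        if m:
            result["taskkill"].append(m.group(1))
            continue
        m = NETSTOP_RE.match(line)
        if m:
            result["net_stop"].append(m.group(1))
            continue
        m = SCDISABLE_RE.match(line)
        if m:
            result["sc_disabled"].append(m.group(1))
            continue
        if DEFENDER_PS_RE.search(line):
            result["defender_powershell"].append(line.strip())
    targets = result["taskkill"] + result["net_stop"] + result["sc_disabled"]
    result["categories"] = dict(Counter(categorize(t) for t in targets))
    return result


def is_ransomware_prep(report, min_targets=5):
    """Heuristic verdict: many kills/stops combined with tampering with security tooling."""
    total = len(report["taskkill"]) + len(report["net_stop"])
    touches_security = (report["categories"].get("security", 0) > 0
                        or bool(report["defender_powershell"]))
    return total >= min_targets and touches_security


if __name__ == "__main__":
    report = analyze_kill_bat(SAMPLE_KILL_BAT)
    print(report["categories"], is_ransomware_prep(report))
```

The regexes are deliberately loose about argument order (`/F` before or after `/IM`, quoted service names) because the batch files seen in the wild are not consistent; a production rule should also cover `taskkill /F /IM` written through `cmd /c`.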

Persistence

To remain persistent on the host, a Registry Run value named ‘svchos’ is created under ‘HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run’, with its data set to the path of the Ryuk executable, as seen below in Figure 8.

Figure 8, Disassembly of Ryuk Sample showing Registry Run Key
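Two properties of that Run value make it detectable without a hash: the value name imitates a Windows binary (‘svchos’ vs. svchost) and the data points at a user-writable location. The following is an added example (not from the article or Carbon Black) that applies both checks to registry-set events. The event lines are constructed in a ‘key|value name|data’ layout, which is an assumption about the log source; the paths and names are made up.

```python
"""Flag suspicious Run-key persistence such as the 'svchos' value the article describes.

Added example, not code from the article or Carbon Black. SAMPLE_EVENTS are constructed
in an assumed 'key|value name|data' layout.
"""
import difflib
import re

RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.I)
# Binary names an attacker might imitate in a value name (assumed list).
SYSTEM_BINARIES = ["svchost.exe", "explorer.exe", "csrss.exe", "lsass.exe",
                   "winlogon.exe", "services.exe"]
# Path fragments that legitimate autostarts rarely live under (assumed list).
UNTRUSTED_HINTS = ("\\temp\\", "\\users\\public\\", "\\downloads\\")

SAMPLE_EVENTS = [
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run|svchos|C:\Users\alice\AppData\Local\Temp\sample.exe",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run|OneDrive|C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run|SecurityHealth|C:\Windows\system32\SecurityHealthSystray.exe",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer|Shell|explorer.exe",
]


def lookalike_of(value_name, cutoff=0.8):
    """Return the system binary a value name closely imitates, or None."""
    base = value_name.lower()
    if not base.endswith(".exe"):
        base += ".exe"
    match = difflib.get_close_matches(base, SYSTEM_BINARIES, n=1, cutoff=cutoff)
    return match[0] if match and match[0] != base else None


def exe_path(data):
    """Extract the executable path from Run-value data (quoted or first token)."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:data.find('"', 1)]
    return data.split(" ")[0]


def assess_run_key_event(line):
    """Return a list of reasons the event is suspicious; None if it is not a Run value."""
    key, name, data = line.split("|", 2)
    if not RUN_KEY_RE.search(key):
        return None
    reasons = []
    mimic = lookalike_of(name)
    if mimic:
        reasons.append(f"value name '{name}' mimics {mimic}")
    path = exe_path(data).lower()
    if any(hint in path for hint in UNTRUSTED_HINTS):
        reasons.append(f"autostart from user-writable location: {path}")
    return reasons


def scan_events(lines):
    """Return (value name, reasons) for every Run value with at least one reason."""
    hits = []
    for line in lines:
        reasons = assess_run_key_event(line)
        if reasons:
            hits.append((line.split("|", 2)[1], reasons))
    return hits


if __name__ == "__main__":
    for name, why in scan_events(SAMPLE_EVENTS):
        print(name, why)
```

`difflib.get_close_matches` is a cheap way to catch one-character imitations like ‘svchos’; tune `cutoff` against your own baseline of autostart names before alerting on it, since short legitimate names can also score high.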

Process Enumeration & DLL Injection

To inject the Ryuk payload into another process, the malware must write its payload into the virtual address space of that process and create a remote thread there. It first has to pick a target process, which it does with the following API calls: ‘CreateToolhelp32Snapshot’ (creates a snapshot of the processes, heaps, threads and modules on the system), ‘Process32First’ (retrieves information about the first process in the snapshot) and ‘Process32Next’ (retrieves the next process; the malware calls it in a loop to walk the whole snapshot), as shown in Figure 9.

Figure 9, Disassembly of Process Enumeration

Once the malware has chosen its target process, it uses ‘OpenProcess’ to obtain a handle to it, allocates space for the injection with ‘VirtualAllocEx’, writes the malicious payload with ‘WriteProcessMemory’ and finally starts a thread in the target with ‘CreateRemoteThread’ (shown in Figure 10). It avoids injecting into ‘explorer.exe’, ‘lsass.exe’ and ‘csrss.exe’.

Figure 10, Disassembly of Process Injection
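The enumeration loop and the four-call injection chain above are both easy to express as data. The following is an added example (not from the article or Carbon Black) that models the target selection the article describes, then detects the OpenProcess → VirtualAllocEx → WriteProcessMemory → CreateRemoteThread chain in a per-process API trace such as a sandbox or EDR would produce. The process snapshot and the trace are constructed, and the ‘(caller pid, api, target pid)’ trace layout is an assumption.

```python
"""Model the article's process enumeration/injection chain and detect it in an API trace.

Added example, not code from the article or Carbon Black. SAMPLE_SNAPSHOT and
SAMPLE_TRACE are constructed; the trace layout (caller_pid, api, target_pid) is assumed.
"""

# The three processes the article says Ryuk refuses to inject into.
INJECTION_EXCLUSIONS = {"explorer.exe", "lsass.exe", "csrss.exe"}

# What a CreateToolhelp32Snapshot + Process32First/Process32Next walk would yield.
SAMPLE_SNAPSHOT = [
    (4, "System"), (488, "csrss.exe"), (560, "lsass.exe"),
    (612, "svchost.exe"), (700, "explorer.exe"), (3300, "notepad.exe"),
]


def choose_injection_targets(snapshot, self_pid):
    """Walk the snapshot like the Process32First/Next loop and keep every process
    except the sample itself and the excluded system processes."""
    return [pid for pid, name in snapshot
            if pid != self_pid and name.lower() not in INJECTION_EXCLUSIONS]


# The remote-thread injection sequence, in order.
CHAIN = ("OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread")

SAMPLE_TRACE = [  # (caller_pid, api, target_pid or None) -- constructed
    (4120, "CreateToolhelp32Snapshot", None),
    (4120, "Process32First", None),
    (4120, "Process32Next", None),
    (4120, "Process32Next", None),
    (4120, "OpenProcess", 612),
    (4120, "VirtualAllocEx", 612),
    (4120, "WriteProcessMemory", 612),
    (4120, "CreateRemoteThread", 612),
    (4120, "OpenProcess", 988),          # handle only, no follow-up: not injection
    (2200, "OpenProcess", 3300),
    (2200, "ReadProcessMemory", 3300),   # a reader, not an injector
]


def find_remote_thread_injections(trace):
    """Return (caller, target) pairs where the full CHAIN was observed in order.

    Progress is tracked per (caller, target) pair so that interleaved activity
    against other processes does not break or fake a chain."""
    progress = {}
    hits = []
    for caller, api, target in trace:
        if target is None:
            continue
        key = (caller, target)
        step = progress.get(key, 0)
        if api == CHAIN[step]:
            step += 1
            if step == len(CHAIN):
                hits.append(key)
                step = 0
        elif api == CHAIN[0]:
            step = 1  # a fresh OpenProcess restarts the chain
        progress[key] = step
    return hits


if __name__ == "__main__":
    print(choose_injection_targets(SAMPLE_SNAPSHOT, self_pid=4120))
    print(find_remote_thread_injections(SAMPLE_TRACE))
```

The detector deliberately requires all four calls against the same target: OpenProcess plus ReadProcessMemory is what every debugger and inventory agent does, whereas a WriteProcessMemory followed by CreateRemoteThread into a process the caller did not spawn is rarely benign.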

Other Artifacts

Ryuk copies itself and launches the copy with the command-line argument ‘8 LAN’, as seen in Figure 11 and Figure 12. This argument triggers the malware’s ‘Wake-on-LAN’ routine, which attempts to power on switched-off devices on the network so that the ransomware can spread to them as well.

Figure 11, VMware Carbon Black Endpoint Standard alert showing command-line argument

Figure 12, New Ryuk sample exhibiting similar command
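Wake-on-LAN works by broadcasting a ‘magic packet’ (six 0xFF bytes followed by the target MAC repeated sixteen times) over UDP, so a single host suddenly emitting many of them is a strong network-side signal for the behaviour described above. The following is an added example (not from the article or Carbon Black) that builds and parses magic packets and flags senders that exceed a threshold in a capture. The capture, IP addresses and MAC addresses are constructed.

```python
"""Wake-on-LAN magic packets: build, parse and spot a burst of them in a capture.

Added example, not code from the article or Carbon Black. SAMPLE_CAPTURE, its
addresses and MACs are constructed.
"""
import socket


def build_magic_packet(mac):
    """Return the 102-byte WoL payload: 6 x 0xFF sync bytes then the MAC 16 times."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("MAC must be 6 bytes")
    return b"\xff" * 6 + raw * 16


def parse_magic_packet(payload):
    """Return the target MAC as 'aa:bb:...' if payload is a magic packet, else None."""
    if len(payload) < 102 or payload[:6] != b"\xff" * 6:
        return None
    mac = payload[6:12]
    if payload[6:102] != mac * 16:
        return None
    return ":".join(f"{b:02x}" for b in mac)


def send_magic_packet(mac, broadcast="255.255.255.255", port=9):
    """Broadcast a magic packet (what an administrator's wakeonlan tool does)."""
    pkt = build_magic_packet(mac)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return s.sendto(pkt, (broadcast, port))


SAMPLE_CAPTURE = [  # (src_ip, dst_udp_port, payload) -- constructed
    ("10.0.0.5", 9, build_magic_packet("00:11:22:33:44:55")),
    ("10.0.0.5", 9, build_magic_packet("00:11:22:33:44:56")),
    ("10.0.0.5", 7, build_magic_packet("00:11:22:33:44:57")),
    ("10.0.0.5", 53, b"\x12\x34\x01\x00" + b"\x00" * 8),   # unrelated UDP
    ("10.0.0.9", 9, build_magic_packet("aa:bb:cc:dd:ee:ff")),
]


def wol_senders(capture, threshold):
    """Return source IPs that sent at least `threshold` magic packets."""
    counts = {}
    for src, _port, payload in capture:
        if parse_magic_packet(payload):
            counts[src] = counts.get(src, 0) + 1
    return sorted(src for src, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    print(wol_senders(SAMPLE_CAPTURE, threshold=3))
```

The parser checks the payload rather than the port because magic packets are accepted on any UDP port (ports 7 and 9 are only conventions); a workstation that is not a management server sending dozens of them to different MACs in a short window is the condition worth alerting on.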

Ryuk drops a copy of PsExec and uses it to copy and execute Ryuk on other systems, as seen in Figure 13 and Figure 14. PsExec is a portable Sysinternals tool that runs processes on remote systems.

Figure 13, VMware Carbon Black Endpoint Standard redacted alert showing PsExec being dropped

Figure 14, VMware Carbon Black Endpoint Standard redacted alert showing PsExec being used to copying Ryuk to remote system

Ryuk leverages the native Windows command-line utility icacls, as a ‘Living off the Land’ technique, to grant Everyone full access to the “C:\” and “D:\*” locations (Figure 15). This gives the malware access to every potential location it may want to encrypt or spread to.

Figure 15, VMware Carbon Black Endpoint Standard alert showing icacls command

Ryuk also sets the Boot Configuration Data option BootStatusPolicy to ignore all boot failures, so that any boot problems caused by its tampering do not surface to the user through Windows Recovery (Figure 16).

Figure 16, VMware Carbon Black Endpoint Standard alert showing BootStatusPolicy command
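The vssadmin, WMIC and BCDEdit commands under Inhibit System Recovery, the icacls grant in Figure 15 and the BootStatusPolicy change in Figure 16 are all native tools run with unusual arguments, which makes command-line matching the natural detection. The following is an added example (not from the article or Carbon Black) that classifies process command lines against those behaviours and additionally recognises the shrink-then-unbound shadow storage pair described with Figure 3. The command lines are constructed to resemble the article’s descriptions; the exact arguments are assumptions, not quotes from the samples.

```python
"""Classify Living-off-the-Land command lines that inhibit recovery or open up ACLs.

Added example, not code from the article or Carbon Black. SAMPLE_CMDLINES are
constructed to resemble the behaviours the article describes.
"""
import re

RULES = [
    ("shadow_copy_delete", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("shadow_storage_resize", re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\s+shadowstorage\b.*/maxsize=", re.I)),
    ("wmic_shadowcopy_delete", re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("bcd_recovery_disabled", re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("bcd_ignore_boot_failures", re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
    ("icacls_everyone_full", re.compile(r"\bicacls(\.exe)?\b.*/grant\s+everyone:(?:\([^)]*\))*f\b", re.I)),
]

RESIZE_RE = re.compile(r"resize\s+shadowstorage\s+/for=(\S+)\s+/on=\S+\s+/maxsize=(\S+)", re.I)

SAMPLE_CMDLINES = [  # constructed
    "vssadmin.exe Delete Shadows /all /quiet",
    "vssadmin.exe resize shadowstorage /for=c: /on=c: /maxsize=401MB",
    "vssadmin.exe resize shadowstorage /for=c: /on=c: /maxsize=unbounded",
    "wmic.exe shadowcopy delete",
    "bcdedit.exe /set {default} recoveryenabled No",
    "bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures",
    'icacls.exe "C:\\*" /grant Everyone:F /T /C /Q',
    "vssadmin.exe list shadows",                         # benign
    'icacls.exe "C:\\Share" /grant Alice:(OI)(CI)M',     # benign
]


def classify_command(cmdline):
    """Return the names of all rules the command line matches."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def detect_resize_squeeze(cmdlines):
    """Flag the shrink-then-unbound pair: capping MaxSize below what the existing
    shadow copies occupy makes VSS discard them, and the follow-up 'unbounded'
    hides that anything changed. Returns (volume, shrunken size) per pair."""
    pending, hits = {}, []
    for cmd in cmdlines:
        m = RESIZE_RE.search(cmd)
        if not m:
            continue
        vol, size = m.group(1).lower(), m.group(2)
        if size.lower() == "unbounded":
            if vol in pending:
                hits.append((vol, pending.pop(vol)))
        else:
            pending[vol] = size
    return hits


def score_host(cmdlines, min_distinct=2):
    """Summarise a host's command lines: distinct rules fired and a verdict.
    Two or more distinct recovery-inhibition rules is treated as ransomware staging."""
    fired = sorted({name for cmd in cmdlines for name in classify_command(cmd)})
    recovery_rules = [n for n in fired if not n.startswith("icacls")]
    verdict = "ransomware_prep" if len(recovery_rules) >= min_distinct else "review"
    return fired, verdict


if __name__ == "__main__":
    print(score_host(SAMPLE_CMDLINES))
    print(detect_resize_squeeze(SAMPLE_CMDLINES))
```

Single rules such as `shadow_copy_delete` do fire on legitimate backup maintenance, which is why `score_host` counts distinct behaviours per host rather than alerting on one command; the resize squeeze and the `bootstatuspolicy ignoreallfailures` change have almost no administrative use and can be alerted on individually.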

Future of Ryuk Ransomware

There are no indications that Ryuk Ransomware attacks will slow down. Companies must proactively enforce good security practices in both prevention and detection. Attention should also be paid to stopping phishing emails before they lead to execution, since that is the usual initial access vector for the Trickbot and Emotet infections that precede Ryuk.

Customer Protection

VMware’s Carbon Black customers can find policy recommendations in this TAU-TIN article on Ryuk Ransomware attacks and prevention.

Indicators of Compromise (IOCs)

Indicator | Type | Context
e209429fe9c7ef4218c0e5ef46913031c201ae8e47b5784e3c8ff64b3ebab1c8 | SHA256 | Kill.bat
8d3f68b16f0710f858d8c1d2c699260e6f43161a5510abb0e7ba567bd72c965b | SHA256 | Ryuk Ransomware sample
5cbbf37a1bdcb78f346e94ecca606a661bb49c5c9bb10c99a60ff415e118a482 | SHA256 | Ryuk Ransomware sample
7b5ccdf2be802eddc3b62ddf2ec3d204e6ff936248b711a03c28c5c84c6c4e6f | SHA256 | New Ryuk Ransomware sample
https://fdspofsdrtert[.]best:443/aajhDIAHFIEHFI | Domain | Domain associated with Ryuk Ransomware sample