This article was written for educational purposes only and is provided for information only. The author is not responsible for your actions.
FBI officers speaking at an information security conference in South Africa called the Ryuk ransomware Trojan the most profitable ransomware on the market. That is hardly surprising: according to Advanced Intelligence and HYAS, the Trojan's operators have earned about 150 million dollars to date. In this article I will describe how this malware works.
Ryuk is a ransomware program that encrypts files and demands a ransom in Bitcoin from the victim in exchange for the decryption keys. It is used exclusively in targeted attacks. The ransomware was first spotted in August 2018 as part of a campaign that targeted several businesses. Our experts analyzed the initial versions of the malware and found similarities and shared fragments of source code with the Hermes ransomware. Hermes is mass-distributed ransomware that is sold on underground forums and used by several hacker groups.
For its malicious activities, Ryuk uses a combination of AES symmetric encryption (256 bits) and RSA asymmetric encryption (2048 or 4096 bits). The symmetric key is used to encrypt the contents of the files, and the asymmetric public key is used to encrypt the symmetric key. After paying the ransom, the attackers provide the corresponding asymmetric private key that can be used to decrypt the files.
Since Ryuk is used in targeted attacks, the initial infection vectors are chosen to suit the victim. Very often these vectors are spear-phishing emails, remote access to systems using stolen accounts, and well-known mass-distributed malware. In the latter case, a combination of Emotet and TrickBot is often used to deliver Ryuk; BazarLoader has recently been reported as well.
The Ryuk infection chain often starts with a spear-phishing email containing a malicious link or MS Office document, which gives the attackers a foothold in the victim's environment. In some cases, computers reachable over compromised RDP become the starting point instead.
In the first scenario, TrickBot or BazarLoader acts as the malware downloader, and its execution gives the attackers access to the compromised machines. The computers are then often loaded with a Cobalt Strike beacon to steal usernames and passwords and move laterally across the network to take over the domain controllers. Through these controllers, the Ryuk binary is distributed to all machines. How does this binary work? Let's find out.
GENERAL INFORMATION
The file being analyzed is a sample of an unpacked ransomware of the Ryuk family. This sample can be identified using the checksums (hashes) below.
SHA-1: 1EFC175983A17BD6C562FE7B054045D6DCB341E5
SHA-256: 8F368B029A3A5517CB133529274834585D087A2D3A5875D03EA38E5774019C8A
Ryuk's final payload is 148KB and compiled on April 30, 2021.
ANTI-DEBUGGING
Ryuk repeatedly uses anti-disassembly techniques to make static analysis of its code difficult.

Anti-disassembly technique
In addition, the malicious code implements anti-debugging checks using the ZwQueryInformationProcess API with various information classes (flags), for example ProcessDebugFlags, ProcessDebugPort and ProcessDebugObjectHandle. With their help, the ransomware can detect an attached debugger and forcibly terminate it.

Querying process information
For the same purpose, the ransomware also checks the BeingDebugged flag in the process's PEB structure.

Checking Process Debug Signs
EXECUTION
Ryuk copies itself three times into the current folder under different names and runs these new binaries with different command-line parameters. Each execution serves a separate function. The file name of the first copy is generated as a checksum of the current username with the suffix r.exe appended.
If the malware cannot obtain the username, the default name rep.exe is used. This file is executed with the command line 9 REP, and the process is responsible for replicating Ryuk to other machines on the network.

First execution
The name of the second copy of the Trojan is generated randomly with the suffix lan.exe appended. This copy corresponds to the command line 8 LAN, and the process is responsible for sending Wake On Lan packets to other computers on the network.

Second execution
The name of the third copy is created in exactly the same way as for the second, using the same command line.

Execution of the third copy
Ransom Notice
To notify the user that the files have been encrypted, Ryuk drops an HTML ransom message into each encrypted folder. This message is much the same across Ryuk variants; the main difference in this sample is a link button and instructions for installing the Tor browser.

Ransom message in HTML format
When you click the Connect button, a pop-up window appears with instructions for contacting the authors of the ransomware.

Browser message with instructions
The onion link given in the instructions takes the user to the communication portal. It contains a form in which the victim must leave an email address, a password, the organization name and a message for the hackers (in a separate field).

A portal to contact hackers using Ryuk
CHANGE DISK PERMISSIONS
The Trojan discovers mounted local drives with the GetLogicalDrives API call and then uses the Windows icacls tool to change the permissions on each drive so that it has full access to them.
Executing the Icacls command
Here's an example of a command that Ryuk will execute:
Code:
icacls "C:\*" /grant Everyone:F /T /C /Q
FORCED STOPPING OF PROCESSES AND SERVICES
Before encrypting files, the Trojan creates a new thread to terminate a number of processes and stop some services.

Thread creation
In this new thread, Ryuk builds a list of running processes and services and compares it with a list of 41 processes and 64 services hardcoded into its code. Some of these processes and services belong to antivirus and backup tools, while others may hold open files that are to be encrypted as part of the attack.

Thread functions
The ransomware terminates each targeted process with the following command (the process name is inserted at runtime):
Code:
C:\Windows\System32\taskkill.exe /IM <process> /F
The command used to stop the targeted services (the service name is inserted at runtime):
Code:
C:\Windows\System32\net.exe stop <service> /y
Since the names of services and processes are compared using the strstr function, which returns partial matches, the malware will also terminate processes that are not its targets: for example audioendpointbuilder, because its name contains the string endpoint.

Force stopping a service
FILE ENCRYPTION
The Trojan tries to encrypt local and network drives by going through all the files on them and checking each file's path and name. Ryuk does not encrypt files whose full path contains any of the following names:
\Windows\
Windows
boot
WINDOWS\
Chrome
Mozilla
SYSVOL
NTDS
netlogon
sysvol
The malware also does not encrypt files with any of the following strings in their names:
RyukReadMe.html
boot
dll
ntldr
exe
.ini
.lnk
bootmgr
boot
NTDETECT
In addition, Ryuk checks whether the file name contains the string index. If it does, the program calls the function RyukDropRansomNoteInIndexFile.

Checking files with the string index in the name
If the file has the extension .php, the ransomware generates PHP code that outputs the HTML ransom message; otherwise it overwrites the file's contents with the ransom message HTML. As a result, a user who tries to open the site sees Ryuk's message with the cybercriminals' demands.

Embedding Ryuk ransom message text in files containing index
This feature is believed to have been added in newer versions of the malware to attack web servers and deface public sites, replacing their home pages with a Ryuk ransom message. Such a tactic, whose ultimate goal is to compel the victim to pay the ransom, has not been seen in ransomware before.
The encryption scheme in the new version of Ryuk remains the same. For each file, the program uses random AES-256 keys generated using the CryptGenKey API and then encrypts these keys using the RSA public key embedded in the malware code. With this scheme, cybercriminals provide strong encryption and key management.

AES-256 key generation
Before processing a file, the Trojan checks whether the file has already been encrypted. To do so, it searches for the keyword HERMES (old versions of Ryuk) or RYUKTM (new versions). If either keyword is found, the file is skipped and not encrypted.

Checking HERMES and RYUKTM
After that, the Trojan encrypts the file in chunks of a fixed size, 1,000,000 bytes each.

Encrypting a file in parts
Ryuk then adds the keyword RYUKTM to mark the file as encrypted, exports the AES key encrypted with the RSA public key using the CryptExportKey API, and appends it to the end of the file.

File Key Export
Below is an example of an encrypted file with the 274 bytes of metadata that Ryuk appends to its end.

Attached metadata
PRINT JOB
After encrypting the files, Ryuk creates a new scheduled task that prints 50 copies of the ransom message in RTF format on the system's default printer. The command line that creates this task looks like this:
Code:
SCHTASKS /CREATE /NP /SC DAILY /TN "PrintvE" /TR "C:\Windows\System32\cmd.exe /c for /l %x in (1,1,50) do start wordpad.exe /p C:\users\Public\YTKkI.dll" /ST 10:25 /SD 05/18/2021 /ED 05/25/2021
The task runs at the specified time every day for a week. The printed RTF ransom message (50 copies) contains the password; the message itself is dropped into the Public directory as a file with a random name and the extension .dll.

Ryuk Ransom RTF
This feature is also new. It was added to the Trojan to create chaos in the victim's environment and pressure the victim into paying for decryption.
REMOTE NETWORK
The Ryuk process launched with the command line 8 LAN is designed to read the system's ARP cache and send Wake on Lan packets to power on remote computers. To read the ARP table, the malware uses the GetIpNetTable API from iphlpapi.dll. Once it has the table, the ransomware sends the packets using the sendto API from the Winsock library.

Sending a Wake on Lan packet
A Wake on Lan magic packet consists of 6 bytes with the value 255 (0xFF in hex) followed by the target MAC address repeated 16 times. The total packet size is 102 bytes.

Wake on Lan packet
ENUMERATING SHARED NETWORK FOLDERS
Ryuk also tries to move laterally to other hosts on the network. To do so, the program obtains all the IP addresses assigned to the system and checks whether they belong to the private IPv4 ranges (10.x.x.x, 172.16.x.x and 192.168.x.x). Since this check is performed with the strstr function, addresses in public ranges, for example 151.192.172.1, can also match.
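The packet layout described above, as an added example that is not code from the article: it builds and validates the 102-byte magic packet and flags magic packets sent by hosts that are not expected to wake machines, which is the 8 LAN behaviour a defender would want to spot in network telemetry. The sample datagrams and allow-list are constructed.

```python
WOL_SYNC = b"\xff" * 6                    # six 0xFF bytes, as the article states
WOL_MAC_REPEATS = 16
WOL_PACKET_LEN = 6 + 6 * WOL_MAC_REPEATS  # 102 bytes in total


def build_magic_packet(mac: str) -> bytes:
    """Sync stream followed by the 6-byte target MAC repeated 16 times."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("MAC must be 6 bytes")
    return WOL_SYNC + raw * WOL_MAC_REPEATS


def parse_magic_packet(payload: bytes):
    """Return the target MAC (colon form) for a well-formed magic packet, else None."""
    if len(payload) != WOL_PACKET_LEN or payload[:6] != WOL_SYNC:
        return None
    mac = payload[6:12]
    if payload[6:] != mac * WOL_MAC_REPEATS:  # all 16 repeats must be identical
        return None
    return ":".join(f"{b:02x}" for b in mac)


def unexpected_wol_senders(datagrams, allowed_senders):
    """(source, target MAC) pairs for magic packets from hosts outside the allow-list.

    A workstation that starts emitting magic packets for many MACs is the
    behaviour the article attributes to Ryuk's 8 LAN process.
    """
    hits = []
    for src, payload in datagrams:
        mac = parse_magic_packet(payload)
        if mac is not None and src not in allowed_senders:
            hits.append((src, mac))
    return hits


# Constructed sample UDP datagrams as (source IP, payload); not real captures.
ALLOWED_WOL_SENDERS = {"192.168.56.10"}  # e.g. the admin's own WoL tool (assumed)
SAMPLE_DATAGRAMS = [
    ("192.168.56.2", build_magic_packet("00:11:22:33:44:55")),   # suspicious
    ("192.168.56.2", build_magic_packet("00:11:22:33:44:56")),   # suspicious
    ("192.168.56.10", build_magic_packet("66:77:88:99:aa:bb")),  # allowed sender
    ("192.168.56.2", b"\xff" * 5 + b"\x00" * 97),                # not a magic packet
]

if __name__ == "__main__":
    for src, mac in unexpected_wol_senders(SAMPLE_DATAGRAMS, ALLOWED_WOL_SENDERS):
        print(f"unexpected Wake on Lan from {src} targeting {mac}")
```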

Flawed check for private IP ranges
If one of the above subnets is found, the ransomware starts sending ICMP Echo requests through the API to discover machines on that subnet. A machine that responds is treated as a potential victim, and Ryuk tries to encrypt the files on it.
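The substring flaw described above, as an added illustration rather than code from the article: a strstr-style check beside a correct range check, run over constructed addresses. The needle strings are an assumption chosen to reproduce the article's 151.192.172.1 case, since the page does not show the exact strings Ryuk compares.

```python
import ipaddress

# Assumed needles for illustration: the article says Ryuk matches the 10.x,
# 172.16.x and 192.168.x ranges with strstr but does not print the exact
# strings, so these are hypothetical.
PRIVATE_NEEDLES = ("10.", "172.1", "192.168")


def is_private_strstr(addr: str) -> bool:
    """Ryuk-style check: a needle anywhere in the dotted string counts as a match."""
    return any(needle in addr for needle in PRIVATE_NEEDLES)


def is_private_correct(addr: str) -> bool:
    """Proper check: parse the address and test RFC 1918 range membership."""
    try:
        ip = ipaddress.IPv4Address(addr)
    except ipaddress.AddressValueError:
        return False
    return any(ip in net for net in (
        ipaddress.IPv4Network("10.0.0.0/8"),
        ipaddress.IPv4Network("172.16.0.0/12"),
        ipaddress.IPv4Network("192.168.0.0/16"),
    ))


def false_positives(addrs):
    """Public addresses the substring check would treat as internal."""
    return [a for a in addrs if is_private_strstr(a) and not is_private_correct(a)]


def false_negatives(addrs):
    """Private addresses the substring check misses."""
    return [a for a in addrs if is_private_correct(a) and not is_private_strstr(a)]


SAMPLE_ADDRS = [          # constructed sample, not taken from a real host
    "192.168.56.2",       # private host from the article's schtasks example
    "151.192.172.1",      # the public address the article cites
    "8.8.8.8",            # public, no needle present
    "172.31.4.7",         # private, but "172.1" never occurs in it
    "203.0.113.10",       # public; ends in "10" but never contains "10."
]

if __name__ == "__main__":
    print("false positives:", false_positives(SAMPLE_ADDRS))  # ['151.192.172.1']
    print("false negatives:", false_negatives(SAMPLE_ADDRS))  # ['172.31.4.7']
```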

ICMP Echo Request
Ryuk tries to encrypt the files on each host it finds in the same way as for local drives. The ransomware builds a UNC path for every drive letter (A to Z) in the form \\<IP>\<drive letter>$ and then tries to access and encrypt the path \\<IP>. Such an attempt is shown in the figure below.

Encrypting files over UNC
REPLICATION OVER SERVER MESSAGE BLOCK (SMB)
The Ryuk process launched with the command line 9 REP is responsible for replicating the malware to new computers, first checking that it is not already running. To do this, a mutex is created whose name matches the machine's username. If the mutex already exists, the process terminates.

Creating a mutex
In the next step, Ryuk checks whether its files already exist on the remote computer using the GetFileAttributesW API. It builds a UNC path and tries to access the C:\Users\Public folder on the remote computer. The file is created with a name made up of the checksum of the current username with the suffix r.exe appended.

Copying the Ryuk file
The ransomware then uses the CopyFileW API to copy the file to the remote computer. To execute this copy remotely, the malware creates a scheduled task with a random name using the schtasks.exe tool.

Creating a remote service
Thus, for each compromised remote machine, two commands are executed:
Code:
schtasks.exe /Create /S 192.168.56.2 /TN qdpRGwh /TR "C:\\Users\\Public\\622r.exe" /sc once /st 00:00 /RL HIGHEST
schtasks.exe /S 192.168.56.2 /Run /TN qdpRGwh
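The command lines this article shows Ryuk running (the icacls grant, the taskkill and net stop loop, the print-job task and the remote schtasks pair above) give a defender concrete process-creation telemetry to hunt for. As an added example, not part of the article, the following matches those commands against constructed process-creation events and flags hosts where several of the behaviours coincide; the (host, command line) event layout and the pattern names are assumptions.

```python
import re

# Regexes derived from the command lines the article shows Ryuk running; the
# (host, command line) event layout below is constructed for this example.
RYUK_COMMAND_PATTERNS = {
    "icacls_grant_everyone": re.compile(
        r'icacls\s+"?[A-Z]:\\\*"?\s+/grant\s+Everyone:F\s+/T', re.I),
    "taskkill_force": re.compile(r'taskkill(\.exe)?\s+/IM\s+\S+\s+/F\b', re.I),
    "net_stop_yes": re.compile(r'\bnet(\.exe)?\s+stop\s+\S+\s+/y\b', re.I),
    "print_ransom_note_task": re.compile(
        r'schtasks.*for /l %x in \(1,1,50\) do start wordpad\.exe /p', re.I),
    "remote_task_create": re.compile(
        r'schtasks(\.exe)?\s+/Create\s+/S\s+\S+.*/TR\s+"[^"]*\\+Users\\+Public\\+[^"]*\.exe"', re.I),
    "remote_task_run": re.compile(r'schtasks(\.exe)?\s+/S\s+\S+\s+/Run\s+/TN', re.I),
}


def classify(cmdline: str):
    """Names of every Ryuk command pattern that matches one command line."""
    return [name for name, pat in RYUK_COMMAND_PATTERNS.items() if pat.search(cmdline)]


def scan(events):
    """Map host -> set of pattern names seen, for hosts with at least one hit."""
    hits = {}
    for host, cmdline in events:
        for name in classify(cmdline):
            hits.setdefault(host, set()).add(name)
    return hits


def likely_ryuk_hosts(events, min_patterns=3):
    """Hosts showing several distinct Ryuk behaviours; a single hit may be admin work."""
    return sorted(h for h, names in scan(events).items() if len(names) >= min_patterns)


# Constructed process-creation events as (host, command line); not real logs.
SAMPLE_EVENTS = [
    ("WS01", r'icacls "C:\*" /grant Everyone:F /T /C /Q'),
    ("WS01", r'C:\Windows\System32\taskkill.exe /IM sqlservr.exe /F'),
    ("WS01", r'C:\Windows\System32\net.exe stop ExampleBackupSvc /y'),
    ("WS01", r'SCHTASKS /CREATE /NP /SC DAILY /TN "PrintvE" /TR "C:\Windows\System32\cmd.exe '
             r'/c for /l %x in (1,1,50) do start wordpad.exe /p C:\users\Public\YTKkI.dll" /ST 10:25'),
    ("WS01", r'schtasks.exe /Create /S 192.168.56.2 /TN qdpRGwh /TR "C:\Users\Public\622r.exe" /sc once /st 00:00 /RL HIGHEST'),
    ("WS01", r'schtasks.exe /S 192.168.56.2 /Run /TN qdpRGwh'),
    ("ADMIN01", r'icacls "D:\share" /grant Alice:R'),  # legitimate ACL change
    ("ADMIN01", r'net.exe stop spooler'),              # no /y, ordinary admin work
]

if __name__ == "__main__":
    print(likely_ryuk_hosts(SAMPLE_EVENTS))  # ['WS01']
```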
CONCLUSION
This short report provides a technical description of the Ryuk ransomware and new features that have been incorporated into its code to increase the damage done to victim organizations.
Interestingly, Ryuk's attention has shifted towards web servers: instead of encrypting the index files in web server folders, the software replaces them with a ransom message. In addition, the Ryuk developers have added to the malware the ability to print the ransom message on the default printer.
In the first half of the year, several hacker groups using Ryuk ran active campaigns against organizations around the world. That is why the cybercriminals who use Ryuk will keep adding new features and working methods to maximize their profits.