Ryuk Ransomware Attack Sprung by Frugal Student

The student opted for “free” software packed with a keylogger that grabbed credentials later used by “Totoro” to get into a biomolecular institute. 

A European biomolecular research institute involved in COVID-19 research lost a week’s worth of research data, all thanks to a Ryuk ransomware attack traced back to a student trying to save money by buying unlicensed software.

Security researchers at Sophos described the attack in a report published on Thursday, after the security firm’s Rapid Response team was called in to mop up the mess.

Hey, everybody makes mistakes, the researchers said. That frugal student made a few of them. But the student’s goof-ups advanced to a full-fledged ransomware attack because there weren’t security measures in place to stop those missteps from happening, the researchers said.

Remote-Access Slipups

As so many organizations do, the institute allows outsiders to access its network via their personal computers. They can do so by using remote Citrix sessions that don’t require two-factor authentication (2FA).

The lack of required 2FA should raise red flags right there, never mind the fact that Citrix is one of the most widely used platforms that threat actors are actively looking to exploit so as to steal credentials. In April, the U.S. National Security Agency (NSA)  issued an alert warning that nation-state actors were exploiting  vulnerabilities that affect VPNs, collaboration-suite software and virtualization technologies.

zoho webinar promo

Join Threatpost for “Fortifying Your Business Against Ransomware, DDoS & Cryptojacking Attacks” a LIVE roundtable event on Wednesday, May 12 at 2:00 PM EDT for this FREE webinar sponsored by Zoho ManageEngine.

That included Citrix, along with Fortinet, Pulse Secure, Synacor and VMware, all of them being  in the crosshairs of the advanced persistent threat (APT) group known as APT29 (a.k.a. Cozy Bear or The Dukes). The NSA said at the time that APT29  is conducting “widespread scanning and exploitation against vulnerable systems in an effort to obtain authentication credentials to allow further access.”

Starving Student Was Hungry for a ‘Deal’

In this case, the student was looking for a personal copy of a data visualization software tool the person was already using for work. The license would have cost hundreds of dollars per year, so the student started looking around for a free alternative. When the kid didn’t find that in legitimate form, the hunt was on for a cracked version of the software.

Unfortunately, the student found one. Also unfortunately, he or she apparently wasn’t aware of how evil cracked software can be. Cracking software has led to the evolution of badware such as remote-access trojans (RATs) and cryptocurrency stealers as cybercriminals work to make their tools slip through defenses more easily. Cracked apps in and of themselves can also be receptacles to stuff full of malware.

“The file was in fact pure malware,” Sophos researchers said. The student decided to disable Microsoft’s Windows Defender antivirus, which sniffed a threat when the student tried to install it, because hey, free software.

From what security researchers can tell from the laptop – which was handed over for forensics after the ransomware attack unfurled – the student also had to disable the firewall to coax the time-bomb onto the computer.

From Cracked Software to Malware Install

Once installed, the cracked copy of the visualization tool installed an info-stealer that went to work logging keystrokes; stealing browser, cookie and clipboard data; and more. The keylogger also stumbled across the jackpot: The student’s access credentials for the institute’s network.

Fast-forward 15 days, and a remote desktop protocol (RDP) connection was registered on the institute’s network using those stolen credentials. Researchers noted that the connection was made from a computer named after “Totoro,” the adorable and massively popular anime character.

RDPs have been used in plenty of attacks, including being used to exploit BlueKeep. One of the features of RDP, researchers explained, is that a connection also triggers the automatic installation of a printer driver, enabling users to print documents remotely. In this instance, the RDP connection used a Russian-language printer driver that “was likely to be a rogue connection,” they said. Ten days after the RDP connection was made, Ryuk was triggered.

Peter Mackenzie, manager of Rapid Response at Sophos, said that whoever was behind the cracked software was unlikely to be the same threat actor that was behind the resulting Ryuk attack.

“The underground market for previously compromised networks offering attackers easy initial access is thriving, so we believe that the malware operators sold their access on to another attacker,” he wrote in the report. “The RDP connection could have been the access-brokers testing their access.”

Ransomware’s Coming In Fast and Furious

Lesley Carhart, a principal industrial incident responder at Dragos, recently noted how underreported ransomware attacks like this one really are. “This isn’t something that happens to other people,” she said in a Tweet stream on Tuesday. “You’re not too big, too small, too hybrid, too virtualized or too ‘zero trust’. I promise. Things are very bad. Be prepared now and take serious mitigating measures.”

Word, Mackenzie said. Bingo. Exactly. He told Threatpost in an email on Thursday that ransomware is “going through a gold rush” that’s been getting “almost exponentially worse over the last 5 years.”

Security experts are all singing the same tune: Namely, that attacks are getting more vicious and more destructive, with extra time and effort spent on the removal of backups prior to ransomware deployment. Attackers are honing their nasty craft, as well: “They are becoming more sophisticated with new techniques designed to avoid detection, like running in virtual machines, Windows safe mode or completely fileless,” Mackenzie told Threatpost. “The easy access of advanced tools such as Cobalt Strike make even amateur attacks devastating.

“On top of all this, you have a multitude of new extreme pressure tactics put on victims, with the exfiltration and leaking of data, email and phone calls to staff, informing the victims, customers, journalists, and even the stock market,” he continued. “Admins and senior management are under extreme pressure during one of these attacks, not to mention that the ransom demands have skyrocketed, from what used to be $300 per machine to tens of millions for entire estates.”

When we say “vicious,” we’re talking about ransomware thugs that have no qualms about targeting healthcare organizations during a pandemic. That’s the type of gang behind Ryuk, which is what Mackenzie says is generally considered one of the most dangerous groups around. “They are highly professional and have access to a wide range of resources,” he told Threatpost. “They have been launching attacks on a regular basis for several years now and show no sign of stopping. Estimates on the amount of ransom demands they have received start in the hundreds of millions up to the billions. They are also one of the few groups still actively targeting healthcare organizations even during a global pandemic.”

What Could Have Kept Ryuk at Bay: The Basics

There’s no magic bullet. Carhart said that to prevent ransomware attacks, organizations need “basic security hygiene and the investment in enabling it,” mentioning the same defensive mechanisms that might have helped in this case: “Stuff like MFA on VPN and cloud services, routine backups saved offline, limiting account [permissions], planning for an incident and rebuild.”

Sophos’s Mackenzie echoes what Carhart said: Robust network authentication and access controls, plus end user training, “might” have prevented this attack from happening. “It serves as a powerful reminder of how important it is to get the security basics right,” he said. Sophos has a guide, The State of Ransomware 2021, with recommendations on how to raise the drawbridge and keep the ransomware rabble where they belong: in the moat, with the alligators and piranhas.

But here’s a TL;DR cheatsheet with the basic, crucial safeguards:

  1. Enable multifactor authentication (MFA), where possible, for anyone required to access internal networks, including external collaborators and partners
  2. Have a strong, password policy in place for everyone required to access internal networks
  3. Decommission and/or upgrade any unsupported operating systems and applications
  4. Review and install security software on all computers
  5. Regularly review and install the latest software patches on all computers – and check they’ve been installed correctly
  6. Review the use of proxy servers and regularly check security policies to prevent access to malicious websites and/or the downloading of malicious files by anyone on the network
  7. Lock down remote desktop RDP access with static Local Area Network (LAN) rules, via a group policy or using access control lists
  8. Implement segregation for any network access, including for LANs (or consider using virtual LANs) and where necessary use hardware/software/access control lists
  9. Continuously review domain accounts and computers, removing any that are unused or not needed
  10. Review firewall configurations and only whitelist traffic intended for known destinations
  11. Limit the use of admin accounts by different users as this encourages credential-sharing that can introduce many other security vulnerabilities

5/6/2021 23:02 UPDATE: Added additional input from Sophos’s Peter Mackenzie.

Join Threatpost for “Fortifying Your Business Against Ransomware, DDoS & Cryptojacking Attacks” – a LIVE roundtable event on Wed, May 12 at 2:00 PM EDT. Sponsored by Zoho ManageEngine, Threatpost host Becky Bracken moderates an expert panel discussing best defense strategies for these 2021 threats. Questions and LIVE audience participation encouraged. Join the lively discussion and Register HERE for free.

Suggested articles