A new version of the Ryuk ransomware is capable of worm-like self-propagation within a local network, researchers have found.
The variant first emerged in Windows-focused campaigns earlier in 2021, according to the French National Agency for the Security of Information Systems (ANSSI). The agency said that it achieves self-replication by scanning for network shares, and then copying a unique version of the ransomware executable (with the file name rep.exe or lan.exe) to each of them as they’re found.
“Ryuk looks for network shares on the victim IT infrastructure. To do so, some private IP ranges are scanned: 10.0.0.0/8; 172.16.0.0/16; and 192.168.0.0/16,” according to a recent ANSSI report. “Once launched, it will thus spread itself on every reachable machine on which Windows Remote Procedure Call accesses are possible.”
The fresh version of Ryuk also reads through infected devices’ Address Resolution Protocol (ARP) tables, which store the IP addresses and MAC addresses of any network devices that the machines communicate with. Then, according to ANSSI, it sends a “Wake-On-LAN” packet to each host, in order to wake up powered-off computers.
“It generates every possible IP address on local networks and sends an ICMP ping to each of them,” according to ANSSI. “It lists the IP addresses of the local ARP cache and sends them a [wake-up] packet.”
For each identified host, Ryuk will then attempt to mount possible network shares using SMB, or Server Message Block, according to the report. SMB is a Windows function that allows the sharing, opening or editing files with/on remote computers and servers.
Once all of the available network shares have been identified or created, the payload is then installed on the new targets and is self-executed using a scheduled task, allowing Ryuk to encrypt the targets’ content and delete any Volume Shadow Copies to prevent file recovery.
“The scheduled task is created through a call to the schtasks.exe system tool, a native-Windows tool,” ANSSI explained.
The files are encrypted using Microsoft CryptoAPI with the AES256 algorithm, using a unique AES key which is generated for each file. The AES key is also wrapped with an RSA public key stored in the binary code, according to the analysis.
The malware also interrupts multiple programs based on hardcoded lists, including a list of 41 processes to be killed (task kill) and a list of 64 services to stop, ANSSI found.
How to Contain a Ryuk Worm Infection
As for avoiding infection, Ryuk ransomware is usually loaded by an initial “dropper” malware that acts as the tip of the spear in any attack; these include Emotet, TrickBot, Qakbot and Zloader, among others. From there, the attackers look to escalate privileges in order to set up for lateral movement.
An effective defense thus should involve developing countermeasures that will prevent that initial foothold.
Once infected, things become more complicated. In the 2021 campaign observed by ANSSI researchers, the initial infection point is a privileged domain account. And the analysis shows that the worm-like spread of this version of Ryuk can’t be thwarted by choking off this initial infection point.
“A privileged account of the domain is used for malware propagation,” according to the report. “If this user’s password is changed, the replication will continue as long as the Kerberos tickets [authentication keys] are not expired. If the user account is disabled, the issue will remain the same.”
And on top of the self-propagation functions, this version of Ryuk also lacks any exclusion mechanisms, meaning that there’s nothing preventing infections of the same machine over and over again, which makes fumigation more difficult.
Previous versions of the malware used Mutual Exclusion Objects (MUTEX) to make sure that any given host had access to only one Ryuk process at a time.
“As the malware does not check if a machine has already been infected, no simple system object creation that could prevent infection,” according to the ANSSI report.
One way to tackle an active infection, ANSSI recommended, would be to change the password or disable the account for the privileged user, and then proceed to force a domain password change through KRBTGT. The KRBTGT is a local default account found in Active Directory that acts as a service account for the Key Distribution Center (KDC) service for Kerberos authentication.
“This would induce many disturbances on the domain – and most likely require many reboots – but would also immediately contain the propagation,” according to ANSSI.
Ryuk: A Many-Headed Beast
The Ryuk ransomware was first observed in 2018, as a variant of the Hermes 2.1 ransomware. But unlike Hermes, it’s not peddled on underground markets like the Exploit forum.
“A doubt…remains as to the origins of Ryuk,” according to ANSSI’s report. “The appearance of Ryuk could…be a result of the acquisition of the Hermes 2.1 source code by another attacker group, which may have developed Ryuk from this starting point.”
Deloitte researchers have theorized that Ryuk is sold as a toolkit to attacker groups, which use it to develop their own “flavors” of the ransomware. There could therefore be as many variants as there are attacker groups that buy the code.
In early 2021, it was estimated that Ryuk operators have raked in at least $150 million, according to an examination of the malware’s money-laundering operations.