Ryuk Ransomware: Now with Worming Self-Propagation


The Ryuk scourge has a new trick in its arsenal: Self-replication via SMB shares and port scanning.

A new version of the Ryuk ransomware is capable of worm-like self-propagation within a local network, researchers have found.

The variant first emerged in Windows-focused campaigns earlier in 2021, according to the French National Agency for the Security of Information Systems (ANSSI). The agency said that it achieves self-replication by scanning for network shares, and then copying a unique version of the ransomware executable (with the file name rep.exe or lan.exe) to each of them as they’re found.

“Ryuk looks for network shares on the victim IT infrastructure. To do so, some private IP ranges are scanned: 10.0.0.0/8; 172.16.0.0/16; and 192.168.0.0/16,” according to a recent ANSSI report. “Once launched, it will thus spread itself on every reachable machine on which Windows Remote Procedure Call accesses are possible.”

The fresh version of Ryuk also reads through infected devices’ Address Resolution Protocol (ARP) tables, which store the IP addresses and MAC addresses of any network devices that the machines communicate with. Then, according to ANSSI, it sends a “Wake-On-LAN” packet to each host, in order to wake up powered-off computers.

“It generates every possible IP address on local networks and sends an ICMP ping to each of them,” according to ANSSI. “It lists the IP addresses of the local ARP cache and sends them a [wake-up] packet.”

For each identified host, Ryuk then attempts to mount any reachable network shares using SMB (Server Message Block), according to the report. SMB is the Windows network file-sharing protocol that lets files on remote computers and servers be shared, opened or edited.

Once all of the available network shares have been identified or created, the payload is then installed on the new targets and is self-executed using a scheduled task, allowing Ryuk to encrypt the targets’ content and delete any Volume Shadow Copies to prevent file recovery.

“The scheduled task is created through a call to the schtasks.exe system tool, a native-Windows tool,” ANSSI explained.
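The propagation chain ANSSI describes leaves three observable traces on the originating host: a burst of SMB (445/tcp) connections to many peers, a copy of the ransomware named rep.exe or lan.exe written to a remote share, and a schtasks.exe invocation that creates a task pointing at that copy. The following triage script is an added example, not code from Threatpost or ANSSI; it runs detection logic over a small set of constructed Sysmon-style events (the event field names, host names, IP addresses, timestamps and the 20-peer sweep threshold are all assumptions, not real telemetry) and emits one alert per matched behaviour.

```python
"""Defender-side triage of Sysmon-style events for the self-propagating
Ryuk pattern: rep.exe/lan.exe dropped onto a remote share, schtasks.exe
used to launch it, and one host fanning out over SMB (445/tcp).

Added example; the event format is a simplified, constructed stand-in for
Sysmon ProcessCreate / FileCreate / NetworkConnect events (assumption).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# File names the ANSSI report attributes to the worming variant.
RYUK_DROP_NAMES = {"rep.exe", "lan.exe"}
# Distinct 445/tcp peers inside one window before we call it a sweep
# (assumption: tune to the environment's normal SMB fan-out).
SMB_SWEEP_PEERS = 20
SMB_SWEEP_WINDOW = timedelta(minutes=5)


def _basename(path):
    """Last path component, tolerant of UNC and forward-slash paths."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def _is_unc(path):
    """True for \\\\host\\share\\... paths, i.e. a write to a remote share."""
    return path.startswith("\\\\")


def _max_peers_in_window(conns):
    """Largest number of distinct peers one host contacted inside any
    SMB_SWEEP_WINDOW; returns (count, window_start)."""
    conns = sorted(conns)
    best, best_start = 0, None
    for i, (start, _) in enumerate(conns):
        peers = {ip for ts, ip in conns[i:] if ts - start <= SMB_SWEEP_WINDOW}
        if len(peers) > best:
            best, best_start = len(peers), start
    return best, best_start


def detect(events):
    """Return a list of alerts, each a dict with rule, host and detail."""
    alerts = []
    smb = defaultdict(list)  # host -> [(timestamp, dst_ip)]
    for ev in events:
        kind = ev["event"]
        if kind == "FileCreate":
            target = ev["target"]
            # Ryuk copy landing on another machine's share.
            if _basename(target) in RYUK_DROP_NAMES and _is_unc(target):
                alerts.append({"rule": "ryuk_copy_to_share",
                               "host": ev["host"], "detail": target})
        elif kind == "ProcessCreate":
            cmd = ev["cmdline"].lower()
            # Scheduled task whose action is the dropped executable.
            if ("schtasks" in cmd and "/create" in cmd
                    and any(n in cmd for n in RYUK_DROP_NAMES)):
                alerts.append({"rule": "ryuk_schtasks_launch",
                               "host": ev["host"], "detail": ev["cmdline"]})
        elif kind == "NetworkConnect" and ev["dst_port"] == 445:
            smb[ev["host"]].append((datetime.fromisoformat(ev["ts"]), ev["dst_ip"]))
    # SMB fan-out is judged per source host after all events are read.
    for host, conns in smb.items():
        count, start = _max_peers_in_window(conns)
        if count >= SMB_SWEEP_PEERS:
            alerts.append({"rule": "smb_sweep", "host": host,
                           "detail": f"{count} distinct 445/tcp peers within "
                                     f"{SMB_SWEEP_WINDOW} from {start.isoformat()}"})
    return alerts


def sample_events():
    """Constructed sample telemetry (not real data): one quiet host WS-03
    and one host WS-17 exhibiting all three behaviours."""
    base = datetime(2021, 3, 1, 9, 0, 0)
    events = [
        {"event": "FileCreate", "host": "WS-03",
         "target": r"C:\Users\jdoe\Downloads\report.exe"},
        {"event": "ProcessCreate", "host": "WS-03",
         "cmdline": "schtasks.exe /query /fo LIST"},
    ]
    for i in range(3):  # a little ordinary SMB traffic from WS-03
        events.append({"event": "NetworkConnect", "host": "WS-03",
                       "dst_ip": f"10.0.9.{10 + i}", "dst_port": 445,
                       "ts": (base + timedelta(seconds=30 * i)).isoformat()})
    for i in range(1, 26):  # WS-17 walks a /24 over 445/tcp in under two minutes
        events.append({"event": "NetworkConnect", "host": "WS-17",
                       "dst_ip": f"10.0.5.{i}", "dst_port": 445,
                       "ts": (base + timedelta(seconds=4 * i)).isoformat()})
    events.append({"event": "FileCreate", "host": "WS-17",
                   "target": r"\\FS-02\C$\Windows\Temp\rep.exe"})
    events.append({"event": "ProcessCreate", "host": "WS-17",
                   "cmdline": r'schtasks.exe /S FS-02 /create /tn "WindowsUpdate" '
                              r'/tr "C:\Windows\Temp\rep.exe" /sc once /st 09:05'})
    return events


if __name__ == "__main__":
    for alert in detect(sample_events()):
        print(alert["rule"], alert["host"], alert["detail"])
```

Each rule on its own is noisy (administrators also write to C$ and create scheduled tasks remotely); correlating all three on the same source host within a few minutes is what turns them into a high-confidence signal, and that source host is where containment should start.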

Files are encrypted with AES-256 via Microsoft CryptoAPI, using a unique AES key generated for each file. Each AES key is in turn wrapped with an RSA public key embedded in the binary, according to the analysis.

The malware also terminates multiple programs based on hardcoded lists: 41 processes to be killed (via task kill) and 64 services to be stopped, ANSSI found.

How to Contain a Ryuk Worm Infection

As for avoiding infection, Ryuk ransomware is usually loaded by an initial “dropper” malware that acts as the tip of the spear in any attack; these include Emotet, TrickBot, Qakbot and Zloader, among others. From there, the attackers look to escalate privileges in order to set up for lateral movement.

An effective defense thus should involve developing countermeasures that will prevent that initial foothold.

Once infected, things become more complicated. In the 2021 campaign observed by ANSSI researchers, the initial infection point is a privileged domain account. And the analysis shows that the worm-like spread of this version of Ryuk can’t be thwarted by choking off this initial infection point.

“A privileged account of the domain is used for malware propagation,” according to the report. “If this user’s password is changed, the replication will continue as long as the Kerberos tickets [authentication keys] are not expired. If the user account is disabled, the issue will remain the same.”

And on top of the self-propagation functions, this version of Ryuk also lacks any exclusion mechanisms, meaning that there’s nothing preventing infections of the same machine over and over again, which makes fumigation more difficult.

Previous versions of the malware used mutual exclusion objects (mutexes) to ensure that any given host ran only one Ryuk process at a time.

“As the malware does not check if a machine has already been infected, no simple system object creation could prevent infection,” according to the ANSSI report.

One way to tackle an active infection, ANSSI recommended, would be to change the password or disable the account for the privileged user, and then proceed to force a domain password change through KRBTGT. The KRBTGT is a local default account found in Active Directory that acts as a service account for the Key Distribution Center (KDC) service for Kerberos authentication.

“This would induce many disturbances on the domain – and most likely require many reboots – but would also immediately contain the propagation,” according to ANSSI.

Ryuk: A Many-Headed Beast

The Ryuk ransomware was first observed in 2018, as a variant of the Hermes 2.1 ransomware. But unlike Hermes, it’s not peddled on underground markets like the Exploit forum.

“A doubt…remains as to the origins of Ryuk,” according to ANSSI’s report. “The appearance of Ryuk could…be a result of the acquisition of the Hermes 2.1 source code by another attacker group, which may have developed Ryuk from this starting point.”

Deloitte researchers have theorized that Ryuk is sold as a toolkit to attacker groups, which use it to develop their own “flavors” of the ransomware. There could therefore be as many variants as there are attacker groups that buy the code.

In early 2021, it was estimated that Ryuk operators have raked in at least $150 million, according to an examination of the malware’s money-laundering operations.


Discussion

  • Todd on

    Um, what? I have information on a very clear, documented and recovered (without ransom) RYUK attack that used port scanning and SMB replication in May of 2017 also via lan.exe. How is this a "new threat" based on the use of SMB transports and port scanning? I promise the first variant of such an attack did not occur in 2021. Following airgap and isolation procedures, oddly enough it was CDW's security researchers who realized the encryption was propagating via SMB, allowing us to shut it down through group policy deployment for isolation and recovery.
  • Todd on

    Sorry, Trickbot harvest was May 2017, the subsequent Ryuk attack began on 5/5/2018 propagating via SMB and port scanning.
  • Todd on

    "The Ryuk ransomware was first observed in August 2018". One more time. I helped a couple of companies RECOVER from RYUK attacks, back in business full speed before June 2018. It was definitely "observed" by many in the industry starting in April-May 2018. Lots of servers and all their files found with the .ryk extension well before August of 2018!
    • Tara Seals on

      Thanks Todd. Obviously we're not privy to all of the incident response and research that goes on behind the scenes and especially of course not information that isn't published publicly. So thanks for this -- we appreciate any contribution to the greater understanding of the evolution of the threat for our readers.
  • Anonymous on

    Where can I get a ryuk toolkit....asking for a friend...
  • Gernot Ueblacker on

    The AndroidSystem app hits me No Root Firewall at a Singapore IP 47.88.229.74.9000. It's tied to Alibaba, the Google of China.
  • Gernot on

    And TeleEpoch is my host on WiFi and they too are Chinese. And everybody's USERNAME in MS Environmental Variables has been switched from username to SYSTEM which logs on with elevated privileges and impersonates the local user. Welcome to #Mornins12IsbadBIOS
