New Ryuk Strain Discovery
The new Ryuk ransomware strain was discovered by ANSSI in early 2021 while responding to an incident. The details of ANSSI’s findings are provided in a report issued by CERT-FR, France’s Computer Emergency Response Team. Traditionally Ryuk needed to be spread manually from device to device. Attackers would first need to gain remote access to the victim’s network. They then would conduct a manual reconnaissance of the victim’s systems to identify how to move laterally. Until recently, it was believed that Ryuk was unable to move laterally within an infected network automatically. This all changed with the discovery of the new variant. The new Ryuk ransomware strain has worm-like capabilities that allow it to spread automatically within infected networks. This allows the attackers to disperse their malware more rapidly and infect more systems. It also decreases the likelihood of being discovered before the malware has had a chance to encrypt the victim’s files.
How Does the New Strain Self-Spread?
According to CERT-FR’s report, the new Ryuk variant mimics the worm-like behavior “through the use of scheduled tasks”. Ryuk creates the scheduled task using the Schtasks.exe system tool, a native Windows tool, to spread within a Windows domain. It spreads from one device to another on which Remote Procedure Calls (RPCs) are possible. RPCs are used by Windows processes to communicate with each other. To identify all devices on the infected network, Ryuk scans Address Resolution Protocol (ARP) tables held in the local ARP cache. This provides the malware with a list of the network devices’ IP and MAC addresses. It then sends the identified IP addresses a packet, probably using the Wake-on-LAN (WoL) feature, to identify all sharing resources on the devices. It was discovered in 2019 that Ryuk can also use WoL to turn on switched off devices so that it can encrypt them. The malware then creates a copy of itself on each target device. In addition, it remotely creates a scheduled task on each subsequent compromised device to execute itself on these devices. It is these last two steps that differentiates the new Ryuk strain from previous versions. Ryuk then mounts the devices resources to encrypt their content. “Once launched, it will thus spread itself on every reachable machine on which Windows RPC accesses are possible,” the report states.
Self-Spread Difficult to Stop
The report says that the self-spread of the new Ryuk strain is difficult to stop. Nonetheless, it provides a couple of alternatives to halt its spread. One alternative involves changing the password of the privileged domain account the malware is using to propagate itself from device to device. “Then proceed to a double KRBTGT domain password change,” the report recommends. “This would induce many disturbances on the domain – and most likely require many reboots but would also immediately contain the propagation. Other propagation containment approaches could also be considered, especially through the targeting of the malware execution environment,” it goes on to say.
Ryuk’s Attack History
Ryuk was first identified in August 2018. Since then, it has compromised many firms, with these being chosen on their ability to pay high ransoms. In other words, Ryuk has concentrated on Big Game Hunting rather than targeting a specific sector. Nevertheless, Ryuk seems to be targeting firms in the US and Canada most. Threat intelligence firms estimate that the Ryuk operations made at least $150 million last year. The largest payment it received from a single victim is believed to be 2,200 bitcoins, which equates to $34 million. Reportedly, on average Ryuk ransomware has attacked roughly 20 firms per week. Furthermore, the Ryuk group and actors using their ransomware, have reportedly been behind a large wave of attacks on the US healthcare sector. Including an attack on a major universal health services hospital chain last year. Actors using Ryuk are believed to have been attacking this sector since the first half of 2019.