What is Ryuk?
In the autumn of 2018, a modified version of the Hermes ransomware was discovered: Ryuk. Hermes and Ryuk share similar characteristics: both identify and encrypt network devices and delete the shadow copies stored on the endpoints. The only difference is how they create the encryption keys: while Hermes uses an RSA public and private key pair, Ryuk uses a second RSA public key.
Ryuk ransomware is more lucrative than its predecessor. It targets large organizations and government agencies that end up paying large sums. The truth is that without the big payoffs, running Ryuk attacks is not sustainable: they involve a high degree of manual work (direct exploitation, payment requests handled via email, etc.), and the attackers don't want to waste time if the ROI isn't good.
How Does Ryuk Work?
Ryuk ransomware is not the beginning but the end of an infection cycle. It is ransomware that takes shape step by step, and when it strikes, it is lethal.
Here’s how Ryuk Ransomware spreads:
It all starts with a phishing email, a visit to a sketchy website, or a click on a random popup. Bots like TrickBot and Emotet give the attackers direct access to the victim's network. Emotet and TrickBot then spread laterally through the network and deploy Ryuk ransomware. Generally, there is a delay between the spread of the bots and the deployment of Ryuk. This delay allows Emotet and TrickBot to steal sensitive information, leaving organizations exposed even before the Ryuk attack itself.
Once Ryuk ransomware is deployed, it checks whether the system is suited for it. The dropped binary follows a fixed procedure: the dropper identifies the system and determines whether a 32- or 64-bit module is needed, drops the version of the malware that matches the system, and runs it using ShellExecuteW.
Once the attackers find a suitable system, two files are dropped into a subfolder inside the directory:
- PUBLIC: RSA Public Key
- UNIQUE_ID_DO_NOT_REMOVE: Hardcoded Key
This is where Ryuk begins the encryption process.
It sweeps through the local file systems and attached drives, and enumerates reachable network shares with WNetOpenEnum and WNetEnumResource, to initiate encryption. Each file is encrypted, and the encryption key is destroyed once it has served its purpose.
Ryuk Ransomware Injection
Ryuk injects its code into several remote processes, and so begins the vicious cleanup. Using taskkill and net stop commands, it works through a preconfigured list of 40 processes and 180 services and kills or stops each of them. These include antivirus tools, databases, backups, and other software.
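A defender-side check for the behaviour just described, added here as an example (not code from the original article or from any vendor): it scans process-creation records and flags hosts where taskkill / net stop commands are launched in a burst, which is what working through a list of 40 processes and 180 services looks like in endpoint telemetry. The record format, the window and threshold, and every process and service name in the sample data are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the two command shapes described above: "taskkill ..." and "net stop <service>".
# A leading path (C:\Windows\System32\taskkill.exe) and quoting are tolerated.
TASKKILL_RE = re.compile(r'(?:^|[\\/"\s])taskkill(?:\.exe)?"?(?=\s|$)', re.IGNORECASE)
NETSTOP_RE = re.compile(r'(?:^|[\\/"\s])net1?(?:\.exe)?"?\s+stop\s+\S', re.IGNORECASE)


def is_kill_or_stop(cmdline: str) -> bool:
    """True if a process-creation command line is a taskkill or net stop invocation."""
    return bool(TASKKILL_RE.search(cmdline) or NETSTOP_RE.search(cmdline))


def detect_kill_bursts(events, window_seconds=60, threshold=8):
    """events: iterable of (host, ISO-8601 timestamp, command line). Returns {host: peak_count}
    for hosts with at least `threshold` taskkill / net stop launches inside one sliding window."""
    per_host = defaultdict(list)
    for host, ts, cmd in events:
        if is_kill_or_stop(cmd):
            per_host[host].append(datetime.fromisoformat(ts))
    window, alerts = timedelta(seconds=window_seconds), {}
    for host, times in per_host.items():
        times.sort()
        start = peak = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward past old launches
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[host] = peak
    return alerts


# Constructed sample records (host, timestamp, command line) standing in for
# Sysmon Event ID 1 / Security 4688 output; process and service names are invented.
WS01_CMDS = [
    "taskkill /IM dbengine.exe /F", "taskkill /IM backupagent.exe /F",
    'net stop "AV Realtime Service"', "net stop BackupSvc", "net stop DbSvc",
    r'"C:\Windows\System32\taskkill.exe" /IM avservice.exe /F',
    r"C:\Windows\System32\net1.exe stop MailSvc", "taskkill /IM mailstore.exe /F",
    "net stop IndexSvc", "taskkill /IM indexer.exe /F",
]
SAMPLE_EVENTS = [("WS01", f"2018-10-03T02:14:{i:02d}", c) for i, c in enumerate(WS01_CMDS)]
SAMPLE_EVENTS += [
    ("WS02", "2018-10-03T08:00:00", "net stop Spooler"),      # lone admin action, no alert
    ("WS02", "2018-10-03T11:30:00", "net start Spooler"),
    ("WS02", "2018-10-03T11:31:00", "netstat -an"),            # must not match "net stop"
]

if __name__ == "__main__":
    print(detect_kill_bursts(SAMPLE_EVENTS))   # {'WS01': 10}
```

The same sliding-window count can be fed from a SIEM query in place of the inline sample; a legitimate administrator rarely stops more than a handful of services within a minute, so the threshold mainly needs tuning for patch-automation hosts.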
Here’s a list of services stopped by Ryuk: