How the Ryuk ransomware that attacks businesses works

Ryuk is one of the best-known ransomware families of the last few years. Since it first appeared in the summer of 2018, it has amassed an impressive list of victims, especially in business environments, which are the main target of its attacks.

1. General information

This document contains an analysis of the Ryuk ransomware variant, as well as the downloader responsible for loading the malware into the system.

The Ryuk ransomware first appeared in the summer of 2018. One of the differences between Ryuk and other ransomware is that it is aimed at attacking corporate environments.

In mid-2019, cybercriminal groups attacked a large number of Spanish companies using this ransomware.

Fig. 1: Excerpt from El Confidencial about the Ryuk ransomware attack [1]

Fig. 2: Excerpt from El País about the Ryuk ransomware attack [2]

This year, Ryuk attacked a large number of companies in various countries. As you can see in the pictures below, Germany, China, Algeria and India have been hit the hardest.

Comparing the numbers of attacks, we can see that Ryuk has affected millions of users, compromised a huge amount of data and caused serious economic damage.

Fig. 3: Ryuk's global activity

Fig. 4: The 16 countries most affected by Ryuk

Fig. 5: Number of users attacked by Ryuk ransomware (in millions)

As is usual for this kind of threat, once encryption is complete the ransomware shows the victim a ransom note; the ransom must be paid in bitcoin to the specified address in order to restore access to the encrypted files.

This malware has changed since it first appeared. The variant analyzed in this paper was discovered during an attack attempt in January 2020.

Because of its complexity, this malware is often attributed to organized cybercrime groups, also known as APTs.

Part of the Ryuk code bears a noticeable resemblance to the code and structure of another well-known ransomware, Hermes, with which it shares a number of functions. That is why Ryuk was initially associated with the North Korean Lazarus group, which at the time was suspected of being behind the Hermes ransomware.

Subsequently, CrowdStrike's Falcon X service noted that Ryuk was actually created by the WIZARD SPIDER group [4].

There is some evidence to support this attribution. Firstly, the ransomware was advertised on exploit.in, a well-known Russian malware marketplace that was previously associated with some Russian APT groups. This rules out the theory that Ryuk was developed by the Lazarus APT group, as it does not fit the way that group operates.

In addition, Ryuk was advertised as ransomware that would not work on Russian, Ukrainian or Belarusian systems. This behavior corresponds to a feature found in some versions of Ryuk, which check the language of the system they run on and stop if it is Russian, Ukrainian or Belarusian. Finally, forensic analysis of a machine compromised by the WIZARD SPIDER group uncovered several "artifacts" that were allegedly used in developing Ryuk as a variant of the Hermes ransomware.

On the other hand, researchers Gabriela Nicolao and Luciano Martins have suggested that the ransomware may have been developed by the CryptoTech APT group [5]. This follows from the fact that, a few months before Ryuk appeared, this group posted on the forum of the same site that they had developed a new version of the Hermes ransomware.

Several forum users questioned whether CryptoTech had really created Ryuk. The group defended themselves and stated that they had evidence that they had developed 100% of this ransomware.

2. Characteristics

We start with the loader, whose job is to identify the system it is running on so that the "correct" version of the Ryuk ransomware can be run. The loader's hashes are:

  • MD5: A73130B0E379A989CBA3D695A157A495
  • SHA256: EF231EE1A2481B7E627921468E79BB4369CCFAEB19A575748DD2B664ABC4F469

One feature of this loader is that it contains no metadata, i.e. the creators of this malware did not include any information in it.

Sometimes malware authors include false metadata to make the user think they are running a legitimate application. However, as we will see later, when the infection does not involve user interaction (as is the case with this ransomware), attackers do not consider metadata necessary.

Fig. 6: Sample metadata

The sample was compiled as a 32-bit binary so that it can run on both 32-bit and 64-bit systems.

3. Penetration vector

The sample that downloads and runs Ryuk entered our system via a remote connection; the access credentials had been obtained through a prior RDP attack.

Fig. 7: Attack record

The attacker managed to log into the system remotely. He then created an executable file containing our sample. This executable was blocked by the antivirus solution before it could run.

Fig. 8: Sample blocked

Fig. 9: Sample blocked

When the malicious file was blocked, the attacker tried to download an encrypted version of the executable, which was also blocked.

Fig. 10: The set of samples the attacker tried to run

Finally, he tried to download another malicious file through an encoded PowerShell command line in order to bypass the antivirus protection. This was also blocked.

Fig. 11: PowerShell with malicious content blocked

Fig. 12: PowerShell with malicious content blocked

4. Loader

When executed, it writes a ReadMe file to the %Temp% folder, which is typical for Ryuk. This file is a ransom note containing an email address in the protonmail domain, which is common in this malware family: [email protected]

Fig. 13: Ransom note

While the loader is running, you can see that it launches several randomly named executables. They are stored in the hidden PUBLIC folder; unless the "Show hidden files and folders" option is enabled in the operating system, they remain hidden. Moreover, these files are 64-bit, unlike the parent file, which is 32-bit.

Fig. 14: Executables run by the sample

As you can see in the figure above, Ryuk runs icacls.exe, which it uses to change the ACLs (access control lists), thereby guaranteeing itself access and changing the flags.

It grants full access to all users on all files on the device, recursing through subfolders (/T), continuing regardless of errors (/C) and without displaying any messages (/Q).

Fig. 15: Command-line options of icacls.exe as launched by the sample
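As an added example (not code from the PandaLabs report), the following Python flags icacls command lines that match the pattern described above: a full-control grant to a broad principal combined with /T, /C and /Q. The process-creation events and the exact argument order are constructed for illustration; the page shows the options the sample uses, not its full command line.

```python
"""Flag icacls.exe invocations that weaken ACLs in the bulk, silent way
described above. Added example; log layout and command lines are constructed."""

# Principals for which a full-control grant on every file is hard to justify.
BROAD_PRINCIPALS = {"everyone", "users", "authenticated users", "*s-1-1-0", "*s-1-5-11"}
BULK_FLAGS = {"/t", "/c", "/q"}  # recurse, continue on errors, quiet


def analyse_icacls(cmdline):
    """Return {'target', 'flags', 'grants'} for an icacls command line, else None."""
    tokens = cmdline.split()
    if not tokens:
        return None
    exe = tokens[0].strip('"').lower()
    if exe not in ("icacls", "icacls.exe") and not exe.endswith("\\icacls.exe"):
        return None
    flags = {t.lower() for t in tokens[1:] if t.startswith("/")}
    grants = []
    for i, t in enumerate(tokens[1:], start=1):
        # /grant and /grant:r take "principal:permissions" as the next argument
        if t.lower() in ("/grant", "/grant:r") and i + 1 < len(tokens):
            principal, _, perms = tokens[i + 1].partition(":")
            grants.append((principal.strip('"').lower(), perms.upper()))
    target = tokens[1].strip('"') if len(tokens) > 1 else ""
    return {"target": target, "flags": flags, "grants": grants}


def is_suspicious(info):
    """True when a broad principal receives full control (F) and the change is
    applied in bulk (/T /C /Q together) or against a wildcard drive root."""
    if info is None:
        return False
    broad_full = any(p in BROAD_PRINCIPALS and "F" in perms for p, perms in info["grants"])
    bulk = BULK_FLAGS <= info["flags"]
    wildcard_root = info["target"] == "*" or info["target"].endswith(":\\*")
    return broad_full and (bulk or wildcard_root)


# Constructed process-creation events: (user, command line).
SAMPLE_EVENTS = [
    ("helpdesk", r'icacls "C:\Shares\Reports" /grant Finance:(OI)(CI)M /T'),
    # Assumed shape of the sample's command line (Fig. 15 shows the options only).
    ("SYSTEM", r'icacls "C:\*" /grant Everyone:F /T /C /Q'),
    ("alice", r'"C:\Windows\notepad.exe" C:\notes.txt'),
]


def scan(events):
    """Return the (user, cmdline) events whose icacls usage matches the pattern."""
    return [(user, cmd) for user, cmd in events if is_suspicious(analyse_icacls(cmd))]


if __name__ == "__main__":
    for user, cmd in scan(SAMPLE_EVENTS):
        print(f"suspicious icacls by {user}: {cmd}")
```

A legitimate administrative grant to one group on one folder, like the first sample event, is not flagged; only the broad, recursive, silent form is.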

It is important to note that Ryuk checks which version of Windows is running. To do so it calls GetVersionExW and inspects the lpVersionInformation structure to determine whether the current version of Windows is newer than Windows XP.


Depending on whether a version later than Windows XP is running, the loader writes to the local user's folder; in this case, %Public%.

Fig. 17: Checking the operating system version

The file being written is Ryuk itself. The loader then runs it, passing its own path as a parameter.

Fig. 18: Executing Ryuk via ShellExecute

The first thing Ryuk does is read its input parameters. In this case there are two (the executable itself and the dropper's path), and they are used to remove its own traces.

Fig. 19: Creating a process

Once it has run its executables, it deletes itself, leaving no trace of its presence in the folder from which it was executed.

Fig. 20: Deleting the file

5. RYUK

5.1 Persistence

Ryuk, like other malware, tries to remain on the system for as long as possible. As shown above, one way to achieve this is to secretly create and run executables. The most common practice for this is to modify the CurrentVersion\Run registry key. In this case, you can see that the first executable, VWjRF.exe (the file name is randomly generated), runs cmd.exe for this purpose.

Fig. 21: Executing VWjRF.exe

It then adds a Run entry named "svchos". Anyone reviewing the registry keys can quite easily miss this change, given how similar the name is to svchost. Through this key Ryuk ensures its persistence on the system: if the system has not yet been infected, the executable will try again at the next reboot.

Fig. 22: The sample ensures persistence via a registry key
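As an added example (not code from the report), the following Python audits Run-key entries and flags value names one edit away from a well-known Windows binary, such as "svchos" next to svchost, as well as images dropped under the Public folder as described in section 4. The reg-query-style listing is constructed, and the path C:\Users\Public\VWjRF.exe is an assumed value, since the page shows only the entry's name.

```python
"""Audit Windows Run-key entries for Ryuk-style persistence. Added example;
the listing is constructed and the 'svchos' entry data is an assumed value."""
import re

SYSTEM_BINARIES = {"svchost", "explorer", "lsass", "csrss", "winlogon", "services",
                   "taskhost", "spoolsv", "rundll32", "conhost", "smss"}
# The loader stages its randomly named executables under the hidden Public folder.
STAGING_DIRS = ("\\users\\public\\", "\\appdata\\local\\temp\\", "\\windows\\temp\\")
ENTRY_RE = re.compile(r"^\s+(.+?)\s+(REG_[A-Z_]+)\s+(.*)$")


def edit_distance(a, b):
    """Levenshtein distance between two short names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def imitated_binary(name):
    """Return the Windows binary that `name` is exactly one edit away from, else None."""
    name = name.lower()
    if name in SYSTEM_BINARIES:
        return None
    return next((real for real in SYSTEM_BINARIES if edit_distance(name, real) == 1), None)


def image_path(data):
    """Extract the executable path from a Run value (strips quotes and arguments)."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:data.find('"', 1)]
    return data.split(" ")[0]


def parse_run_keys(listing):
    """Parse `reg query <key> /s`-style output into (key, name, type, data) tuples."""
    entries, key = [], None
    for line in listing.splitlines():
        if not line.strip():
            continue
        match = ENTRY_RE.match(line)
        if match:
            entries.append((key, match.group(1), match.group(2), match.group(3)))
        else:
            key = line.strip()  # key path lines have no leading whitespace
    return entries


def audit_run_keys(listing):
    """Return (key, value_name, image, reasons) for every entry worth a closer look."""
    findings = []
    for key, name, _, data in parse_run_keys(listing):
        image = image_path(data)
        stem = image.replace("/", "\\").rsplit("\\", 1)[-1].lower().removesuffix(".exe")
        reasons = [f"'{n}' is one edit away from {imitated_binary(n)}"
                   for n in (name, stem) if imitated_binary(n)]
        if any(d in image.lower() for d in STAGING_DIRS):
            reasons.append(f"image is in a user-writable staging folder: {image}")
        if reasons:
            findings.append((key, name, image, reasons))
    return findings


# Constructed listing in the layout printed by `reg query <key> /s`.
SAMPLE_LISTING = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    svchos    REG_SZ    C:\Users\Public\VWjRF.exe

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
"""
```

Run against real output of `reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /s` (and the HKCU equivalent), the same function returns the entries to review first.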

We can also see that this executable stops two services: "audioendpointbuilder", which, as its name suggests, corresponds to the system audio,

Fig. 23: The sample stops the system audio service

and samss, the Security Accounts Manager service. Stopping these two services is characteristic of Ryuk. If the system is connected to a SIEM, the ransomware thus tries to prevent any alerts from being sent to the SIEM. In this way it protects its next steps, since some SAM services will not be able to start properly after Ryuk has run.

Fig. 24: The sample stops the samss service

5.2 Privileges

Generally speaking, Ryuk begins by moving laterally within the network, or it is launched by other malware such as Emotet or TrickBot, which, if they have escalated privileges, pass those elevated rights on to the ransomware.

Beforehand, as a prelude to the injection process, we see it call ImpersonateSelf, which means that the security context of the access token is applied to the thread, where it is immediately retrieved with GetCurrentThread.

Fig. 25: Call to ImpersonateSelf

We then see that it associates an access token with the thread. One of the parameters is DesiredAccess, which controls the access the thread will have. In this case the value placed in edx should be TOKEN_ALL_ACCESS or, otherwise, TOKEN_WRITE.

Fig. 26: Creating a thread token

It then uses SeDebugPrivilege and makes a call to obtain debug permissions on the thread; as a result, by specifying PROCESS_ALL_ACCESS, it will be able to access any process it needs. Now that the encryptor has a prepared thread, only the final stage remains.

Fig. 27: SeDebugPrivilege call and privilege escalation function

On the one hand, we have LookupPrivilegeValueW, which provides the information needed about the privileges to be elevated.

Fig. 28: Requesting privilege information in order to escalate privileges

On the other hand, we have AdjustTokenPrivileges, which grants the required rights to the thread. Here the most important parameter is NewState, whose flag grants the privileges.

Fig. 29: Setting the permissions for the token

5.3 Injection

In this section we show how the sample performs the injection process mentioned earlier in this report.

The main goal of the injection process, as with escalation, is to gain access to shadow copies. For this it needs a thread with rights higher than those of the local user. As soon as it obtains such rights, it deletes the copies and modifies other processes so that it becomes impossible to return to an earlier restore point in the operating system.

As is common with this type of malware, it uses CreateToolhelp32Snapshot to take a snapshot of the running processes and tries to open those processes with OpenProcess. As soon as it gains access to a process, it also opens that process's token to obtain its parameters.

Fig. 30: Getting the processes from the computer

We can dynamically see how it gets the list of running processes in routine 140002D9C using CreateToolhelp32Snapshot. After receiving it, it walks the list, trying one by one to open the processes with OpenProcess until it succeeds. In this case, the first process it was able to open is taskhost.exe.

Fig. 31: Dynamic execution of the procedure that gets a process

We can see that it subsequently reads the process token information, calling OpenProcessToken with the parameter 20008 (0x20008, i.e. TOKEN_READ).

Fig. 32: Reading process token information

It also checks that the process it will inject into is not csrss.exe, explorer.exe or lsass.exe, and that it does not run with NT AUTHORITY rights.

Fig. 33: Excluded processes

We can dynamically see how it first checks the process token information in 140002D9C to determine whether the account under which the process runs is an NT AUTHORITY account.

Fig. 34: Checking NT AUTHORITY

Later, outside that procedure, it checks that the process is not csrss.exe, explorer.exe or lsass.exe.

Fig. 35: Checking NT AUTHORITY

After it has taken a snapshot of the processes, opened them and verified that none of them is excluded, it is ready to write the code to be injected into the memory of those processes.

To do this, it first reserves a region of memory (VirtualAllocEx), writes to it (WriteProcessMemory) and creates a thread (CreateRemoteThread). These functions take the PIDs of the selected processes, which it obtained earlier via CreateToolhelp32Snapshot.

Fig. 36: Injecting code

Here we can dynamically observe how it uses the process PID to call VirtualAllocEx.

Fig. 37: Calling VirtualAllocEx

5.4 Encryption

In this section we look at the encryption part of this sample. In the following figure you can see two subroutines, "LoadLibrary_EncodeString" and "Encode_Func", which are responsible for the encryption procedure.

Fig. 38: Encryption procedures

At the beginning, we can see it load a string that will later be used to deobfuscate everything it needs: imports, DLLs, commands, files and CSPs.

Fig. 39: Deobfuscation string

The following figure shows the first import it deobfuscates, LoadLibrary, in register R4. This will be used later to load the required DLLs. We can also see another string in register R12 that is used together with the previous one to perform the deobfuscation.

Fig. 40: Dynamic deobfuscation

It goes on to load the commands it will run later to disable backups, restore points and safe boot modes.

Fig. 41: Loading commands

It then loads the locations where it will drop three files: Windows.bat, run.sct and start.bat.

Fig. 42: File locations

These three files are used to check the privileges each location has. If the required privileges are not available, Ryuk stops execution.

It continues loading the strings corresponding to three more files. The first, DECRYPT_INFORMATION.html, contains the information needed to restore the files. The second, PUBLIC, contains the RSA public key.

Fig. 43: DECRYPT_INFORMATION.html string

The third, UNIQUE_ID_DO_NOT_REMOVE, contains the encrypted key that will be used in the next subroutine to perform the encryption.

Fig. 44: UNIQUE_ID_DO_NOT_REMOVE string

Finally, it loads the required libraries together with the required imports and CSPs (Microsoft Enhanced RSA and AES Cryptographic Provider).

Fig. 45: Loading libraries

Once all deobfuscation is complete, it proceeds to perform the actions required for encryption: enumerating all logical drives, executing what was loaded in the previous subroutine, reinforcing its persistence on the system, dropping the RyukReadMe.html file, encrypting, enumerating all network drives, navigating to the discovered devices and encrypting them. It all starts with loading the "cmd.exe" string and the RSA public key entries.

Fig. 46: Preparing for encryption

It then gets all logical drives with GetLogicalDrives and disables all backups, restore points and safe boot modes.

Fig. 47: Deactivating recovery tools

After that, it reinforces its persistence on the system, as we saw above, and writes the first file, RyukReadMe.html, to TEMP.

Fig. 48: Writing the ransom note

In the following figure you can see how it creates the file, loads the content and writes it:

Fig. 49: Loading and writing the contents of the file

To be able to perform the same steps on all devices, it uses "icacls.exe", as shown above.

Fig. 50: Using icacls.exe

Finally, it starts encrypting files, except for "*.exe", "*.dll", system files and other locations specified in an encrypted whitelist. For this it uses the imports CryptAcquireContextW (where the use of AES and RSA is specified), CryptDeriveKey, CryptGenKey, CryptDestroyKey, etc. It also tries to extend its action to discovered network devices using WNetEnumResourceW and then encrypts them.

Fig. 51: Encryption of system files

6. Imports and related flags

Below is a table listing the most relevant imports and flags used by the sample:


7. IOC

  • \Users\Public\run.sct
  • \Start Menu\Programs\Startup\start.bat
  • \AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.bat


Ryuk ransomware technical report compiled by PandaLabs experts.

8. References

1. “Everis y Prisa Radio sufren un grave ciberataque que secuestra sus sistemas.” https://www.elconfidencial.com/tecnologia/2019-11-04/everis-la-ser-ciberataque-ransomware-15_2312019/, published 04/11/2019.

2. “Un virus de origen ruso ataca a importantes empresas españolas.”

3. “Story of the year 2019: Cities under ransomware siege.” https://securelist.com/story-of-the-year-2019-cities-under-ransomware-siege/95456/, published 11/12/2019.

4. “Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware.” https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/, published 10/01/2019.

5. “VB2019 paper: Shinigami's revenge: the long tail of the Ryuk malware.” https://www.virusbulletin.com/virusbulletin/2019/10/vb2019-paper-shinigamis-revenge-long-tail-r

Source: habr.com
