How the Ryuk ransomware that attacks businesses works

Ryuk is one of the best-known ransomware families of the last few years. Since it first appeared in the summer of 2018, it has built up an impressive list of victims, especially in corporate environments, which are the main target of its attacks.

1. General information

This document contains an analysis of a Ryuk ransomware variant, together with the loader responsible for delivering the malware to the system.

Ryuk ransomware first appeared in the summer of 2018. One thing that sets Ryuk apart from other ransomware is that it is aimed at attacking corporate environments.

In mid-2019, cybercriminal groups attacked a large number of Spanish companies using this ransomware.

Fig. 1: El Confidencial report on a Ryuk ransomware incident [1]
Fig. 2: El País report on an attack using Ryuk ransomware [2]

This year, Ryuk has attacked many companies in many countries. As the figures below show, Germany, China, Algeria and India were the hardest hit.

Comparing the numbers of cyberattacks, we can see that Ryuk has affected millions of users and compromised a huge amount of data, causing serious economic losses.

Fig. 3: Overview of Ryuk activity worldwide

Fig. 4: The 16 countries most affected by Ryuk

Fig. 5: Number of users attacked by Ryuk ransomware (in millions)

As is usual for threats of this kind, once encryption is complete the ransomware shows the victim a ransom note demanding payment in bitcoins to the address given in order to regain access to the encrypted files.

This malware has changed since it was first introduced. The variant of the threat analysed in this document was discovered during an attempted attack in January 2020.

Because of its complexity, this malware is usually attributed to organised cybercriminal groups, also known as APT groups.

Part of the Ryuk code bears a noticeable resemblance to the code and structure of another well-known ransomware, Hermes, with which it shares a number of identical functions. This is why Ryuk was initially linked to the North Korean Lazarus group, which at the time was thought to be behind the Hermes ransomware.

CrowdStrike's Falcon X service later reported that Ryuk was in fact created by the WIZARD SPIDER group [4].

There is some evidence to support this assumption. First, this ransomware was advertised on the exploit.in site, a well-known Russian malware marketplace that has previously been associated with some Russian APT groups. This fact rules out the theory that Ryuk could have been developed by the Lazarus APT group, since it does not fit the way that group operates.

In addition, Ryuk was advertised as ransomware that would not run on Russian, Ukrainian and Belarusian systems. This behaviour comes from a feature found in some versions of Ryuk, which check the language of the system the ransomware is running on and abort execution if the system language is Russian, Ukrainian or Belarusian. Finally, expert analysis of a machine compromised by the WIZARD SPIDER group revealed several "artifacts" that were allegedly used in developing Ryuk as a variant of the Hermes ransomware.

On the other hand, the researchers Gabriela Nicolao and Luciano Martins have suggested that the ransomware may have been developed by the CryptoTech APT group [5]. This follows from the fact that a few months before Ryuk appeared, this group posted on the forum of the same site that it had developed a new version of the Hermes ransomware.

Several forum users questioned whether CryptoTech really did create Ryuk. The group defended itself and stated that it had proof that it had developed 100% of the ransomware.

2. Characteristics

We begin with the loader, whose job is to identify the system it is on so that the appropriate version of the Ryuk ransomware can be dropped. The loader's hashes are as follows:

MD5 A73130B0E379A989CBA3D695A157A495
SHA256 EF231EE1A2481B7E627921468E79BB4369CCFAEB19A575748DD2B664ABC4F469

One characteristic of this downloader is that it contains no metadata, i.e. the authors of this malware did not include any information in it.

Sometimes authors include false data to trick the user into thinking they are running a legitimate application. However, as we will see later, if the infection does not involve user interaction (as is the case with this ransomware), the attackers do not consider metadata necessary.

Fig. 6: Sample metadata

The sample is compiled as a 32-bit binary so that it can run on both 32-bit and 64-bit machines.

3. Entry vector

The sample that downloads and runs Ryuk entered our system via a remote connection, and the credentials were obtained through a prior RDP attack.

Fig. 7: Attack log

The attacker managed to log into the system remotely. He then created an executable file containing our sample. This executable was blocked by the antivirus before it could run.

Fig. 8: Blocked by pattern

Fig. 9: Blocked by pattern

When the malicious file was blocked, the attacker tried to download an encrypted version of the executable, which was also blocked.

Fig. 10: Set of samples the attacker tried to run

Finally, he tried to download another malicious file through an encrypted PowerShell console to bypass the antivirus protection. That was blocked too.

Fig. 11: PowerShell with malicious content blocked

Fig. 12: PowerShell with malicious content blocked

4. Loader

When it runs, it writes a ReadMe file to the %temp% folder, which is typical of Ryuk. This file is the ransom note and contains a protonmail email address, which is very common in this malware family: [email protected]

Fig. 13: Ransom note

While the loader is running, you can see it launch several executable files with random names. They are stored, hidden, in the PUBLIC folder; unless the "Show hidden files and folders" option is enabled in the operating system, they remain invisible. Moreover, these files are 64-bit, unlike the parent file, which is 32-bit.

Fig. 14: Executable files launched by the sample

As the figure above shows, Ryuk launches icacls.exe, which is used to modify all ACLs (access control lists), thereby guaranteeing itself access and changing the flags.

It grants full access to all users on all files of the device (/T), ignoring errors (/C) and without displaying messages (/Q).

Fig. 15: Execution parameters of icacls.exe launched by the sample

It is important to note that Ryuk checks which version of Windows it is running on. To do this it performs a version check with GetVersionExW, inspecting the version fields returned in the OSVERSIONINFOW structure passed as lpVersionInformation to find out whether the current Windows version is newer than Windows XP.

Depending on whether a version later than Windows XP is running, the loader writes to the local user folder, in this case the %Public% folder.

Fig. 17: Checking the operating system version

The file written is Ryuk. The loader then runs it, passing its own path as a parameter.

Fig. 18: Running Ryuk via ShellExecute

The first thing Ryuk does is read its input parameters. In this case there are two (its own executable and the path of the dropper), which are used to remove its traces.

Fig. 19: Process creation

You can also see that once it has launched its executables, it deletes itself, leaving no trace of itself in the folder from which it was run.

Fig. 20: Deleting the file

5. RYUK

5.1 Persistence
Ryuk, like other malware, tries to stay on the system for as long as possible. As shown above, one way to achieve this is to create and run executable files covertly. To do this, the most common practice is to modify the CurrentVersion\Run registry key. In this case you can see that, for this purpose, the first file launched, VWjRF.exe (the file name is generated randomly), launches cmd.exe.

Fig. 21: Executing VWjRF.exe

It then writes a RUN value with the name "svchos". So if you ever inspect the registry keys, it is easy to miss this change, given how similar the name is to svchost. Through this value, Ryuk ensures its presence on the system: if the system has not yet been infected, the executable will try again when the system is rebooted.

Fig. 22: The sample ensures persistence through the registry key

We can also see that this executable stops two services:
"audioendpointbuilder", which, as its name suggests, corresponds to the system audio,

Fig. 23: The sample stops the audio service

and "samss", the Security Accounts Manager service. Stopping these two services is characteristic of Ryuk. In this case, if the system is connected to a SIEM, the ransomware tries to stop alerts from being sent. In this way it protects its next steps, since some SAM services will not be able to start working correctly after Ryuk runs.

Fig. 24: The sample stops the Samss service

5.2 Privileges

Generally speaking, Ryuk starts from lateral movement within the network or is launched by other malware such as Emotet or Trickbot, which, in the case of privilege escalation, hand the elevated rights over to the ransomware.

First, as a prelude to the privilege escalation process, we see it call ImpersonateSelf, which means that the security context of the access token is passed to the thread, where it is immediately retrieved with GetCurrentThread.

Fig. 25: Call to ImpersonateSelf

We then see that it associates an access token with the thread. We also see that one of the flags is DesiredAccess, which controls the access the thread will have. In this case the value that edx receives should be TOKEN_ALL_ACCESS or, alternatively, TOKEN_WRITE.

Fig. 26: Creating the thread token

It then uses SeDebugPrivilege and makes a call to obtain debug privileges for the thread, which results in PROCESS_ALL_ACCESS, so it can access any process it needs. Now, given that the encryptor already has a prepared thread, all that remains is to go to the final stage.

Fig. 27: Call to SeDebugPrivilege and the privilege escalation function

On the one hand we have LookupPrivilegeValueW, which gives us the information needed about the privileges we want to raise.

Fig. 28: Requesting information about privileges for privilege escalation

On the other hand we have AdjustTokenPrivileges, which lets us obtain the required rights for our thread. Here the most important thing is NewState, whose flag grants the privileges.

Fig. 29: Setting token privileges

5.3 Injection

In this section we show how the sample carries out the injection process mentioned earlier in this report.

The main purpose of the injection process, together with the escalation, is to gain access to the shadow copies. To do this it needs to operate with a thread that has higher privileges than the local user. Once it has such privileges, it deletes the shadow copies and alters other processes so that it becomes impossible to roll the operating system back to an earlier restore point.

As is usual for this type of malware, it uses CreateToolhelp32Snapshot to take a snapshot of the running processes and tries to gain access to them with OpenProcess. Once it has access to a process, it also opens a token with its information to obtain the process parameters.

Fig. 30: Retrieving the processes on the computer

We can see dynamically how it obtains the list of running processes in routine 140002D9C using CreateToolhelp32Snapshot. Having obtained them, it walks the list, trying to open the processes one by one with OpenProcess until it succeeds. In this case, the first process it was able to open was "taskhost.exe".

Fig. 31: Dynamically executing the procedure to obtain a process

We can see that it then reads the process token information, calling OpenProcessToken with the parameter "20008" (0x20008 is TOKEN_READ, i.e. STANDARD_RIGHTS_READ | TOKEN_QUERY).

Fig. 32: Reading the process token information

It also checks that the process it is going to inject into is not csrss.exe, explorer.exe or lsass.exe, and whether it is running under NT AUTHORITY.

Fig. 33: Excluded processes

We can see dynamically that it first performs a check on the process token information in routine 140002d9c to determine whether the account under which the process runs is the NT AUTHORITY account.

Fig. 34: NT AUTHORITY check

And then, outside the procedure, it checks that the process is not csrss.exe, explorer.exe or lsass.exe.

Fig. 35: NT AUTHORITY check

Once it has taken a snapshot of the processes, opened them and verified that none of them is excluded, it is ready to write into the memory of the process to be injected.

To do this, it first reserves a region of memory (VirtualAllocEx), writes to it (WriteProcessMemory) and creates a thread (CreateRemoteThread). To work with these functions, it uses the PIDs of the selected processes that it previously obtained with CreateToolhelp32Snapshot.

Fig. 36: Code injection

Here we can see how it calls VirtualAllocEx using the process PID.
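The behaviour described in sections 4, 5.1 and 5.3 (the recursive icacls grant, the lookalike "svchos" Run value, the two service stops, and a remote thread created from a random-named binary in Users\Public) leaves traces in process-creation, registry and CreateRemoteThread telemetry. The Go program below is an added example, not code from the report or from PandaLabs: it runs a few detection rules over constructed Sysmon-style records. The record layout, the exact icacls and net stop command lines and the alert wording are assumptions, since the report only describes the effect of those commands.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Event is a record in the style of Sysmon Event IDs 1 (process create), 13 (registry value set)
// and 8 (CreateRemoteThread), reduced to the fields the rules below use.
type Event struct {
	ID      int
	Image   string // acting process; for ID 8 the source of the remote thread
	Parent  string // ID 1: parent process
	Cmd     string // ID 1: command line
	Target  string // ID 13: registry path incl. value name; ID 8: process receiving the thread
	Details string // ID 13: value data
}

// Samples is constructed telemetry (not real logs) mirroring the behaviour described above; the
// icacls syntax and the "net stop" wrapper are assumed forms, the report only describes their effect.
var Samples = []Event{
	{ID: 1, Image: `C:\Windows\System32\icacls.exe`, Parent: `C:\Users\Public\VWjRF.exe`,
		Cmd: `icacls "C:\*" /grant Everyone:F /T /C /Q`},
	{ID: 13, Image: `C:\Windows\System32\reg.exe`, Details: `C:\Users\Public\VWjRF.exe`,
		Target: `HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\svchos`},
	{ID: 1, Image: `C:\Windows\System32\net.exe`, Parent: `C:\Windows\System32\cmd.exe`, Cmd: `net stop audioendpointbuilder /y`},
	{ID: 1, Image: `C:\Windows\System32\net.exe`, Parent: `C:\Windows\System32\cmd.exe`, Cmd: `net stop samss /y`},
	{ID: 8, Image: `C:\Users\Public\VWjRF.exe`, Target: `C:\Windows\System32\taskhost.exe`},
	// Benign records that must not fire.
	{ID: 1, Image: `C:\Windows\System32\net.exe`, Parent: `C:\Windows\System32\cmd.exe`, Cmd: `net stop Spooler`},
	{ID: 13, Image: `C:\Program Files\Vendor\setup.exe`, Details: `C:\Program Files\Vendor\upd.exe`,
		Target: `HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdater`},
}

var (
	// Legitimate names a Run value name is compared against; "svchos" is one edit from "svchost".
	lookalikeTargets = []string{"svchost", "lsass", "csrss", "explorer", "winlogon"}
	// Services whose stopping is characteristic of this sample.
	stoppedServices = map[string]bool{"audioendpointbuilder": true, "samss": true}
	netStopRe       = regexp.MustCompile(`(?i)^\s*net1?\s+stop\s+"?([^\s"]+)`)
	icaclsRe        = regexp.MustCompile(`(?i)/grant\s+everyone:f\b.*\s/t\b`)
)

// baseName is the last path or registry component, lower-cased (path/filepath would split on
// the host separator rather than the backslash).
func baseName(p string) string { return strings.ToLower(p[strings.LastIndexAny(p, `\/`)+1:]) }

func inPublic(p string) bool { return strings.Contains(strings.ToLower(p), `\users\public\`) }

// oneEditAway reports whether a and b differ by a single inserted, deleted or substituted byte.
func oneEditAway(a, b string) bool {
	if len(a) < len(b) {
		a, b = b, a
	}
	if len(a)-len(b) > 1 {
		return false
	}
	i, j, edits := 0, 0, 0
	for i < len(a) && j < len(b) {
		if a[i] == b[j] {
			i, j = i+1, j+1
			continue
		}
		if edits++; edits > 1 {
			return false
		}
		i++ // skip the extra byte of the longer string ...
		if len(a) == len(b) {
			j++ // ... or treat the mismatch as a substitution when lengths match
		}
	}
	return edits+(len(a)-i) <= 1
}

// Analyze runs the rules over the events and returns one alert line per hit.
func Analyze(events []Event) []string {
	var alerts []string
	for _, e := range events {
		switch e.ID {
		case 1:
			if baseName(e.Image) == "icacls.exe" && icaclsRe.MatchString(e.Cmd) {
				alerts = append(alerts, "icacls: recursive Everyone:F grant launched by "+e.Parent)
			}
			if m := netStopRe.FindStringSubmatch(e.Cmd); m != nil && stoppedServices[strings.ToLower(m[1])] {
				alerts = append(alerts, "service stop: "+strings.ToLower(m[1]))
			}
		case 13:
			if !strings.Contains(strings.ToLower(e.Target), `\currentversion\run\`) {
				continue
			}
			name := baseName(e.Target)
			for _, legit := range lookalikeTargets {
				if name != legit && oneEditAway(name, legit) {
					alerts = append(alerts, fmt.Sprintf("run key: value %q mimics %q -> %s", name, legit, e.Details))
				}
			}
		case 8:
			if inPublic(e.Image) {
				alerts = append(alerts, fmt.Sprintf("remote thread: %s -> %s", e.Image, e.Target))
			}
		}
	}
	return alerts
}

func main() {
	for _, a := range Analyze(Samples) {
		fmt.Println("ALERT", a)
	}
}
```

The lookalike rule is the one worth generalising: comparing the Run value name against a short list of system process names by edit distance catches "svchos" without a fixed string that the next build can trivially change, while the exact-name comparison a registry audit usually does would miss it.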

Fig. 37: Call to VirtualAllocEx

5.4 Encryption
In this section we look at the encryption part of this sample. In the figure below you can see two subroutines, called "LoadLibrary_EncodeString" and "Encode_Func", which are responsible for carrying out the encryption procedure.

Fig. 38: Encryption procedure

At the start we can see how it loads the string that will later be used to deobfuscate everything it needs: imports, DLLs, commands, files and CSPs.

Fig. 39: Deobfuscation routine

The figure below shows the first import it deobfuscates in register R4, LoadLibrary. This is used later to load the required DLLs. We can also see another string in register R12, which is used together with the previous one to perform the deobfuscation.

Fig. 40: Dynamic deobfuscation

It goes on to load the commands that it will later run to disable backups, restore points and safe boot mode.

Fig. 41: Loading commands

It then loads the path where it will drop 3 files: Windows.bat, run.sct and start.bat.

Fig. 42: File paths

These 3 files are used to check the permissions each location has. If the required permissions are not available, Ryuk stops execution.

It continues by loading the strings for three files. First, DECRYPT_INFORMATION.html, which contains the information needed to recover the files. Second, PUBLIC, which contains the RSA public key.

Fig. 43: DECRYPT INFORMATION.html string

Third, UNIQUE_ID_DO_NOT_REMOVE, which contains the encrypted key that will be used in the next routine to carry out the encryption.

Fig. 44: UNIQUE ID DO NOT REMOVE string

Finally, it loads the required libraries together with the imports and CSPs (Microsoft Enhanced RSA and AES Cryptographic Provider).

Fig. 45: Loading libraries

Once all the deobfuscation is complete, it begins the actions required for encryption: enumerating all logical drives, executing the commands loaded in the previous routine, reinforcing its presence on the system, dropping the RyukReadMe.html file, encryption, enumerating all network drives, moving to the discovered devices and encrypting them.
It all starts with loading "cmd.exe" and the RSA public key file.

Fig. 46: Preparing for encryption

It then obtains all the logical drives with GetLogicalDrives and disables all backups, restore points and safe boot mode.

Fig. 47: Disabling the recovery tools

Next it reinforces its presence on the system, as we saw above, and writes the first RyukReadMe.html file to Temp.

Fig. 48: Writing the ransom note

In the figure below you can see how it creates the file, loads the content and writes it:

Fig. 49: Loading and writing the file contents

To be able to apply the same changes on all devices, it uses icacls.exe, as we showed above.

Fig. 50: Using icacls.exe

And finally, it starts encrypting files, except for "*.exe" and "*.dll" files, system files and the other locations listed in its encrypted whitelist. For this it uses the imports CryptAcquireContextW (where the use of AES and RSA is specified), CryptDeriveKey, CryptGenKey, CryptDestroyKey, etc. It also tries to extend its reach to network devices it discovers with WNetEnumResourceW and then to access them.
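The imports listed above (CryptAcquireContextW with the RSA and AES provider, CryptGenKey, CryptDestroyKey) describe a hybrid scheme: a fresh symmetric key per file, and that key wrapped with an RSA public key the ransomware carries with it, so that only the holder of the matching private key can unwrap it. The Go program below is an added illustration of that structure together with the extension whitelist check; it is not Ryuk's code or the report's. AES-256-CBC with PKCS#7 padding, PKCS#1 v1.5 key wrapping, the output layout and the skip lists are all assumptions made for the illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"errors"
	"fmt"
	"strings"
)

// Extensions and directories the encryptor leaves alone. The report names *.exe, *.dll and
// "system files"; the full whitelist is not reproduced, so this subset is an assumption.
var (
	skipExt  = map[string]bool{".exe": true, ".dll": true, ".sys": true}
	skipDirs = []string{`\windows\`, `\program files\`}
)

// ShouldEncrypt applies the whitelist: first by extension, then by directory.
func ShouldEncrypt(path string) bool {
	lower := strings.ToLower(path)
	name := lower[strings.LastIndexAny(lower, `\/`)+1:]
	if i := strings.LastIndex(name, "."); i >= 0 && skipExt[name[i:]] {
		return false
	}
	for _, d := range skipDirs {
		if strings.Contains(lower, d) {
			return false
		}
	}
	return true
}

func pkcs7Pad(b []byte, n int) []byte {
	p := n - len(b)%n
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(p)}, p)...)
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 {
		return nil, errors.New("empty plaintext")
	}
	p := int(b[len(b)-1])
	if p == 0 || p > aes.BlockSize || p > len(b) || bytes.Count(b[len(b)-p:], []byte{byte(p)}) != p {
		return nil, errors.New("bad padding")
	}
	return b[:len(b)-p], nil
}

// EncryptFile is the per-file step. A random 256-bit AES key plays the role of CryptGenKey's
// session key, the padded content is encrypted under it in CBC mode, and the key is wrapped with
// the attacker's RSA public key (the key carried in the PUBLIC file). The output layout
// [RSA-wrapped key][16-byte IV][ciphertext] is an assumption for this illustration.
func EncryptFile(pub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	key := make([]byte, 32)
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(plaintext, aes.BlockSize)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	wrapped, err := rsa.EncryptPKCS1v15(rand.Reader, pub, key) // PKCS#1 v1.5, the CryptoAPI SIMPLEBLOB default
	if err != nil {
		return nil, err
	}
	for i := range key { // CryptDestroyKey's role: the plaintext file key does not outlive this call
		key[i] = 0
	}
	return append(append(wrapped, iv...), ct...), nil
}

// DecryptFile is what only the private-key holder can do: unwrap the per-file key, then decrypt.
// With the wrong private key the unwrap step fails, which is the whole point of the scheme.
func DecryptFile(priv *rsa.PrivateKey, blob []byte) ([]byte, error) {
	n := priv.Size()
	if len(blob) < n+aes.BlockSize || (len(blob)-n-aes.BlockSize)%aes.BlockSize != 0 {
		return nil, errors.New("malformed blob")
	}
	key, err := rsa.DecryptPKCS1v15(rand.Reader, priv, blob[:n])
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv, ct := blob[n:n+aes.BlockSize], blob[n+aes.BlockSize:]
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pkcs7Unpad(pt)
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	blob, _ := EncryptFile(&priv.PublicKey, []byte("constructed sample document"))
	fmt.Printf("encrypted blob: %d bytes, the first %d of them the RSA-wrapped file key\n", len(blob), priv.Size())
}
```

The practical consequence for responders is visible in the structure: the per-file AES key never exists in plaintext on disk, and the embedded public key cannot unwrap anything, so recovering files without the operator's private key is not a matter of finding a key on the host but of having backups the malware could not reach.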

Fig. 51: Encrypting system files

6. Imports and corresponding flags

Below is a table listing the most relevant imports and flags used by the sample:

(Table of imports and flags: image in the original, not reproduced here.)

7. IOCs

(IOC table: image in the original, not reproduced here.)

Artifacts

  • \Users\Public\run.sct
  • Start Menu\Programs\Startup\start.bat
  • AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.bat

This analytical report on the Ryuk ransomware was prepared by the experts of the PandaLabs antivirus laboratory.

8. References

1. "Everis y Prisa Radio sufren un grave ciberataque que secuestra sus sistemas." https://www.elconfidencial.com/tecnologia/2019-11-04/everis-la-ser-ciberataque-ransomware-15_2312019/, published 04/11/2019.

2. "Un virus de origen ruso ataca a importantes empresas españolas." https://elpais.com/tecnologia/2019/11/04/actualidad/1572897654_251312.html, published 04/11/2019.

3. "Story of the year 2019: Cities under ransomware siege." https://securelist.com/story-of-the-year-2019-cities-under-ransomware-siege/95456/, published 11/12/2019.

4. "Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware." https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/, published 10/01/2019.

5. "VB2019 paper: Shinigami's revenge: the long tail of the Ryuk malware." https://www.virusbulletin.com/virusbulletin/2019/10/vb2019-paper-shinigamis-revenge-long-tail-r

Source: www.hab.com