How the Ryuk ransomware that attacks enterprises works


Ryuk is one of the best-known ransomware variants of the past few years. Since it first appeared in the summer of 2018, it has accumulated an impressive list of victims, especially in the business environment, which is its main target.

1. General information

This document contains an analysis of the Ryuk ransomware variant, as well as of the loader responsible for loading the malware into the system.

The Ryuk ransomware first appeared in the summer of 2018. One of the differences between Ryuk and other ransomware is that it is aimed at attacking corporate environments.

In mid-2019, cybercriminal groups attacked a large number of Spanish companies using this ransomware.

Fig. 1: Excerpt from El Confidencial about the Ryuk ransomware attack [1]

Fig. 2: Excerpt from El País about the attack carried out using the Ryuk ransomware [2]
This year, Ryuk has attacked a large number of companies in various countries. As you can see in the figures below, Germany, China, Algeria and India were hit hardest.

Comparing the number of cyberattacks, we can see that Ryuk affected millions of users and compromised a huge amount of data, causing serious economic losses.

Fig. 3: Illustration of Ryuk's global activity

Fig. 4: The 16 countries most affected by Ryuk

Fig. 5: Number of users attacked by the Ryuk ransomware (in millions)

In keeping with the usual operating principle of such threats, this ransomware, once encryption is complete, shows the victim a ransom note that must be paid in bitcoins to a specified address in order to restore access to the encrypted files.

This malware has changed since it was first introduced.
The variant of this threat analysed in this document was discovered during an attempted attack in January 2020.

Because of its complexity, this malware is often attributed to organised cybercriminal groups, also known as APT groups.

Part of the Ryuk code has a noticeable similarity to the code and structure of another well-known ransomware, Hermes, with which it shares a number of identical functions. This is why Ryuk was initially linked to the North Korean Lazarus group, which at the time was suspected of being behind the Hermes ransomware.

CrowdStrike's Falcon X service subsequently noted that Ryuk was in fact created by the WIZARD SPIDER group [4].

There is some evidence supporting this assumption. First, this ransomware was advertised on the website exploit.in, which is a well-known Russian malware marketplace and has previously been linked to some Russian APT groups.
This fact rules out the theory that Ryuk could have been developed by the Lazarus APT group, because it is inconsistent with the way that group operates.

In addition, Ryuk was advertised as ransomware that does not work on Russian, Ukrainian and Belarusian systems. This behaviour is determined by a feature found in some versions of Ryuk, which checks the language of the system on which the ransomware is running and stops execution if the system language is Russian, Ukrainian or Belarusian. Finally, expert analysis of a machine hacked by the WIZARD SPIDER team revealed several "artefacts" that were allegedly used in developing Ryuk as a variant of the Hermes ransomware.

On the other hand, the experts Gabriela Nicolao and Luciano Martins suggested that the ransomware may have been developed by the APT group CryptoTech [5].
This follows from the fact that, several months before Ryuk appeared, this group posted on the forum of the same site that they had developed a new version of the Hermes ransomware.

Several forum users questioned whether CryptoTech had really created Ryuk. The group then defended itself and stated that it had evidence it had developed 100% of the ransomware.

2. Characteristics

We begin with the loader, whose task is to identify the system it is running on so that the "correct" version of the Ryuk ransomware can be launched.
The loader hashes are as follows:

MD5 A73130B0E379A989CBA3D695A157A495
SHA256 EF231EE1A2481B7E627921468E79BB4369CCFAEB19A575748DD2B664ABC4F469

One of the peculiarities of this downloader is that it does not contain any metadata, i.e. the creators of this malware did not include any information in it.

Sometimes they include false data to trick the user into thinking they are running a legitimate application. However, as we will see later, if the infection does not involve user interaction (as is the case with this ransomware), the attackers do not consider it worthwhile to use metadata.

Fig. 6: Sample metadata

The sample was compiled in 32-bit format so that it can run on both 32-bit and 64-bit systems.

3. Penetration vector

The sample that downloads and runs Ryuk entered our system through a remote connection, and the access parameters were obtained through a preliminary RDP attack.

Fig. 7: Attack log

The attacker managed to log in to the system remotely. After that, he created an executable file with our sample.
This executable was blocked by the antivirus solution before it could run.

Fig. 8: Key pattern

Fig. 9: Key pattern

When the malicious file was blocked, the attacker tried to download an encrypted version of the executable, which was also blocked.

Fig. 10: Set of samples the attacker tried to run

Finally, he tried to download another malicious file through an encrypted PowerShell console in order to bypass the antivirus protection. It was blocked as well.

Fig. 11: PowerShell with malicious content blocked

Fig. 12: PowerShell with malicious content blocked

4. Loader

When executed, it writes a ReadMe file to the %temp% folder, which is typical of Ryuk. This file is a ransom note containing an email address in the protonmail domain, which is quite common in this malware family: [email protected]

Fig. 13: Ransom demand

While the loader is running, you can see that it launches several executables with random names. They are stored in the hidden PUBLIC folder, but if the option "Show hidden files and folders" is not enabled in the operating system, they remain hidden. Moreover, these files are 64-bit, unlike the parent file, which is 32-bit.

Fig. 14: Executables launched by the sample
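When triaging such a drop, a responder wants to confirm the bitness relationship described here and in section 2 (32-bit parent, 64-bit children) from the files themselves. The following Python is an added example, not code from the report or from Ryuk: it reads the PE COFF Machine and optional-header Magic fields, and the header-only images it checks are constructed for the demonstration, not the sample's real files.

```python
import struct

IMAGE_FILE_MACHINE_I386 = 0x014C    # COFF Machine for x86
IMAGE_FILE_MACHINE_AMD64 = 0x8664   # COFF Machine for x64
PE32_MAGIC = 0x10B                  # optional header Magic, 32-bit
PE32PLUS_MAGIC = 0x20B              # optional header Magic, 64-bit


def pe_bitness(data: bytes) -> str:
    """Return '32-bit' or '64-bit' from the PE headers, else raise ValueError.

    Walks DOS header -> e_lfanew -> PE signature -> COFF Machine -> optional
    header Magic, and requires Machine and Magic to agree with each other.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 26 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)   # COFF header
    (magic,) = struct.unpack_from("<H", data, e_lfanew + 24)    # optional header
    if machine == IMAGE_FILE_MACHINE_I386 and magic == PE32_MAGIC:
        return "32-bit"
    if machine == IMAGE_FILE_MACHINE_AMD64 and magic == PE32PLUS_MAGIC:
        return "64-bit"
    raise ValueError(f"inconsistent headers: machine=0x{machine:04x} magic=0x{magic:03x}")


def is_pe(data: bytes) -> bool:
    """True when pe_bitness can classify the data, False for anything else."""
    try:
        pe_bitness(data)
        return True
    except ValueError:
        return False


def build_minimal_pe(machine: int, magic: int) -> bytes:
    """Constructed header-only image for the demonstration; not a real sample."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<H", machine) + b"\0" * 18   # 20-byte COFF header
    return dos + coff + struct.pack("<H", magic) + b"\0" * 94


def bitness_mismatches(parent: bytes, dropped: dict) -> list:
    """Names of dropped files whose bitness differs from the parent loader."""
    parent_bits = pe_bitness(parent)
    return [name for name, blob in dropped.items() if pe_bitness(blob) != parent_bits]


# Constructed stand-ins: a 32-bit parent and two dropped files, one of them 64-bit.
PARENT_LOADER = build_minimal_pe(IMAGE_FILE_MACHINE_I386, PE32_MAGIC)
DROPPED = {
    "dropped_a.exe": build_minimal_pe(IMAGE_FILE_MACHINE_AMD64, PE32PLUS_MAGIC),
    "dropped_b.exe": build_minimal_pe(IMAGE_FILE_MACHINE_I386, PE32_MAGIC),
}

if __name__ == "__main__":
    print(pe_bitness(PARENT_LOADER), bitness_mismatches(PARENT_LOADER, DROPPED))
```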

As you can see in the image above, Ryuk launches icacls.exe, which is used to modify all ACLs (access control lists), thereby ensuring access to the files and the ability to change their flags.

It grants full access under all users to all files on the device (/T), regardless of errors (/C) and without displaying any messages (/Q).

Fig. 15: Execution parameters of icacls.exe launched by the sample
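A process-creation log is the natural place to catch this behaviour. The Python below is an added detection example, not from the report: it assumes the sample expresses "full access under all users" with the icacls `/grant Everyone:F` form (the exact string is not reproduced on the page) and runs over constructed command lines, flagging only those that combine a grant to Everyone with /T, /C and /Q.

```python
import re

# Constructed process-creation command lines (not from the report's own logs);
# the first and last mimic the icacls invocation the analysis describes.
SAMPLE_CMDLINES = [
    r'icacls "C:\*" /grant Everyone:F /T /C /Q',
    r'icacls C:\Users\alice\Documents\report.docx /grant alice:R',
    r'icacls "D:\share" /grant "Domain Users":(OI)(CI)M /T',
    r'"C:\Windows\System32\icacls.exe" C:\* /grant *S-1-1-0:F /T /C /Q',
]

# "Every user" principals: the Everyone group by name or by its SID S-1-1-0,
# granted F (full control), optionally with inheritance flags such as (OI)(CI).
BROAD_GRANT = re.compile(
    r'/grant(?::r)?\s+"?(?:everyone|\*S-1-1-0)"?:(?:\([A-Z]+\))*F\b', re.I)
IMAGE = re.compile(r'(?:^|\\)icacls(?:\.exe)?"?\s', re.I)


def icacls_indicators(cmdline: str) -> list:
    """Return the suspicious traits present in one icacls command line."""
    if not IMAGE.search(cmdline):
        return []
    hits = []
    if BROAD_GRANT.search(cmdline):
        hits.append("full control granted to Everyone")
    switches = {t.upper() for t in cmdline.split() if t.startswith("/")}
    if "/T" in switches:
        hits.append("recursive (/T)")
    if "/C" in switches:
        hits.append("continue on errors (/C)")
    if "/Q" in switches:
        hits.append("quiet (/Q)")
    return hits


def is_ryuk_style_icacls(cmdline: str) -> bool:
    """All four traits together match the behaviour described for the sample."""
    return len(icacls_indicators(cmdline)) == 4


def scan(cmdlines) -> list:
    """Filter a batch of command lines down to the ones worth alerting on."""
    return [c for c in cmdlines if is_ryuk_style_icacls(c)]


if __name__ == "__main__":
    for hit in scan(SAMPLE_CMDLINES):
        print("ALERT:", hit)
```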

It is important to note that Ryuk checks which version of Windows it is running on. To do this,
it performs a version check using GetVersionExW, examining the value in lpVersionInformation to find out whether the current Windows version is newer than Windows XP.

Depending on whether a version later than Windows XP is running, the loader writes to the local user folder, in this case the %Public% folder.

Fig. 17: Checking the operating system version

The file being written is Ryuk. It then runs it, passing its own address as a parameter.

Fig. 18: Running Ryuk via ShellExecute

The first thing Ryuk does is obtain its input parameters. This time there are two input parameters (the executable itself and the dropper address), which are used to remove its own traces.

Fig. 19: Creating the process

You can also see that once it has run its executables, it deletes itself, thereby leaving no evidence of its presence in the folder where it was executed.

Fig. 20: Deleting the file

5. RYUK

5.1 Persistence
Ryuk, like other malware, tries to remain on the system for as long as possible. As shown above, one way to achieve this goal is to covertly create and run executables. To do this, the most common practice is to modify the registry key CurrentVersion\Run.
In this case, you can see that for this purpose the first file to be launched, VWjRF.exe
(the file name is generated randomly), launches cmd.exe.

Fig. 21: Executing VWjRF.exe

It then writes a RUN entry with the name "svchos". Thus, if you check the registry keys at any time, you can easily miss this change, given the similarity of this name to svchost. Thanks to this key, Ryuk ensures its persistence in the system. If the system has not yet been infected, then when the system is restarted the executable will try again.

Fig. 22: The sample ensures persistence through a registry key
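Auditing Run-key values for names that imitate system binaries is one way to catch the "svchos" trick described here. The Python below is an added example, not part of the report: it scores each value name by edit distance against known system process names and also flags targets under %Public% or Temp; the Run-key entries and the path assigned to "svchos" are constructed, since the page does not show the value's target.

```python
import re

# Windows binaries whose names the analysis shows being imitated or excluded
# (svchost, csrss, explorer, lsass, taskhost) plus a few other core names.
KNOWN_SYSTEM_NAMES = {"svchost", "csrss", "explorer", "lsass", "taskhost",
                      "winlogon", "services", "smss", "wininit", "dwm"}

# User-writable drop locations the loader uses (%Public%, %temp%).
WRITABLE_DROP_DIRS = re.compile(r"\\Users\\Public\\|\\Temp\\", re.I)

# Constructed Run-key values; "svchos" reproduces the lookalike name from the
# analysis, and its target path is an assumed drop location, not a value
# quoted on the page.
SAMPLE_RUN_VALUES = {
    "svchos": r"C:\Users\Public\VWjRF.exe",
    "OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
    "SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe",
    "explorer": r"C:\Windows\explorer.exe",
}


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert / delete / substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def audit_run_values(values: dict, max_distance: int = 2) -> dict:
    """Map each suspicious Run value name to the reasons it was flagged."""
    findings = {}
    for name, command in values.items():
        reasons = []
        low = name.lower()
        if low not in KNOWN_SYSTEM_NAMES:
            near = min(KNOWN_SYSTEM_NAMES, key=lambda k: levenshtein(low, k))
            if levenshtein(low, near) <= max_distance:
                reasons.append(f"name resembles system binary '{near}'")
        if WRITABLE_DROP_DIRS.search(command):
            reasons.append("target lives in a user-writable drop directory")
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in audit_run_values(SAMPLE_RUN_VALUES).items():
        print(name, "->", "; ".join(reasons))
```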

We can also see that this executable stops two services:
"audioendpointbuilder", which, as its name suggests, relates to the system audio,

Fig. 23: The sample stops the system audio service

and Samss, which is the account management service. Stopping these two services is characteristic of Ryuk. In this case, if the system is connected to a SIEM system, the ransomware tries to stop any alerts from being sent to the SIEM. In this way it protects its subsequent steps, since some SAM services will not be able to start correctly after Ryuk has been executed.

Fig. 24: The sample stops the Samss service

5.2 Privileges

Generally speaking, Ryuk begins with lateral movement within the network or is launched by other malware such as Emotet or Trickbot, which, in the case of privilege escalation, pass these elevated rights on to the ransomware.

Beforehand, as a prelude to the injection process, we see it performing the ImpersonateSelf procedure, which means that the security context of the access token is passed to the thread, from which it is immediately retrieved using GetCurrentThread.

Fig. 25: Calling ImpersonateSelf

We then see that it associates the access token with the thread. We also see that one of the flags is DesiredAccess, which can be used to control the access the thread will have. In this case the value that edx receives must be TOKEN_ALL_ACCESS or, alternatively, TOKEN_WRITE.

Fig. 26: Creating the thread token

It then uses SeDebugPrivilege and makes a call to obtain debug permissions for the thread, resulting in PROCESS_ALL_ACCESS, so it is able to access any process it needs. Now, given that the encryptor already has a prepared thread, all that remains is to proceed to the final stage.

Fig. 27: Calling SeDebugPrivilege and the privilege escalation function

On the one hand, we have LookupPrivilegeValueW, which provides the necessary information about the privileges it wants to escalate.

Fig. 28: Requesting information about the privileges to escalate

On the other hand, we have AdjustTokenPrivileges, which allows it to obtain the required rights for its thread. In this case, the most important item is NewState, whose flag grants the privileges.

Fig. 29: Setting token permissions

5.3 Injection

In this section we show how the sample performs the injection process mentioned earlier in this report.

The main goal of the injection process, as well as of the escalation, is to gain access to the volume shadow copies. To do this, it must run with a thread whose rights exceed those of a local user. Once it has obtained such elevated rights, it deletes the copies and makes changes to other processes so that it becomes impossible to return to an earlier restore point in the operating system.

As is typical of this type of malware, it uses CreateToolhelp32Snapshot, so it takes a snapshot of the currently running processes and tries to gain access to those processes using OpenProcess. Once it has gained access to a process, it also opens a token with its information in order to obtain the process parameters.

Fig. 30: Retrieving processes from the computer

We can see dynamically how it obtains the list of running processes in routine 140002D9C using CreateToolhelp32Snapshot. After receiving them, it goes through the list, trying to open the processes one by one using OpenProcess until it succeeds. In this case, the first process it managed to open was "taskhost.exe".

Fig. 31: Dynamically executing the procedure that obtains a process

We can see that it then reads the process token information, so it calls OpenProcessToken with the parameter "20008".

Fig. 32: Reading process token information

It also checks that the process into which it will inject is not csrss.exe, explorer.exe or lsaas.exe, and whether it has the set of rights of the NT AUTHORITY account.

Fig. 33: Excluded processes

We can see dynamically how it first performs the check using the token information in 140002D9C, in order to find out whether the account whose rights are being used to execute the process is the NT AUTHORITY account.

Fig. 34: NT AUTHORITY check

And later, outside the procedure, it checks that the process is not csrss.exe, explorer.exe or lsaas.exe.

Fig. 35: NT AUTHORITY check

Once it has taken a snapshot of the processes, opened the processes and verified that none of them is excluded, it is ready to write into the memory of the process to be injected.

To do this, it first reserves space in memory (VirtualAllocEx), writes to it (WriteProcessMemory) and creates a thread (CreateRemoteThread). To work with these functions, it uses the PIDs of the selected processes, which it previously obtained using CreateToolhelp32Snapshot.

Fig. 36: Embedding the code

Here we can see dynamically how it uses the process PID to call the VirtualAllocEx function.

Fig. 37: Calling VirtualAllocEx

5.4 Encryption
In this section we look at the encryption part of this sample. In the following image you can see two subroutines named "LoadLibrary_EncodeString" and "Encode_Func", which are responsible for carrying out the encryption procedure.

Fig. 38: Encryption procedures

At the beginning we can see how it loads a string that is later used to deobfuscate everything it needs: imports, DLLs, commands, files and CSPs.

Fig. 39: Deobfuscation routine

The following figure shows the first import it calls in register R4, LoadLibrary. This is later used to load the required DLLs. We can also see another string in register R12, which is used together with the previous string to perform the deobfuscation.

Fig. 40: Dynamic deobfuscation

It continues by loading the commands that will later be run to delete backups, restore points and safe boot modes.

Fig. 41: Loading commands

It then loads the path into which it will drop three files: Windows.bat, run.sc and start.bat.

Fig. 42: File paths

These three files are used to check the privileges available in each location. If the required privileges are missing, Ryuk stops execution.

It continues by loading the strings corresponding to three files. First, DECRYPT_INFORMATION.html, containing the information needed to recover the files. Second, PUBLIC, containing the RSA public key.

Fig. 43: String DECRYPT INFORMATION.html

Third, UNIQUE_ID_DO_NOT_REMOVE, containing the encrypted key that is used in the next routine to perform the encryption.

Fig. 44: String UNIQUE ID DO NOT REMOVE

Finally, it loads the required libraries together with the required imports and CSPs (Microsoft Enhanced RSA and AES Cryptographic Provider).

Fig. 45: Loading libraries

Once deobfuscation is complete, it proceeds to the actions required for encryption: enumerating all logical drives, executing what was loaded in the previous routine, ensuring persistence in the system, dropping the RyukReadMe.html file, encryption, enumerating all network drives, switching to the discovered devices and encrypting them.
It all begins with loading "cmd.exe" and the RSA public key record.

Fig. 46: Preparing for encryption

It then obtains all logical drives using GetLogicalDrives and deletes all backups, restore points and safe boot modes.

Fig. 47: Disabling recovery tools

After that, it ensures its persistence in the system, as we saw above, and writes the first RyukReadMe.html file to Temp.

Fig. 48: Dropping the ransom note

In the following image you can see how it creates the file, loads the contents and writes them:

Fig. 49: Loading and writing the file contents

To be able to perform the same actions on all devices, it uses
"icacls.exe", as we showed above.

Fig. 50: Using icacls.exe

And finally, it starts encrypting files, except for "*.exe" and "*.dll" files, system files and other locations specified in the encrypted whitelist. To do this, it uses the imports CryptAcquireContextW (where the use of AES and RSA is specified), CryptDeriveKey, CryptGenKey, CryptDestroyKey, etc. It also tries to extend its reach to the discovered network resources using WNetEnumResourceW and then encrypts them.

Fig. 51: Encrypting system files

6. Imports and corresponding flags

Below is a table listing the most important imports and flags used by the sample:

7. IOC

Files written:

  • Users\Public\run.sc
  • Start Menu\Programs\Startup\start.bat
  • AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.bat

The technical report on the Ryuk ransomware was prepared by experts from the PandaLabs antivirus laboratory.

8. References

1. "Everis y Prisa Radio sufren un grave ciberataque que secuestra sus sistemas." https://www.elconfidencial.com/tecnologia/2019-11-04/everis-la-ser-ciberataque-ransomware-15_2312019/, published 04/11/2019.

2. "Un virus de origen ruso ataca a importantes empresas españolas." https://elpais.com/tecnologia/2019/11/04/actualidad/1572897654_251312.html, published 04/11/2019.

3. "VB2019 paper: Shinigami's revenge: the long tail of the Ryuk malware." https://securelist.com/story-of-the-year-2019-cities-under-ransomware-siege/95456/, published 11/12/2019.

4. "Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware." https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/, published 10/01/2019.

5. "VB2019 paper: Shinigami's revenge: the long tail of the Ryuk malware." https://www.virusbulletin.com/virusbulletin/2019/10/vb2019-paper-shinigamis-revenge-long-tail-r

Source: www.habr.com
