DISSECTING RYUK RANSOMWARE ATTACK AND DEFENSE TIPS

Current realities show that cybercrimes are on the rise.

Today, I want to dig deeper into one of the most destructive forms of attack – ransomware attacks.

Ransomware is not a new threat in the computer world. The first known ransomware was “AIDS Trojan” or “PC Cyborg.” The program’s creator was a biologist named Joseph Popp in 1989. He distributed to thousands of people floppy disks containing copies of the application claiming to hold a program to help fight AIDS. Once the program recipient executed the application, it encrypted the user’s files and demanded a ransom of $189 to be paid to a PO Box in Panama to decrypt them. I must mention that while Dr. Joseph Popp was a criminal, he was a very skilled, educated individual who graduated from Harvard.

Since then, ransomware attacks have gone through many changes and evolved into a massive problem at most, targeting not individuals with limited ability to pay but establishments. In addition, criminals design the malware using much stronger encryption algorithms, making decryption without a provided key nearly impossible and using advanced techniques to hide payload from detection. Since the early 2000s, the making of ransomware attacks has switched from individual malicious developers to well-organized and funded criminal syndicates.

At the beginning of the 2000s, Dark Web introduced RaaS (Ransomware as a Service). This service enables anyone with criminal intent to follow a simple wizard on the web interface, launch opportunistic ransomware attacks on many businesses, and wait for bitcoins to start rolling into his pocket. Let’s look at one of the most common and advanced in our day’s ransomware – Ruyk.

Ruyk was first detected in the cybercriminal arena in 2018 and is believed to be developed by North Korean state-sponsored hackers. It is a well-engineered malware that targets businesses, healthcare organizations, and government institutions. The architecture of Ryuk is a very complex and multi-modular ransomware attack. This malware uses Cobalt Strike and PowerShell Empire frameworks right after exploitation, making this application very powerful and challenging to detect.

So, how does Ryuk get into the network? Usually, exploitation happens trivially – opening an email with a malicious attachment (most likely MS Word with embedded macro) or initiating clicking on the link that promises something exciting to the potential victim. So what happens after the dropper is delivered to the victimized system? The first step in the invasion is reconnaissance; the downloaded beast learns your network, searching for domain controllers, file share servers, and data backups. Next, it tries to enumerate as many devices as possible, which is the process’s lengthiest step. Finally, when malware has enough information on the victim’s infrastructure, it starts lateral movement, spreading to domain controllers, file servers, and backup servers first. During sideways spread, the application uses various techniques, including credential theft, to move laterally and get access to as many computers as possible.

The next step is critical for any ransomware to succeed, and this is a privilege escalation. Assaulting software uses various tools to get elevated privileges and access the most sensitive data.

After completion of the privilege escalation, the application attempts to upload data to the Dark Web and encrypts all documents, including images, on the victimized system.

Note: Your data uploaded to the Dark Web might be used as a hostage when attackers threaten to release public data if the ransom is not paid.

The final step in this process is the encryption of the documents and placing (usually on the desktop of the computers) ransom-demanding notes with instructions on how to contact criminals and how much the organization has to pay for the decryption key. For the process visualization, I’m providing a bird’s-eye view of the process.

In conclusion, I’m providing behavior and prevention tips:

1. I strongly advise against paying the ransom, and here are my three reasons why:
2. By paying the ransom, you encourage cyber terrorists to continue spreading malware.
3. There is no guarantee that you will get the key or that the provided key will work.
4. Nobody writes perfect software, and I witnessed the situation when encryption was accidentally applied to system files, making use of the received key impossible.
5. Do not try to repair impacted computers in the network. Instead, they all should be reimaged and baselined to better, more robust security standards. Unfortunately, it is hard to identify what else is hiding on the affected computers after that type of intrusion. In addition, many antivirus vendors’ safelist software, like Cobalt Strike, and backdoors may remain open, awaiting another intrusion attempt.
6. Enforce a policy for hard-to-guess long passwords, and use multifactor authentication where possible. All unused accounts in your domain should be deleted or disabled. Passkeys are better than passwords.
7. Back up your data, and implement Airgap backups if possible. Have an offline copy of your backup.
8. Remember that defending against cybercrimes is the Information Technology department’s job; it is a shared responsibility between every organization member. Invest in employee training and enforce a cyber-threat-aware culture in your organization.
9. Ensure all appliances on your network are frequently updated with the latest security patches. Remember that devices that reached end-of-life are no longer supported and do not receive any updates. Therefore, organizations need to replace such devices as soon as possible.
10. Invest in the latest antivirus tools and make sure they are updated frequently.
11. Understandably, small businesses cannot afford a full-time cybersecurity professional on staff, but at least have one available on a per-need basis. Ensure the cybersecurity specialist audits your network after any new device deployment or configuration change.
12. Subscribe to the Security Update Guide Notification System News. By doing this, you can be aware of the latest threats and prepare to defend yourself.

Credits: Being graphically challenged, after a few attempts to visualize the RYUK process, I gave up and asked one of my former co-workers Ana Tineo, CBAP, to create a bird’s-eye view of the process.