Monday, 9 December 2019

Analysis of Ryuk Ransomware

[Authors: Viktoria Taran, Alexander Adamov]

The Ryuk ransomware seen for the first time in August 2018 has been successfully used in targeted attacks encrypting data and asking for a ransom payment which differs from 10 BC to 50 BC. The recent attack was executed against DCH hospitals in Alabama on October 1st, 2019. As a result, DCH paid the ransom to recover the data stored on their servers. In this report, we analyze one of the recent versions of Ryuk ransomware discovering the installation process, networking details, and encryption model.

Static Analysis

The ransomware file is PE32 executable for MS Windows. It is 1232896 bytes in size. The ransomware code is written and compiled in Microsoft Visual C++. According to the compilation timestamp, the binary was created on September 2nd, 2019.
Company information:


SHA-256: dd0691992d947366f1b9caf2acc1fec951f761a39ca3863e81bc2c3fb5efd415

Obfuscation

Ryuk has encrypted strings hardcoded that contains encrypted Import Address Table.

 


Decrypted strings:

LoadLibraryA
VirtualFree
FindFirstFileW
FindNextFileW
GetModuleFileNameA
CreateFileA
Wow64RevertWow64FsRedirection
SetFilePointer
ShellExecuteW
VirtualAlloc
CloseHandle
GetWindowsDirectoryW
CreateDirectoryW
CreateFileW
WriteFile
CreateProcessW
GetModuleHandleA
CreateProcessA
CopyFileA
GetCommandLineW
FreeLibrary
GlobalAlloc
GetModuleFileNameW
CoInitialize
Wow64DisableWow64FsRedirection
SetFileAttributesA
CopyFileW
DeleteFileW
ReadFile
GetFileSize
GetVersionExW
GetFileAttributesW
GetFileAttributesA
FindClose
WinExec
Sleep
ExitProcess
GetCurrentProcess
GetLogicalDrives
SetFileAttributesW
GetStartupInfoW
GetTickCount
GetDriveTypeW
mpr.dll
WNetOpenEnumW
WNetEnumResourceW
WNetCloseEnum
advapi32.dll
CryptEncrypt
CryptDecrypt
CryptGenKey
Cryp&DestroyKey
CryptExportKey
CryptImportKey
CryptDeriveKey
CryptAcquireContextW
GetUserNameA
GetUserNameW
RegOpenKeyExA
RegOpenKeyExW
RegQueryValueExA
RegCloseKey
RegDeleteValueW
RegSetValueExW
ole32.dll
ShellExecuteA
CoCreateInstance
Shell32.dll

Attack vector

This version of Ryuk ransomware was being distributed like a rouge password manager software with the ‘LithuanianicMercy.exe’ filename. The whole infection chain can be seen at app.any.run sandbox.

Installation

Ryuk checks the following registry key [SYSTEM\CurrentControlSet\Control\Nls\Language] for a language code. If the system language is Russian, Belarusian, or Ukrainian, the ransomware exits.

To stay on the system, Ryuk sets the autorun registry key:
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]


After that, it creates a blank ‘1.txt’ file supposedly to check the write permissions for the current folder.


Ryuk lanches numerous copies of itself with the ‘8 LAN’ string as a command-line argument and random name.

Before encryption starts, Ryuk generates a seven lettered random filename using GetTickCount() and srand() function and then copies itself to the new generated file.


After some time Ryuk overloads the system by calling a lot of similar processes. It will not stop until the system is fully encrypted.

The ransomware stops the following system services using ‘net.exe’ and ‘net1.exe’:
  • C:\Windows\System32\net.exe stop audioendpointbuilder /y
  • C:\Windows\System32\net.exe stop samss /y
It is not clear why Ryuk stops the Windows Audio Endpoint Builder that leads to audio services malfunctioning on a victim's computer. However, the second one stops the Security Accounts Manager. Disabling this service will prevent other services in the system from being notified when the SAM is ready, which may in turn cause those services to fail to start correctly. This techniques can be used to prevent sending alerts generated by suspicious activities on the affected system to SIEM system.

After the encryption has been completed, the cryptolocker creates and executes a batch script 'window.bat' to delete backups and shadow copies.

Encryption

Ryuk uses three-layer encryption with a conventional combination of symmetric AES for file encryption and asymmetric RSA for file keys encryption ciphers. However, the master public key, as well as the private key, is kept on the attacker’s side. Instead, the session key pair is hardcoded. The session private key is pre-encrypted by the master public key.

Network encryption


Ryuk avoids encrypting the files with the following extensions:
  • exe 
  • dll 
  • ini 
  • hrmlog 
  • lnk
The directory whitelist where the ransomware does not encrypt files is as follows:
  • Windows 
  • Mozilla 
  • Chrome
  • RecycleBin 
  • Ahnlab 


The keys used in the encryption process are as follows:
  1. The master RSA key pair owned by the attacker. 
  2. RSA-2048 session key pair is hardcoded with the private key pre-encrypted by the master key.
  3. AES-256 file keys.


The encryption process has the following steps:

1. Two files are created: 
  • ‘PUBLIC’ file that contains the public session key (RSA-2048) and 
  • ‘UNIQUE_ID_DO_NOT_REMOVE’ file that contains the private session key (RSA-2048) pre-encrypted with the master key. This file should be uploaded to the attacker to enable file decryption.
    The public session key looks as follows:
2. AES-256 file key is generated using CryptGenKey with Algorithm ID 0x6610 which corresponds to CALG_AES_256.

3. After that, a target file’s content is encrypted with AES key. 

4. Finally, magic 'HERMES' and the AES key encrypted with the embedded RSA public key are added to the end of the encrypted file.

Network encryption

The ransomware finds other computers in a local network. To do that, it calls GetIpNetTable() function that enumerates the ARP entries for IPv4 on a local system from the IPv4 to the physical address mapping table and returns a list of IP addresses. These IPs point to available subnets that the victim’s host is connected to.

If an IP address discovered in the ARP cache belongs to one of the following ranges of internal IP addresses, Ryuk starts findinŠæ potential victims in this subnet by enumerating all possible IP addresses:
  • 10.0.0.0 - 10.255.255.255
  • 172.16.0.0 - 172.31.255.255
  • 192.168.0.0 - 192.168.255.255
Ryuk checks if the discovered IP address belongs to the ranges above.



Finally, if a host in a local network responds, the ransomware tries to attach its disks as network drives and encrypt data on them.

Process injection

Ryuk uses SeDebugPrivilege() to elevate privileges to inject its payload into running processes.


The injection method is conventional. The ransomware allocates memory in a target process to write its payload code using WriteProcessMemory(). After that, Ryuk creates and starts the remote thread using CreateRemoteThread().


The ransomware avoids injecting into the Windows system processes such as 'lsaas.exe','explorer.exe', 'csrss.exe'.

Ransomware notes

After the encryption is completed, Ryuk leaves the ‘RyukReadMe.html’ with the following content:

Code Artefacts

The binary has the debugging information left in the code.


The PDB info includes the paths to the header and source files of third-party packages used in the project.

Also, the ransomware has ‘\PIPE\samr’ pipe name in the code that indicates the fact that it uses RPC over SMB protocol. This functionality can be used for user and group enumeration, which can be a part of lateral movement as well as for task scheduling on a remote computer.

Conclusion

Ruyk derives Hermes source code that can be found on numerous underground forums. It uses symmetric (AES) with asymmetric (RSA) encryption to prevent decrypting victim’s files without knowing the master private key. The ransomware deletes backup files and Windows shadow copies making it impossible to restore data from local backups. To avoid being detected by antiviruses, Ryuk employs obfuscation of its code. It has also the capabilities for hosts network discovery in a local network to encrypt network drives as well as for lateral movement using RPC over SMB. Thus, it can be effectively used by attackers in future targeted attacks to maximize the losses of a targeted organization.

IoCs

LithuanianicMercy.exe
SHA-256: dd0691992d947366f1b9caf2acc1fec951f761a39ca3863e81bc2c3fb5efd415

Read also

No comments:

Post a comment