[Authors: Viktoria Taran, Alexander Adamov]
The Ryuk ransomware seen for the first time in August 2018 has been successfully used in targeted attacks encrypting data and asking for a ransom payment which differs from 10 BC to 50 BC. The recent attack was executed against DCH hospitals in Alabama on October 1st, 2019. As a result, DCH paid the ransom to recover the data stored on their servers. In this report, we analyze one of the recent versions of Ryuk ransomware discovering the installation process, networking details, and encryption model.
Static Analysis
The ransomware file is PE32 executable for MS Windows. It is 1232896 bytes in size. The ransomware code is written and compiled in Microsoft Visual C++. According to the compilation timestamp, the binary was created on September 2nd, 2019.
Company information:
SHA-256: dd0691992d947366f1b9caf2acc1fec951f761a39ca3863e81bc2c3fb5efd415
Obfuscation
Ryuk has encrypted strings hardcoded that contains encrypted Import Address Table.Decrypted strings:
Attack vector
This version of Ryuk ransomware was being distributed like a rouge password manager software with the ‘LithuanianicMercy.exe’ filename. The whole infection chain can be seen at app.any.run sandbox.
Ryuk checks the following registry key [SYSTEM\CurrentControlSet\Control\Nls\Language] for a language code. If the system language is Russian, Belarusian, or Ukrainian, the ransomware exits.Installation
To stay on the system, Ryuk sets the autorun registry key:
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
After that, it creates a blank ‘1.txt’ file supposedly to check the write permissions for the current folder.
Ryuk lanches numerous copies of itself with the ‘8 LAN’ string as a command-line argument and random name.
Before encryption starts, Ryuk generates a seven lettered random filename using GetTickCount() and srand() function and then copies itself to the new generated file.
Before encryption starts, Ryuk generates a seven lettered random filename using GetTickCount() and srand() function and then copies itself to the new generated file.
After some time Ryuk overloads the system by calling a lot of similar processes. It will not stop until the system is fully encrypted.
The ransomware stops the following system services using ‘net.exe’ and ‘net1.exe’:- C:\Windows\System32\net.exe stop audioendpointbuilder /y
- C:\Windows\System32\net.exe stop samss /y
After the encryption has been completed, the cryptolocker creates and executes a batch script 'window.bat' to delete backups and shadow copies.
Encryption
Ryuk uses three-layer encryption with a conventional combination of symmetric AES for file encryption and asymmetric RSA for file keys encryption ciphers. However, the master public key, as well as the private key, is kept on the attacker’s side. Instead, the session key pair is hardcoded. The session private key is pre-encrypted by the master public key.
Ryuk avoids encrypting the files with the following extensions: Network encryption
- exe
- dll
- ini
- hrmlog
- lnk
- Windows
- Mozilla
- Chrome
- RecycleBin
- Ahnlab
The keys used in the encryption process are as follows:
- The master RSA key pair owned by the attacker.
- RSA-2048 session key pair is hardcoded with the private key pre-encrypted by the master key.
- AES-256 file keys.
The encryption process has the following steps:
1. Two files are created:
- ‘PUBLIC’ file that contains the public session key (RSA-2048) and
- ‘UNIQUE_ID_DO_NOT_REMOVE’ file that contains the private session key (RSA-2048) pre-encrypted with the master key. This file should be uploaded to the attacker to enable file decryption.
3. After that, a target file’s content is encrypted with AES key.
4. Finally, magic 'HERMES' and the AES key encrypted with the embedded RSA public key are added to the end of the encrypted file.
Network encryption
The ransomware finds other computers in a local network. To do that, it calls GetIpNetTable() function that enumerates the ARP entries for IPv4 on a local system from the IPv4 to the physical address mapping table and returns a list of IP addresses. These IPs point to available subnets that the victim’s host is connected to.
If an IP address discovered in the ARP cache belongs to one of the following ranges of internal IP addresses, Ryuk starts findinп potential victims in this subnet by enumerating all possible IP addresses:
SHA-256: dd0691992d947366f1b9caf2acc1fec951f761a39ca3863e81bc2c3fb5efd415
- 10.0.0.0 - 10.255.255.255
- 172.16.0.0 - 172.31.255.255
- 192.168.0.0 - 192.168.255.255
Finally, if a host in a local network responds, the ransomware tries to attach its disks as network drives and encrypt data on them.
Process injection
Ryuk uses SeDebugPrivilege() to elevate privileges to inject its payload into running processes.
The injection method is conventional. The ransomware allocates memory in a target process to write its payload code using WriteProcessMemory(). After that, Ryuk creates and starts the remote thread using CreateRemoteThread().
The ransomware avoids injecting into the Windows system processes such as 'lsaas.exe','explorer.exe', 'csrss.exe'.
Ransomware notes
After the encryption is completed, Ryuk leaves the ‘RyukReadMe.html’ with the following content:
Code Artefacts
The binary has the debugging information left in the code.
The PDB info includes the paths to the header and source files of third-party packages used in the project.
Also, the ransomware has ‘\PIPE\samr’ pipe name in the code that indicates the fact that it uses RPC over SMB protocol. This functionality can be used for user and group enumeration, which can be a part of lateral movement as well as for task scheduling on a remote computer.
Also, the ransomware has ‘\PIPE\samr’ pipe name in the code that indicates the fact that it uses RPC over SMB protocol. This functionality can be used for user and group enumeration, which can be a part of lateral movement as well as for task scheduling on a remote computer.
Conclusion
Ruyk derives Hermes source code that can be found on numerous underground forums. It uses symmetric (AES) with asymmetric (RSA) encryption to prevent decrypting victim’s files without knowing the master private key. The ransomware deletes backup files and Windows shadow copies making it impossible to restore data from local backups. To avoid being detected by antiviruses, Ryuk employs obfuscation of its code. It has also the capabilities for hosts network discovery in a local network to encrypt network drives as well as for lateral movement using RPC over SMB. Thus, it can be effectively used by attackers in future targeted attacks to maximize the losses of a targeted organization.
LithuanianicMercy.exeIoCs
SHA-256: dd0691992d947366f1b9caf2acc1fec951f761a39ca3863e81bc2c3fb5efd415
Read also
- https://www.bleepingcomputer.com/news/security/dch-hospital-pays-ryuk-ransomware-for-decryption-key/
- https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/
- https://www.gdatasoftware.com/blog/2019/08/35046-whats-all-the-buzz-about-looking-at-the-ryuk-ransomware-as-an-example
- https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/
No comments:
Post a Comment