Ryuk Ransomware: The Dangers & How to Protect Yourself
Michelle Wilson - February 13, 2022

Since 2018, this sophisticated ransomware has targeted government institutions, hospitals, businesses, and other organizations. The group behind the malware often relies on manual hacking techniques and open-source tools, moving laterally through private networks to gain administrative access to as many systems as possible before launching file encryption.
Ryuk's operators demand far larger ransoms than the majority of ransomware gangs: typical demands fall between fifteen and fifty Bitcoins, roughly $100,000 to $500,000, and there are reports of victims paying significantly more than these averages.
Understanding Ryuk’s History and Success
First appearing in August 2018, Ryuk is based on an earlier ransomware called Hermes, which criminals sold on cybercrime forums in 2017. The North Korean state-sponsored Lazarus Group used Hermes in a 2017 attack against FEIB, which led to reports that Ryuk was of North Korean origin. Multiple security companies have since disproved this theory, and researchers now believe the developers are a Russian-speaking cybercriminal group. The likely operator is Wizard Spider (also tracked as Grim Spider), which runs other credential-theft operations such as TrickBot.
Because the attackers go after organizations with crucial assets, their targets are more likely to pay. This tactic, commonly called "Big Game Hunting" within the industry, has made the Ryuk gang very successful at monetizing its campaigns: estimates put the bitcoin paid to the gang between 2013 and 2019 at $61.26 million (not including other payment methods), making it a lucrative enterprise for the attackers.
The Ryuk Distribution and Attack Chain
Ryuk is almost always distributed through a TrickBot or similar trojan infection, although not every TrickBot infection leads to Ryuk. Ryuk is typically deployed weeks after TrickBot first appears on a network. The delay most likely reflects TrickBot's data collection: the attackers use the harvested information to identify the networks most worth targeting with Ryuk, improving the attack overall.
Manual hacking activity, including network reconnaissance and lateral movement, aims to compromise domain controllers while gaining access to as many systems as possible. Ryuk's goal is to cause swift and widespread damage across the network, forcing the organization's hand.
The Master Plan of Ryuk
Microsoft identifies Ryuk as a human-operated ransomware attack, part of a broader trend of attacks adopting the stealthy and highly targeted methodology previously associated with APT (advanced persistent threat) groups. That definition includes reliance on existing system administration utilities and open-source tools to evade detection.
After the TrickBot infection, the Ryuk gang deploys post-exploitation frameworks such as PowerShell Empire or Cobalt Strike to carry out malicious actions on compromised computers. The criminals also use BloodHound, a tool built to let penetration testers analyze and highlight exploitable relationships in Active Directory environments, and LaZagne, an open-source tool that harvests credentials from compromised computers. Ultimately, the Ryuk attackers locate the domain controllers and obtain full administrative access, giving them control over the victim's entire network.
TrickBot Infections
One of the most prevalent Trojans, TrickBot spreads through malicious emails and through another malware program called Emotet. The connection between TrickBot, Ryuk, and Emotet isn't entirely clear, but many cybercriminals flock to the distribution platform. Industry experts believe that TrickBot follows a similar malware-as-a-service (MaaS) model but remains available only to a relatively small number of top-level cybercriminals.
Understanding Emotet
The cybercriminals responsible for Ryuk used to deploy the ransomware payload manually, but more recent variants contain code that automatically spreads to other computers on the local network once the attackers have obtained a privileged domain account. First, the program generates a list of every possible IP address within the local network and sends an ICMP ping to each to discover which hosts are reachable. It then enumerates the file shares on the reachable machines, mounts those shares, and encrypts their contents. At the same time it copies itself to those file shares and, using the privileged domain account credentials, creates a scheduled task that executes the copied version on each remote computer.
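The propagation chain just described leaves two telemetry signatures a defender can hunt for: a single host sending ICMP to many neighbours in a short window, and one privileged account creating scheduled tasks on many hosts at once. The following is an added example of that detection logic, not Ryuk's code or any vendor's rule set; the flow records, Windows Security events (4698, "A scheduled task was created"), host names, IP addresses and account names are all constructed sample data.

```python
"""Detection logic for the propagation chain described above: a ping sweep
across the local subnet followed by scheduled tasks being created on many
hosts under a single privileged domain account.

Added example, not Ryuk's code or any vendor's detection. The flow records
and Security events below are constructed sample data, not real telemetry;
host names, IP addresses and account names are invented.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow records: (timestamp, src_ip, dst_ip, protocol).
# 10.0.5.23 probes 40 neighbours in 40 seconds; 10.0.5.80 is ordinary traffic.
FLOWS = [
    (datetime(2022, 2, 1, 3, 0, 0) + timedelta(seconds=i),
     "10.0.5.23", f"10.0.5.{i + 1}", "icmp")
    for i in range(40)
] + [
    (datetime(2022, 2, 1, 3, 5, 0), "10.0.5.80", "10.0.5.1", "icmp"),
    (datetime(2022, 2, 1, 3, 5, 1), "10.0.5.80", "10.0.5.2", "icmp"),
    (datetime(2022, 2, 1, 3, 5, 2), "10.0.5.80", "10.0.5.3", "tcp"),
]

# Constructed Windows Security events; 4698 = "A scheduled task was created".
# One account registers the same task on six workstations within seconds.
EVENTS = [
    {"time": datetime(2022, 2, 1, 3, 2, i), "host": f"WS{i:02d}",
     "event_id": 4698, "account": "CORP\\svc-deploy", "task": "\\Update"}
    for i in range(1, 7)
] + [
    {"time": datetime(2022, 2, 1, 9, 0, 0), "host": "WS11",
     "event_id": 4698, "account": "CORP\\alice", "task": "\\Backup"},
]


def detect_icmp_sweeps(flows, min_targets=20, window=timedelta(minutes=2)):
    """Return source IPs that sent ICMP to at least `min_targets` distinct
    destinations inside any `window`-long interval (a ping sweep)."""
    probes_by_src = defaultdict(list)
    for ts, src, dst, proto in flows:
        if proto == "icmp":
            probes_by_src[src].append((ts, dst))

    sweepers = []
    for src, probes in probes_by_src.items():
        probes.sort()
        # Try every probe as the start of a window; the sample is small enough
        # that this quadratic scan is fine.
        for start_ts, _ in probes:
            targets = {dst for ts, dst in probes
                       if start_ts <= ts <= start_ts + window}
            if len(targets) >= min_targets:
                sweepers.append(src)
                break
    return sorted(sweepers)


def detect_task_fanout(events, min_hosts=3, window=timedelta(minutes=15)):
    """Return {account: [hosts]} for accounts that created scheduled tasks on
    at least `min_hosts` distinct hosts inside any `window`-long interval."""
    creations_by_account = defaultdict(list)
    for event in events:
        if event["event_id"] == 4698:
            creations_by_account[event["account"]].append(
                (event["time"], event["host"]))

    flagged = {}
    for account, creations in creations_by_account.items():
        creations.sort()
        for start_ts, _ in creations:
            hosts = {host for ts, host in creations
                     if start_ts <= ts <= start_ts + window}
            if len(hosts) >= min_hosts:
                flagged[account] = sorted(hosts)
                break
    return flagged


if __name__ == "__main__":
    print("ICMP sweep sources:", detect_icmp_sweeps(FLOWS))
    print("Scheduled-task fan-out:", detect_task_fanout(EVENTS))
```

The thresholds are deliberately conservative: a vulnerability scanner or a monitoring system will also ping an entire subnet, so in practice the sweep source should be checked against an allow-list of known scanners, while a scheduled task fanning out from a non-deployment account within minutes is rarely benign and is worth an immediate escalation.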
Inside the Ryuk Encryption Routine
Since the initial split from the Hermes code base, many features and mechanisms have been simplified, removed, or reimplemented. For example, Ryuk isn’t as selective with file encryption as other ransomware. Additionally, a ransomware program manually deployed inside a system where attackers hold complete control may not need self-protection features like automated propagation.
Once deployed, Ryuk encrypts all files except those with the extensions ini, exe, lnk, hrmlog, and dll. These exclusion rules help preserve system stability and allow the victim to use a browser to make the ransom payment. Ryuk also skips files stored in Recycle Bin directories, the Windows System32 directory, and internet browser directories.
Encryption Implementation
Ryuk uses strong file encryption based on AES-256, and every encrypted file receives the extension .ryk. The Ryuk executable is custom-built for each victim, even when that victim has multiple systems, using a private key generated by the attackers, which means a key published for one Ryuk attack won't decrypt another infected network. Ryuk also attempts to delete volume shadow copies to prevent recovery through alternative methods, and it disables various services, including the Windows Defender antivirus and network backups.
Currently, no publicly available tool can decrypt Ryuk files without paying the ransom, and even paying doesn't guarantee the files will be restored. Researchers warn that the Ryuk decryptor occasionally corrupts files, particularly large files that were only partially encrypted. On top of that, Ryuk sometimes encrypts files critical to the system's normal operation, leaving systems unbootable after a restart. These issues complicate recovery efforts and increase the costs incurred by victims.
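Because shadow-copy deletion and the stopping of backup or antivirus services happen just before encryption starts, they are the last good moment to catch a Ryuk deployment on an endpoint. The following is an added example of command-line detection over process-creation events, not Ryuk's code or any vendor's rule set; the Sysmon-style records, host names, user names and service names are constructed sample data, and the rule patterns are illustrative rather than exhaustive.

```python
"""Process-creation detection for the recovery-inhibition behaviour described
above: volume shadow copies being deleted and backup or antivirus services
being stopped on an endpoint.

Added example, not Ryuk's code or any vendor's rule set. The records below
are constructed Sysmon-style process-creation events, not real telemetry;
host, user and service names are invented.
"""
import re

# (rule name, MITRE ATT&CK technique, pattern over the full command line)
RULES = [
    ("shadow_copy_deletion", "T1490",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("shadow_copy_deletion", "T1490",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("backup_or_av_service_stopped", "T1489",
     re.compile(r"\b(?:net1?(?:\.exe)?\s+stop|sc(?:\.exe)?\s+(?:stop|config))\b"
                r".*\b(?:backup|windefend|defender|antivirus)\b", re.I)),
]

# Constructed Sysmon event ID 1 records: (host, user, command_line).
# WS04 shows the staging pattern; WS09 is an administrator doing routine work.
SAMPLE_EVENTS = [
    ("WS04", "CORP\\svc-deploy", "vssadmin.exe Delete Shadows /All /Quiet"),
    ("WS04", "CORP\\svc-deploy", 'net stop "Windows Backup" /y'),
    ("WS09", "CORP\\alice", "vssadmin list shadows"),
    ("WS09", "CORP\\alice", "net stop Spooler"),
]


def match_rules(command_line):
    """Return the sorted, de-duplicated names of rules matching a command line."""
    return sorted({name for name, _, pattern in RULES
                   if pattern.search(command_line)})


def score_hosts(events, min_distinct=2):
    """Group rule hits per host and return only hosts where at least
    `min_distinct` different behaviours were seen; several recovery-inhibition
    steps on one host in succession is far more indicative of ransomware
    staging than a single administrator invocation of vssadmin."""
    hits_by_host = {}
    for host, _user, command_line in events:
        for name in match_rules(command_line):
            hits_by_host.setdefault(host, set()).add(name)
    return {host: sorted(names) for host, names in hits_by_host.items()
            if len(names) >= min_distinct}


if __name__ == "__main__":
    for host, user, cmd in SAMPLE_EVENTS:
        print(f"{host} {user}: {cmd!r} -> {match_rules(cmd)}")
    print("Hosts to escalate:", score_hosts(SAMPLE_EVENTS))
```

The per-host grouping is the important design choice: a single `vssadmin` invocation is common in legitimate administration, but shadow-copy deletion followed by backup services being stopped on the same host, under the same account, should page the on-call responder and trigger network isolation of that host before the encryption phase begins.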
Protecting Against Ryuk Attacks
Although organizations can put specific controls in place to reduce the likelihood of Ryuk infections, defending against human-operated ransomware attacks requires fundamental improvements in IT administration. Most successful human-operated ransomware campaigns have been against servers with security software and antivirus intentionally disabled, often in an attempt to improve performance. Ryuk attackers use malware and tooling built to evade antivirus detection, and they work to disable basic security measures, taking advantage of weak domain credentials, missing firewall protection, and weak overall security.
Security teams should also give higher priority to seemingly rare and isolated infections. Common threats like TrickBot and Emotet often arrive alone but can be the opening stage of a far larger problem; removing common malware without performing a deeper investigation leaves the network exposed to disastrous consequences later. Finally, it is crucial to address any infrastructure weaknesses that allowed the malware to propagate, including hardening the network against lateral movement and resolving credential issues. Restricting unnecessary SMB traffic between endpoints also improves resilience against human-operated attacks.
Conclusion
While Ryuk deliberately targets large businesses, government bodies, and hospitals in most of its attacks, every organization should understand the threat it poses. Staying informed minimizes the potential damage of this human-operated attack. The impact of a Ryuk attack on an organization is significant, with many ransoms costing victims $100,000 to $500,000. Unlike many other attacks, Ryuk offers no outside means of decrypting the lost files, so the criminals force victims either to pay the ransom or to suffer a significant and devastating loss.