Ryuk Ransomware Uses Trickbot Trojan in U.S. Newspaper Attack
[Update Dec. 16, 2019: On December 13, the City of New Orleans was attacked by, what BleepingComputer indicated to be, a variant of Ryuk. We ran the related sample that was uploaded to VirusTotal against BluVector Cortex and found that its Machine Learning Engine would have detected the Ryuk variant 36 months ahead of its release. NOLA.com reports that the city’s traffic and municipal courts would be closed on Monday and Tuesday with other agencies such at its police department manually entering new incidents manually.]
With the recent news that Ryuk ransomware caused printing problems at the Los Angeles Times, as well as several other papers under Tribune Publishing, we decided to release part of our findings early.
Reports indicate that the attack was launched against the publishers from outside the U.S. and point towards the well-known North Korea-based Lazarus Group. Ryuk ransomware isn’t the only threat. It’s a single, powerful delivery that might have been used to cause destruction but wasn’t likely used to extract a ransomware fee.
Given Lazarus’ history of attacks, the group is known for delivering multilayered attacks with several threats. While the papers are understandably quiet in the details, it does appear that the papers had sufficient backup capabilities in place to bring the printing process back up to production. Yet there was some impact with missing production schedules and missing sections.
Rather than focus on the news, we wanted to stick to what we know, the threat most likely used the Trickbot trojan and Emotet malware to initiate the infection, which BluVector would have detected. The other infection vector, systems using RDP, also would have been detected if they were compromised.
Trickbot and Emotet
At the most basic level, Trickbot was developed as a banking Trojan, however it has undergone significant and more sophisticated development in the last 18 months – with adversaries releasing new modules on a near-monthly basis. While it currently includes modular malware with additional functions including an email spammer, its most notable function is lateral movement.
The malicious actors of this product additionally issue new versions of the malware’s XML configuration file an average of three to four times a week. This gives the malware the ability to pass through signature-matching antivirus solutions, in addition to extensive anti-malware and security solution evasion techniques.
While Trickbot has its own malspam-based distribution channel, a significant proportion of sophisticated Trickbot attacks use Emotet malware as part of its infection process. Recently, multiple well-resourced campaigns have been found to use where both types of malware during a single targeted attack.
The PCAP capture I used delivered itself through the perimeter as a ‘low and slow burn attack.’ It took a full two-week period for the two pieces of malware to reach an end-point in their entirety. This method of delivery, as well as the extensive anti-malware and security solution evasion techniques, negates any signature-based solutions and most IOC indicators purely because of the time limitations which security solution devices have built into them.
My intention was to apply the 1-10-60 rulesets against a complex attack cycle that has proven it can successfully bypass common security solutions and services. I set my success criteria as:
- Time to detect an intrusion – 1 minute (60 seconds) or less
- Time to investigate an incident – understanding the criticality and scope, and what response actions are necessary – 10 minutes or less, with artifact and auditable logs
- Time to respond to the intrusion – eradicate the adversary and implement containment measures to avoid any damage – 60 minutes or less, with record management logs maintained
I wished to establish what a single individual could achieve against the attack when using the BluVector Advanced Threat Detection™ solution. Content that I had quite the challenge on my hands, I settled in for an afternoon of malicious code “cat’n’mouse.”
Wanting to set some baselines of the PCAP behavior over the period of two weeks and I did not have the time to investment using PacketTotal, NetworkMiner or even PCAP Analyzer. I uploaded what appeared to be the first anomalous PCAP to the BluVector solution and 18 seconds later… game over!
BluVector returned high hunt score alerts of nine and eight (out of ten) on a single PCAP. A BluVector Hunt Score is a collaborative calculation that utilizes patented Artificial Intelligence and Machine Learning to predict the potential maliciousness of a file’s maliciousness.
In addition to having a clear fidelity of assurance regarding the PCAP’s maliciousness, in that same 18 seconds, I gained from a single PCAP:
- Correlated logs and binary material for forensic assessment, an action that generally that takes skilled staff valuable time to collect and analyze.
- Metadata and logs for analysis, in addition to the BluVector hunt score, this detail allowed me to adjudicate and mitigate further events connected to the original event PCAP.
- Logs and event data normally only used by threat hunters to ensure that there were no other infection vectors, eradicate the adversary, and implement containment measures to avoid any damage.
So, I started this game of malicious code ‘cat’n’mouse’, for a specific purpose. I was curious to examine how a single analyst with access to AI and ML would fare against a rule set originally developed for the assessment of skill, threat awareness and response to manufactured cyber events. All it took was 18 seconds! I expected to be able to meet the criteria – I had no idea just how far beyond best practice the outcome would be.
While I have no question that we will continue to see our ever-interconnected environments continue to come under ever increasing attacks, I know without question that BluVector will be at the lead of genuine AI and machine learning use, keeping us ahead of the threat.