Ryuk Links to Russian Cybercrime
[Update January 2020: A new variant appears to target sensitive documents relating to military, law enforcement and government entities, as well as financial data such as banking statements. In addition to the Microsoft Word (docx) and Excel (xlsx) files scanned for by the previous variant, the new variant now adds C++ source code, PDF, JPG, Microsoft Word (doc) and Excel (xls) files, as well as cryptocurrency wallets. The contents of files found matching these file types are then checked against a list of 85 keywords and the filenames against a list of 55 keywords. These keywords include financial terms such as SWIFT, IBAN, 10-SB and EDGAR. Of greater concern, these keywords also include terms like NATO, attack, spy, tactical, radar, clandestine, investigation and victim. Clearly documents matching these terms would be considered highly confidential or classified.]
What Is It?
Ryuk ransomware is exclusively utilized by a Russian-based cybercrime organization known as Wizard Spider (also referred to as Grim Spider). This group also controls the Trickbot banking malware, often a precursor to a Ryuk infection.
Wizard Spider takes a pragmatic approach to deploying Ryuk, specifically targeting large organizations and government entities. They focus on compromising these networks directly, gaining control of as many systems as possible prior to executing Ryuk. They do this to provide the best potential for profit, a strategy that appears to work, as research suggests the average Ryuk ransom payment is ten times the ransomware average.
Due to the targeted nature of Ryuk attacks and the hands-on approach taken to compromising targets, there is no single attack vector. Malicious phishing emails and poorly secured, internet-facing RDP (Remote Desktop Protocol) servers are popular vectors for known Ryuk attacks. A favored modus operandi following a successful compromise of a target is to infect systems with both Emotet and Trickbot banking malware. Both of these are effectively bots and can spread laterally through a network. This provides the attackers with an infrastructure to infect systems with Ryuk simultaneously, maximizing the number of systems encrypted, while also using their credential and file stealing capabilities, which allows for the theft of sensitive information prior to the ransomware attack.
Ryuk boasts a long list of victims including the cities of New Orleans, New Bedford and Lake City, healthcare managed services providers T-Systems, CorVel and PerCSoft, mass mailer Pitney Bowes, legal services provider Epiq Global, defense contractor EWA, manufacturers TECNOL and Pliz, IT services provider CloudJumper, Tribune Publishing and Spain’s largest radio station Cadena SER. One of Ryuk’s higher profile attacks impacted 23 local governments in Texas simultaneously in August 2019.
So far, Ryuk attacks continue unabated, with the attackers continuing to add to both their profits and their arsenal. First seen in September 2019, Ryuk Stealer malware, used in conjunction with Ryuk ransomware attacks, is specifically designed to scan for and exfiltrate files that appear to contain sensitive information.
How Does It Propagate?
The Ryuk malware itself does not contain the necessary code to self-propagate, though it is usually deployed to compromised networks using the Emotet and Trickbot trojans, which are capable of propagation via poorly secured systems and network shares. Popular attack vectors include malicious spam and compromise of RDP (Remote Desktop Protocol) servers.
When/How Did BluVector Detect It?
A publicly available Ryuk sample associated with the City of New Orleans was regression tested, and BluVector’s patented Machine Learning Engine (MLE) would have detected it 36 months prior to its release; this is consistent with other Ryuk variants tested. The Ryuk Stealer variant released in January 2020 would have been detected 68 months before it was released.