Ryuk: Cult Character to Ransomware Villain

If a fan of anime or manga is asked their thoughts on Ryuk, a long discussion about the character popularized in Death Note will undoubtedly follow. Ask someone in the InfoSec community about Ryuk and equally long discussion will ensue—this time an equally interesting lecture about the plot, villains and good-versus-bad will happen, but around the theme of ransomware and its less figurative effect on the number of victims unlucky enough to fill a book.

The Origin Story

Ryuk, the ransomware and subject of this article, was discovered in the wild in mid-August 2018. It made headlines when it was seen actively targeting businesses during the holiday period the same year, including a well-known publishing company. In that instance, it was initially believed the company had suffered an outage. Later research revealed that it was indeed the first active campaign deploying Ryuk. The ransomware had even managed to re-infect and spread to connected networks after it was quarantined—failed security patches couldn’t prevent re-infection when servers were brought back online.

For an incredibly young strain of ransomware, estimated to be only 15 months old, Ryuk has already made a big splash in underground hacker forums as well as with the companies it now calls victims. Ryuk and Sodinokibi are two ransomware families that have made targeting large corporations and government organizations their modus operandi.

Big Game Hunting

When ransomware began making its name for itself as a viable cyberthreat in 2010, those looking to infect and encrypt would try and infect as many users as possible in the shortest time frame. This “spray and pray” approach only relied on a few victims paying the ransom to be financially viable for the hackers behind the campaign. Then, when coin miners became the popular malware option, ransomware infections declined steeply. This decline was steep enough for some to suggest ransomware was dead; however, this premature declaration would come to haunt those who believed we had seen the end of ransomware.

Screenshot of files encrypted by Ryuk ransomware:

Ryuk ransomware encrypted files (.ryk extension)

Rather, cybercriminal organizations and hackers changed tactics. Instead of looking to infect as many users—often users on home PCs—tactics were modified to target larger corporations and government organizations. This targeted method of attack was called “big game hunting” and it was hoped larger ransoms could be demanded while providing a far more targeted, and customized, approach that would lead to more reliable infections. This approach also allowed Ryuk’s operators to demand more—anywhere from 15 to 50 Bitcoin, depending on the target. A security firm that specializes in ransomware believes that Ryuk demands the highest ransoms when compared to other ransomware operators.

The Wizard Behind the Curtain

Pinpointing the responsible party, or parties, behind malware campaigns has always been difficult. It is detective work in an area defined by anonymity. Through careful analysis, however, security researchers can uncover who might be behind the malicious code as well as learn how to defend against it in future encounters. Such analysis led one firm to discover similarities in the code between Ryuk and Hermes, another ransomware family. This led to a belief that whoever was behind Hermes is possibly behind Ryuk. Around this time another theory emerged that the ransomware may be linked to North Korean state-sponsored group Lazarus, due to the group’s use of Hermes in the past.

These similarities were not enough to provide conclusive evidence of Lazarus’ involvement in Ryuk. One reason for this is Hermes had long been distributed on the underground market, so it had been picked up by numerous threat actors who could develop new malware from the source code. New evidence emerged that Ryuk may be of Russian origin rather than North Korean. As the evidence grew, it became clear that Ryuk was being used by two criminal organizations: Wizard Spider and CrypoTech. Wizard Spider is perhaps most well-known for its work with distributing TrickBot. CryptoTech’s use of Ryuk netted the company an estimated $5 million USD in a campaign that ended in January 2019.

Attack Vector

Early on in Ryuk’s life cycle, it was distributed to clean systems as the only malware; latter versions formed part of a multi-attack pattern using Emotet and TrickBot as the initial infection. Once the initial malware infection occurs, Ryuk is dropped onto the compromised machine. This has sometimes been called a “triple threat” infection which starts with the victim receiving a malicious email containing a malicious Word document.

Once opened, the document will request the user to enable macros in one form or the other; once this is done a PowerShell execution script will run that will download Emotet. Once Emotet is executed it will retrieve and execute another payload, normally in the form of TrickBot. The second payload will then attempt to steal credentials and increase the attacker’s privileges on the network; this allows for lateral movement across a network. The increasing of privileges has a second function: to establish a remote desktop protocol (RDP) connection to the attacker’s command and control server. Once this is achieved the attacker can drop Ryuk.

List of Victims Grows

The most recent victim to fall afoul of Ryuk appears to be a company called T-Systems based in Dallas, which provides end-to-end solutions for care facilities in the U.S. The discovery was made by a security researcher while doing open source intelligence work and looking for Ryuk indicators. The researcher discovered that the above-mentioned company showed many of the same Ryuk indicators as seen in previous attacks, many of them targeting companies in Spain. The attack affecting the Dallas-based company could have occurred in November and the researcher discovered that many of the platforms used and operated by the company were down. This suggests that the company was aware of the infection and was in the process of remediation and recovery.

At the time of writing the company had not released a statement confirming or denying whether it did indeed fall victim to Ryuk. The researcher’s evidence—and one piece in particular—does strongly suggest machines had been infected with Ryuk: A screenshot of the company’s site index shows that the ransom note associated with Ryuk was present on the company’s network. The researcher also noted that the ransomware infection spread to public segments such as DMZ, extranet and helpdesk. T-Systems is not the only U.S. victim, however; the Lincoln School District also suffered an attack in early November.

To Pay or Not to Pay

For many companies struck by ransomware infections that have fallen afoul to big game hunting tactics, the question of whether to pay the ransom is never an easy one. Ransomware operators knew that the ransom they demand might pale in comparison to the loss of earnings large corporations could suffer during any prolonged downtime. A price point that seems excessive to an individual is not to a company, which stands to lose much more than a couple hundred thousand dollars. This provides an extra incentive to pay and it is clear that certain companies have and will continue to pay the ransom when required. If they didn’t, we wouldn’t be seeing the surge in infections targeting companies and other organizations.

A recent article warned that those infected with the latest version of Ryuk should not pay. The reason may surprise some but makes perfect sense: The decryptor on the latest version may have been a botched job. Researchers discovered that changes were made to the length of the footer and how it is calculated. As such, files encrypted have bytes removed during the decryption process. This means that the file cannot be decrypted. In summary, the files encrypted will not be decrypted by the decryptor provided by Ryuk operators. This makes paying a pointless exercise, as you are essentially paying for access to your files.

Sometimes files do not contain anything important in the last few bytes so decryption may be possible. However, researchers warned that files stored on Oracle databases do indeed store important file information on the last bytes, so decryption will not work. Researchers further warned that those responsible for the maintenance and security of such databases should be aware of the threat posed by Ryuk and take preventative steps.

Those already infected with the latest version of Ryuk have taken a double gut-punch, especially if improper backups were done (if they were done at all). Even if the ransom was paid, the cybercriminals would be incapable of providing a working decryptor. Paying the ransom would be throwing money away. Often the pay debate is answered in the negative because you are funding criminal organizations or rogue nations such as North Korea. This time, the answer is a definite “do not pay,” as there is no point.

Defending Against Ryuk

Ryuk is a particularly nasty ransomware family, as one of its features is to search for and encrypt not only the machine’s hard drive but also the network drives. This makes recovery from an attack all the trickier. Another nasty feature of Ryuk is that it will also search for Windows volume snapshots and delete them. This prevents users from using the Windows Restore feature to recover from the infection easily.

That being said, Ryuk can be defended against. One way is to never enable macros on Windows documents. As researchers are seeing Ryuk infections paired with first Emotet and then TrickBot, Emotet’s infection vector relies on enabling macros on the original malicious Word document. As this is also dependent on the receiving and opening of a malicious email, employees should be educated on how to spot malicious emails. Companies also should institute security policies covering how such emails are dealt with.

Further steps to take include limiting the users with escalated privileges on company networks. Escalated privileges should be only given to essential staff; namely those hired to secure the company network or administer it. This also applies to RDP use, and sessions should be terminated correctly and only used by staff deemed essential to such operations. These are simple measures to implement and can greatly shift a company’s security posture so that it actively defends against Ryuk as well as other malware strains.

Tomas Meskauskas

Featured eBook
Managing the AppSec Toolstack

Managing the AppSec Toolstack

The best cybersecurity defense is always applied in layers—if one line of defense fails, the next should be able to thwart an attack, and so on. Now that DevOps teams are taking  more responsibility for application security by embracing DevSecOps processes, that same philosophy applies to security controls. The challenge many organizations are facing now ... Read More
Security Boulevard

Tomas Meskauskas

Tomas Meskauskas - Internet security expert, editor of pcrisk.com website, co-founder of Mac anti-malware application Combo Cleaner.

tomas-meskauskas has 22 posts and counting.See all posts by tomas-meskauskas