Ryuk ransomware has spelled doom for organizations since its discovery in August 2018. At the end of 2020, Ryuk operators carried out a series of Ryuk ransomware attacks against multiple hospitals in the U.S. The success of their operations can be gauged from the fact that the Ryuk ransomware gang collected more than $150 million in Bitcoin in ransom payments.
Building on that success, Ryuk's operators appear to have evolved the ransomware further, giving it new and unique capabilities. Its new variant, which self-replicates over the local network, can cause severe damage, reported the French national cybersecurity agency, Agence Nationale de la Sécurité des Systèmes d'Information (better known as ANSSI). The self-spreading capability was found to work only against machines joined to a Windows domain, and it relies on scheduled tasks.
- Ryuk ransomware’s new variant has self-replication capability over a local network.
- It makes use of a privileged account and propagates only to machines that are members of a Windows domain.
- The ransomware contains code that encrypts files and subfolders.
- No mechanism (such as a mutex) that would block re-execution of the ransomware has been identified.
- Files are encrypted with Microsoft CryptoAPI using the AES-256 algorithm.
Ryuk Ransomware’s New Capabilities
ANSSI said that Ryuk's new variant uses Windows scheduled tasks to propagate itself over the local network. It lists every IP address in the local ARP cache and sends a Wake-on-LAN (WoL) packet to each discovered device so that powered-down hosts come online. It then mounts all the shared resources found on each device so that it can encrypt as much content as possible.
ANSSI's analysis found that the legitimate Windows tool schtasks.exe is used to create and run scheduled tasks on each newly compromised host. The analysis also noted the absence of an exclusion mechanism, which ransomware usually has to avoid re-encrypting devices that are already infected.
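The two behaviours described above, remote scheduled-task creation through schtasks.exe and a burst of Wake-on-LAN packets toward many hosts, both leave traces a defender can look for. The script below is an added detection sketch written for this article; it is not ANSSI's or the article's own code. It runs over constructed sample records (Sysmon-style process-creation events and UDP datagrams), not real telemetry. The schtasks.exe switches it inspects (/create, /s, /tr) are the tool's documented options; the host names, user names, task names and file paths are assumptions invented for the sample.

```python
"""Added detection sketch (not from the article or ANSSI).

Flags two behaviours attributed to the self-propagating Ryuk variant:
  1. schtasks.exe creating a task on a *remote* host (/create together
     with /s <host>), the propagation mechanism described in the article.
  2. One sender emitting Wake-on-LAN magic packets to many distinct MACs,
     which a workstation normally has no reason to do.
All input below is constructed sample data.
"""
import re
from collections import defaultdict

# --- constructed Sysmon-style process-creation events (hypothetical) ---------
PROCESS_EVENTS = [
    {"host": "WS01", "user": "CORP\\svc_backup",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /s WS02 /ru SYSTEM /tn "Update" /tr "C:\Users\Public\rk.exe" /sc once /st 00:00'},
    {"host": "WS01", "user": "CORP\\alice",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /tn "Backup" /tr "C:\tools\backup.bat" /sc daily'},
    {"host": "WS03", "user": "CORP\\svc_backup",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /s 10.0.0.7 /u CORP\svc_backup /p ***** /tn "Update" /tr "C:\Users\Public\rk.exe" /sc once'},
    {"host": "WS01", "user": "CORP\\alice",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},
]

# Split a Windows command line into tokens, keeping quoted paths intact.
TOKEN_RE = re.compile(r'"[^"]*"|\S+')


def flag_remote_task_creation(events):
    """Return schtasks.exe invocations that create a task on another host."""
    hits = []
    for ev in events:
        if ev["image"].lower().rsplit("\\", 1)[-1] != "schtasks.exe":
            continue
        toks = TOKEN_RE.findall(ev["cmdline"])
        low = [t.lower() for t in toks]
        # /s names the remote system; a local task creation has no /s.
        if "/create" not in low or "/s" not in low:
            continue
        idx = low.index("/s")
        target = toks[idx + 1] if idx + 1 < len(toks) else None
        task_run = toks[low.index("/tr") + 1].strip('"') if "/tr" in low else None
        hits.append({"source": ev["host"], "user": ev["user"],
                     "target": target, "task_run": task_run})
    return hits


def is_wol_magic_packet(payload: bytes):
    """Return the woken MAC as 'aa:bb:cc:dd:ee:ff' if payload is a WoL magic
    packet (6 x 0xFF followed by the MAC repeated 16 times), else None."""
    if len(payload) < 102 or payload[:6] != b"\xff" * 6:
        return None
    mac = payload[6:12]
    if payload[6:102] != mac * 16:
        return None
    return ":".join(f"{b:02x}" for b in mac)


def build_magic_packet(mac: str) -> bytes:
    """Build a standard WoL magic packet; used here only to construct sample traffic."""
    raw = bytes.fromhex(mac.replace(":", ""))
    return b"\xff" * 6 + raw * 16


# --- constructed UDP records: (src_ip, dst_ip, dst_port, payload) ------------
UDP_SAMPLES = [
    ("10.0.0.5", "255.255.255.255", 9, build_magic_packet(f"00:11:22:33:44:{i:02x}"))
    for i in range(12)
] + [("10.0.0.9", "10.0.0.1", 53, b"\x12\x34\x01\x00" + b"\x00" * 8)]  # ordinary DNS-like query


def wol_fanout(udp_records, threshold=8):
    """Map sender IP -> number of distinct MACs it tried to wake, for senders
    at or above the threshold. One host waking many others is the signal."""
    per_sender = defaultdict(set)
    for src, _dst, _dport, payload in udp_records:
        mac = is_wol_magic_packet(payload)
        if mac:
            per_sender[src].add(mac)
    return {src: len(macs) for src, macs in per_sender.items() if len(macs) >= threshold}


if __name__ == "__main__":
    for hit in flag_remote_task_creation(PROCESS_EVENTS):
        print(f"remote task creation: {hit['source']} -> {hit['target']} "
              f"as {hit['user']}, runs {hit['task_run']}")
    for src, count in wol_fanout(UDP_SAMPLES).items():
        print(f"WoL fan-out: {src} woke {count} distinct hosts")
```

The remote-task check keys on the combination of /create and /s because a single host legitimately creates local tasks all the time, while creating tasks on other hosts is an administrative action that should come from a small, known set of sources. The WoL check counts distinct target MACs per sender rather than raw packet counts, so a management server that wakes one machine repeatedly is not flagged, but a workstation sweeping its ARP cache is.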
Ryuk does not officially operate under the Ransomware-as-a-Service (RaaS) model. However, several different attackers have been observed designing multiple infection chains that lead to the deployment of Ryuk, so a single set of remediation steps covering every deployment method is practically impossible. For this new variant, however, ANSSI says the infection can be contained by stopping its spread to other hosts on the network. It suggests: “One way to tackle the problem could be to change the password or disable the user account (according to the used account) and then proceed to a double KRBTGT domain password change. This would induce many disturbances on the domain – and most likely require many reboots but would also immediately contain the propagation. Other propagation containment approaches could also be considered, especially through the targeting of the malware execution environment.”
Given the success Ryuk's operators enjoyed throughout 2020, its latest variant is one to watch out for in 2021.