Ryuk ransomware targeting organisations globally

The NCSC is investigating current Ryuk ransomware campaigns targeting organisations globally, including in the UK. In some cases, Emotet and Trickbot infections have also been identified on networks targeted by Ryuk.

Ryuk was first seen in August 2018 and has been responsible for multiple attacks globally. Ryuk is a targeted ransomware where demands are set according to the victim’s perceived ability to pay.

The Ryuk ransomware is often not observed until some time after the initial infection, ranging from days to months. This gap gives the actor time to carry out reconnaissance inside the infected network, identifying and targeting critical systems and so maximising the impact of the attack. It also gives defenders an opportunity to mitigate a ransomware attack before it occurs, if the initial infection is detected and remedied.

Ryuk ransomware has been linked to other malware families, in particular the Emotet and Trickbot banking trojans, although it could also be dropped by other malware.

Emotet is a modular banking trojan first detected in 2014. While it has its own capability, it has been increasingly used as a dropper for other trojans, facilitating the deployment of other threats.

Trickbot, which has been targeting victims since late 2016, employs browser manipulation techniques to facilitate data theft with the aim of accessing the victims’ various online accounts in order to enable further fraud and generate financial revenue for the operators.

According to industry reporting, when a Ryuk infection occurs, Emotet is commonly observed distributing Trickbot as part of the infection chain. Trickbot subsequently deploys additional post-exploitation tooling to support the operators' activity, including Mimikatz and PowerShell Empire modules. These facilitate credential harvesting, remote monitoring of the victim's workstation, and lateral movement to other machines within the network.

This initial infection enables the attacker to assess whether the machine presents a ransomware opportunity, and if so, to deploy Ryuk.

The relationship between these threats is modular in nature: Emotet drops other implants, and Trickbot has been distributed by other methods. It is, however, possible that Ryuk could be deployed through an infection chain other than that detailed here.

References

https://www.techradar.com/uk/news/ryuk-ransomware-targets-big-businesses

https://www.us-cert.gov/ncas/alerts/TA18-201A

https://blog.kryptoslogic.com/malware/2019/01/10/dprk-emotet.html

https://www.cybereason.com/blog/one-two-punch-emotet-trickbot-and-ryuk-steal-then-ransom-data

Access to compromised machines can be sold to other criminal operators at any stage in this process, either as a facilitated deployment, or through the sale of credentials for the compromised network (e.g. for RDP access).

Ryuk functionality

Ryuk is a persistent infection. The malware's installer will attempt to stop certain antimalware software and install the appropriate version of Ryuk depending on a system's architecture.

The Ryuk ransomware itself does not contain the ability to move laterally within a network, hence the reliance on access via a primary infection. It does, however, have the ability to enumerate network shares and encrypt those it can access. This, coupled with the ransomware's use of anti-forensic recovery techniques (such as manipulating volume shadow copies), makes recovering from backups difficult.

All non-executable files across the system are encrypted and renamed with the .ryk file extension. A ransom note named RyukReadMe (.html or .txt) is dropped in each processed folder.
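The two artefacts just described (the .ryk extension on encrypted files and the RyukReadMe.html / RyukReadMe.txt note in each processed folder) are what a responder can scope an incident with. The following Python script is an added example, not code from the NCSC advisory: it walks a directory tree (a local disk or a mounted share), records per-folder which files carry the .ryk extension and which folders hold a ransom note, and produces the counts for a first situation report. The sample tree it builds is constructed for the demonstration; point scan_tree at a real path to use it on a host.

```python
"""Triage scanner for Ryuk encryption artefacts (added example, not from the advisory).

Reports, per folder:
  * files carrying the .ryk extension that Ryuk appends to encrypted files
  * ransom notes named RyukReadMe.html or RyukReadMe.txt
Folders with neither artefact are omitted, so the output is the list of
directories and shares that the ransomware has already processed.
"""
import os
import tempfile
from collections import defaultdict
from pathlib import Path

RYUK_EXTENSION = ".ryk"
RANSOM_NOTE_NAMES = {"ryukreadme.html", "ryukreadme.txt"}


def scan_tree(root):
    """Return {folder: {"encrypted": [names], "notes": [names]}} for every
    folder under root that contains at least one Ryuk artefact."""
    findings = defaultdict(lambda: {"encrypted": [], "notes": []})
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            lower = name.lower()          # match case-insensitively, as NTFS does
            if lower.endswith(RYUK_EXTENSION):
                findings[dirpath]["encrypted"].append(name)
            elif lower in RANSOM_NOTE_NAMES:
                findings[dirpath]["notes"].append(name)
    return dict(findings)


def summarise(findings):
    """Aggregate counts for a situation report: affected folders, encrypted
    files, and ransom notes found."""
    encrypted = sum(len(v["encrypted"]) for v in findings.values())
    notes = sum(len(v["notes"]) for v in findings.values())
    return {
        "folders_affected": len(findings),
        "encrypted_files": encrypted,
        "ransom_notes": notes,
    }


def build_demo_tree():
    """Constructed sample data: one processed share folder and one clean one.
    Returns the temporary root directory as a string."""
    root = Path(tempfile.mkdtemp(prefix="ryuk_demo_"))
    hit = root / "shares" / "finance"
    hit.mkdir(parents=True)
    (hit / "q3_report.xlsx.ryk").write_bytes(b"\x00" * 16)      # constructed encrypted file
    (hit / "RyukReadMe.html").write_text("<html>constructed note</html>")
    clean = root / "shares" / "public"
    clean.mkdir(parents=True)
    (clean / "notice.txt").write_text("untouched file")
    return str(root)


if __name__ == "__main__":
    demo_root = build_demo_tree()
    result = scan_tree(demo_root)
    for folder, hits in sorted(result.items()):
        print(f"{folder}: {len(hits['encrypted'])} encrypted file(s), "
              f"{len(hits['notes'])} ransom note(s)")
    print(summarise(result))
```

Run it against a mounted share during triage to see which folders the ransomware reached; folders that hold a note but no .ryk files are worth a closer look, since they show where the encryption pass was interrupted or found nothing it would encrypt.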

Indicators of compromise

Indicators of compromise (IOCs) for threats associated with Ryuk ransomware deployments can be found in the Appendix.

Source: The National Cyber Security Centre
