After SamSam, Ryuk shows targeted ransomware is still evolving

Thanks to Hajnalka Kope of SophosLabs for the research behind this article.

Last month the world learned that the FBI thinks it has identified the two people behind the notorious SamSam ransomware attacks.
SamSam, you may recall, gained notoriety for plundering ransoms from vulnerable targets like hospitals, and for devastating attacks like the one that embattled the City of Atlanta in early 2018.
As with other targeted attacks, SamSam was deployed manually after its operators had broken into a vulnerable network via a poorly-protected RDP port. The SamSam gang’s methodical and patient attacks put them in a position to extort enormous ransoms, and helped them accrue almost $7 million since December 2015.
As you might expect, things have been a bit quiet from SamSam since the FBI’s indictment. The Iranian suspects are beyond the agency’s reach, but they have been identified, their operation has been compromised and, for the time being at least, activities have ceased.
The unmasking followed a period of apparently diminishing returns for SamSam attacks. After the publication of extensive research by Sophos in August, SamSam’s monthly earnings began to decline, even while the frequency of attacks seemed to increase.
Now SamSam seems to have left the stage, but the brand of destructive, stealthy attacks it exemplified didn’t start with SamSam and they didn’t end with it either. In fact, while SamSam may have gained infamy, other kinds of targeted ransomware, like Dharma and BitPaymer, have been deployed more widely, and demanded higher ransoms.
The threat of targeted ransomware is undimmed, and continues to evolve. In August 2018, just as SamSam’s influence begun to diminish, a new strain of targeted ransomware appeared.

Ryuk

Ryuk, named after a character in the manga series Death Note, represents an evolution in ransomware that’s either learning from, building on, stealing from, or paying homage to the targeted malware that’s gone before.
Targeted ransomware of all stripes seems to have converged on a method that, sadly, just works and Ryuk follows it too.
The attackers:

1. Enter the victim’s network via a weak RDP (Remote Desktop Protocol) password.
2. Escalate their privileges until they’re an administrator.
3. Uses their privileged position to overcome security software.
4. Spread their ransomware as widely as possible before encrypting the victim’s files.
5. Leave notes demanding payment in return for decrypting the files.
6. Waits for the victim to contact them via email.

Hackers using targeted ransomware work hard to achieve administrator access because it allows their software to cause so much damage – enough that many victims have no option but to pay five- or six-figure ransoms.
Like its peers, the gang behind Ryuk appears to seek out targets who can pay those kind of eye-watering ransoms, and it has been reported in market sectors such as commodities, manufacturing, and according to some reports healthcare.
When it’s run, Ryuk drops and executes its payload before covering its tracks by deleting itself. The payload cloaks itself by injecting itself into processes run by NT AUTHORITY, taking care to avoid csrss.exe, explorer.exe, and lsass.exe.
To maximise the damage it can cause, the malware tries to shut down a long list of processes and services, such as those associated with security software, before it begins encrypting files.
Ryuk’s encryption seems to be based on code found in an older piece of ransomware, known as Hermes, which is thought by some to be a product of North Korea’s Lazarus hacking group.
According to SophosLabs, both ransomware families: use similar encryption logic; use the same file marker for encrypted files; use the same allowlist when deciding which directories should not be encrypted; and write a batch script file named window.bat.
And, like Hermes, when Ryuk has finished encrypting a computer’s files it attempts to delete any Shadow Copies, eliminating its ability to restore files to a point in time before the attack.
Another legacy of Hermes is that Ryuk writes the string HERMES into the encrypted files, so that it can identify which files it has already encrypted.

By excluding directories with names like Chrome, Mozilla and Windows, and files with .dll, .lnk, .hrmlog, .ini or .exe extensions, from its encryption, the malware leaves web browsers and basic operating system components untouched. Victims are left with just enough elbow room to read a ransom note, buy some cryptocurrency and pay a ransom, but not much else.
Ransom notes are left throughout the afflicted network in both a short and long form, the shorter of which bears a strong similarity to the ransom notes left by BitPaymer ransomware.

Ryuk ransom note (short)

Your network has been penetrated.
All files on each host in the network have been encrypted with a strong algorithm.
Backups were either encrypted or deleted or backup disks were formatted.
Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover.
We exclusively have decryption software for your situation
No decryption software is available in the public.
DO NOT RESET OR SHUTDOWN - files may be damaged.
DO NOT RENAME OR MOVE the encrypted and readme files.
DO NOT DELETE readme files.
This may lead to the impossibility of recovery of the certain files.
To get info (decrypt your files) contact us at
████████@protonmail.com
or
████████@tutanota.com
BTC wallet:
████████████████████████████████
Ryuk

BitPaymer ransom note

Your network has been penetrated.
All files on each host in the network have been encrypted with a strong algorythm.
Backups were either encrypted or deleted or backup disks were formatted.
We exclusively have decryption software for your situation
DO NOT RESET OR SHUTDOWN - files may be damaged.
DO NOT RENAME the encrypted and readme files.
DO NOT MOVE the encrypted and readme files.
DO NOT DELETE readme files.
This may lead to the impossibility of recovery of the certain files.
To get info(pay-to-decrypt your files) contact us at:
████████@protonmail.com
or
████████@tutanota.com
BTC wallet:
████████████████████████████████
To confirm our honest intentions.
Send 2 different random files and you will get it decrypted.
It can be from different computers on your network to be sure we decrypts everything
Files should have both .locked and .readme_txt extensions of each included.
2 files we unlock for free.
KEY:AQIAAAFoAAAApAAApiQdDD0QxLNwn]Vc26GOQ1RI/n8SwuHzWbXD]Ym3+TnvL69poNWPnnZVBNdo
ProXalFT4B0HvYRdf7T+UPqhISUdsqzsVMZhblWz57z7R5LkHAN]s3VY3wg63BIrl9UVCHOlAjcj
zIPm6B3uTFSNo2pe0OwYcir7yXz5qjMImVQw=

Ryuk demands ransoms of between 15 and 50 bitcoins (between $50,000 and $170,000), with the price escalating by 0.5 bitcoins every day the victim doesn’t pay.
Unlike SamSam, which arranged ransom payments using a Dark Web site visible to anyone who knew the address, each Ryuk attack has a unique email address and Bitcoin ID. This makes negotiations and payments harder to track, but Ryuk is known to have made more than $600,000 USD within two weeks in August.
Bitcoin payments are public so, in an apparent attempt to make following the money harder, Ryuk ransoms are sub-divided into new Bitcoin addresses over and over. Each subdivision sees an address’s contents split into portions of 25% and 75%, with each portion deposited into a new address until the funds at any one address are negligible.

What to do?

The similarities in approach taken by different targeted ransomware groups is a matter of convergence. They do the same things because that’s what delivers them the best balance of risk and reward.
That homogeneity gives defenders one advantage: the same diligence and precautions required to prevent an attack by one form of targeted ransomware are much the same as those required to stop any other. You can read more about those precautions in the article How to defend yourself against SamSam ransomware.
More information about how targeted ransomware attacks work, and how to defeat them, is available in the SophosLabs 2019 Threat Report.
Image of Ryuk cosplayer courtesy of Flickr user Roger Murmann under Creative Commons license.