Ryuk Crypto-Ransomware

Executive Summary

First identified in 2018, 'Ryuk' is a known malware family that is usually dropped onto a system by other malware, most notably TrickBot and BazarLoader, following a spear-phishing lure or initial access gained through Remote Desktop Services. Ryuk demands payment in Bitcoin and directs victims to deposit the ransom in a specific Bitcoin wallet.

The ransom demand is typically between 15 and 50 Bitcoin, roughly $100,000-$500,000 depending on the exchange rate. Once on a system, Ryuk steals credentials in order to spread through the network using PsExec, WMI, PowerShell or Group Policy, trying to infect as many endpoints and servers as possible while evading endpoint controls. The malware then begins the encryption process, specifically targeting backups, which it successfully encrypts in most cases; in most cases a Cobalt Strike beacon is also installed to further solidify control over the affected resources.

Ryuk's targets tend to be high-profile organizations where the attackers know they are likely to be paid their steep ransom demands, most often in the healthcare industry. Victims include EMCOR, UHS hospitals and several newspapers. By targeting these organizations, Ryuk was estimated to have generated $61 million in revenue for its operators between February 2018 and October 2019 [5].

Ryuk is often the last piece of malware dropped in an infection cycle that starts with either Emotet or TrickBot. Multiple malware infections can greatly complicate remediation. There has been an increase in cases where Emotet or TrickBot is the initial infection and multiple malware variants are dropped onto the system, with the end result being a Ryuk infection. Since TrickBot is a banking trojan, it has likely harvested and exfiltrated financial account information from the infected systems before dropping Ryuk.

Ryuk is one of the first ransomware families able to identify and encrypt network drives and resources and to delete shadow copies on the endpoint. The attackers can therefore disable Windows System Restore for users, making it impossible to recover from an attack without external backups or rollback technology.

The group behind Ryuk ransomware distribution, UNC1878, continues to target various industries, including healthcare, relying on BazarBackdoor. Healthcare and social services currently account for 13.36% of victims by industry.

Delivery

As with many malware attacks, the delivery method is malspam. These emails are often sent from a spoofed address so that the sender name does not raise suspicion. The payload sent to victims is hardcoded with unique and specific IPs, meaning every campaign is in fact unique and tailored per victim (organization, sector or individual):

Figure 1: Lure sent to the victim

A typical Ryuk attack begins when a user opens a weaponized Microsoft Office document attached to a phishing email.

Further observed subject lines include the following (names and identifiers redacted):

  • 9100091 Canada Inc.
  • {First Name} {Last Name}
  • {Company Name} SIGNS PAYMENT NOTIFICATION 10.14.2020
  • {Last Name}, {First Name} Payment Summary - Ref Id: D504336
  • RE: Title conditions
  • {Last Name}, {First Name}
  • my visit and call
  • RE: {Company Name}
  • upcoming commercials for approval- {Redacted}
  • RE: {Company Name} URGENT sept 19th if possible- please read email
  • Borrowing Base Certificate, A/R Aging, and Inventory listing from {Company Name}?
  • {Last Name}, {First Name}
  • Re: File # {Redacted}, Loan # {Redacted}, {Company Name}, {Address}
  • {Last Name}, {First Name}
  • {Last Name} {First Name}
  • {Last Name} and {Company Name} Back to Back 3-point games STAT
  • October Statement - {Company Name}
  • Payment Advice - ACH Transfer Notification - Ref:[Redacted] / ACH credits
  • Payroll - {Company Name}
  • Please approve - {Company Name}
  • Potential {First Name} {Last Name} Shutout STAT
  • Purchase Order - {Redacted} TSA from {Company Name}
  • RE: {First Name}, i'm waiting for a call
  • RE: {First Name}, office meeting
  • RE: {Last Name}
  • Re: Automatisch antwoord: {Redacted} {First Name} {Last Name} ---- BWA 03-2019
  • Re: {First Name} {Last Name}
  • RE: {Company Name}
  • RE: {Redacted} - {Company Name} du 30 mars au 2 avril 2020
  • RE: {Company Name} termination list
  • RE: {Company Name} - Bonus
  • RE: {First Name}, your task list
  • RE: {Company Name} URGENT sept 19th if possible- please read email
  • RE: {Redacted} Card, Monthly Payments
  • RE: Purchasing Card documents
  • RE: {Company Name} - {Redacted}
  • RE: Re: Brick for {First Name}
  • RE: RE: Enrollment Form for New Employee
  • Re: RE: EXTERNAL: Delivery 11-07-19
  • Re: RE: Loan Request
  • Re: RE: Local/Indy Radio Show
  • Re: RE: {Redacted} cARD
  • RE: RE: returned check NSF
  • RE: Report for {First Name}
  • RE: {Last Name}
  • RE: Securemail Payoff amounts needed
  • RE: {Company Name} Bank Employee Survey
  • revised commercial
  • {Company Name} Advisors Access Online
  • March Statement - {Company Name}
  • Please approve
  • {First Name} {Last Name} Online Payment - Ref Id: {Redacted}
  • RE: {First Name}, debit confirmation
  • Re: debit
  • RE: my call
  • Re: my visit and call

Infection

Two infection methods were observed:

  • External download of different types of binaries (TrickBot, Emotet).
  • Office file embedded with a malicious macro.

In the case of the attached Office file, opening the document causes a malicious macro to execute a PowerShell command that attempts to download the banking Trojan Emotet. Emotet can download additional malware onto the infected machine, and it retrieves and executes TrickBot, whose main payload is spyware. TrickBot collects credentials, performs privilege escalation, attempts to evade endpoint security controls, deletes shadow copies using "vssadmin", gains persistence through the Task Scheduler, and allows the attackers to move laterally to critical assets on the network. The attack chain concludes when the attackers execute Ryuk on each of these assets and, in other observed instances, when a Cobalt Strike beacon is installed.

Figure 2: Ransom letter on the victim's desktop

Figure 3: Ransom letter on the victim's desktop

For encryption, Ryuk uses the RSA and AES algorithms with three keys. The threat actors hold a private global RSA key as the base of their model. The second RSA key is delivered to the system via the main payload and is itself already encrypted with the TA's private global RSA key. Once the malware is ready to encrypt, an AES key is created for the victim's files and encrypted with the second RSA key. Ryuk then scans and encrypts every drive and network share on the system. Finally, it creates the ransom note "RyukReadMe.txt" and places it in every folder on the system.

Based on the following sample, d8ab0c6982ea7674ed4e53e4bfc7234a56b018090819b79f67a9cc6034fc98e2, the payload was signed by a unique, since-revoked certificate:

Common Name: SNAB-RESURS, OOO
Subject Alternative Names: othername:<unsupported>
Organization: SNAB-RESURS, OOO
Locality: Tyumen
State: Tyumen Oblast
Country: RU
Valid From: August 28, 2020
Valid To: July 28, 2021
Issuer: DigiCert EV Code Signing CA (SHA2), DigiCert Inc
Serial Number: 0ed1847a2ae5d71def1e833fddd33d38
Fingerprint (SHA-1): E611A7D4CD6BB8650E1E670567AC99D0BF24B3E8
Fingerprint (MD5): 716771EFD0B8D4AD6B3DB6FDF4BA1DFC

Every file signed by this certificate is considered a known malicious payload linked to the BazarLoader malware family.

Command & Control

Upon successful infection of the targets, the malware keeps a command and control (C2) connection to a variety of IPs and domains, including the Cobalt Strike beacon, which allows the attackers to maintain full control of the infected resources. It uses a specific set of User-Agents, communicates over HTTP/HTTPS, and requests common-looking paths (.css, .php, .js) in order to minimize potential exposure.

Cyberint's Research team was able to map out a potential list of C2 servers and domains used by UNC1878 and linked to TrickBot and Ryuk, with Cobalt Strike as the communication channel.

The sample d8ab0c6982ea7674ed4e53e4bfc7234a56b018090819b79f67a9cc6034fc98e2 had a hardcoded communication IP and domain (45.147.229.44 and backup-helper.com), which clearly indicates that this specific sample was created to target a single victim.

This IP revealed unique server metadata and a self-signed HTTPS certificate that were later used to pivot on:

The specific server header used, Server: golfe2, is a clear indication of a Cobalt Strike beacon C2 server.

The HTTPS certificate on port 443 contained a unique organization name, lol, and an interesting location: Taxsa instead of Texas, an original typo by the threat group.

Domains that use the lol organization certificates were all registered by the following email addresses, making it easy to continue mapping the Ryuk C2 domains:

  • gaskinss@protonmail.com
  • hakunamatata222@protonmail.com
  • james4041238767@protonmail.com
  • highcicker@protonmail.com

Mapping the Cobalt Strike communication protocol used by Ryuk and linked to these servers and domains made it possible to create a more recent and reliable list of Cobalt Strike servers that are in fact part of the campaign.

As the services used as communication channels respond with empty responses when accessed directly, specific paths are used in order to mask communications. As can be seen below, the paths consist of different .css files:

  • HostIP: 45.147.229.44
  • HostPort: 443
  • URIResponseArch: x86, x64
  • BeaconType: 8 (HTTPS)
  • Port: 443
  • Polling: 60283
  • Jitter: 39
  • Maxdns: 249
  • C2Server: mn.backup-helper.com,/template.css,nm.backup-helper.com,/fam_calendar.css,ws.backup-helper.com,/fam_calendar.css mn.backup-helper.com,/template.css,nm.backup-helper.com,/template.css,ws.backup-helper.com,/fam_calendar.css
  • UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246
  • HTTPMethodPath2: /gv /fam_newspaper
  • DNSIdle: \x1E\xBEI\x86
  • DNSSleep: 0
  • Method1: GET
  • Method2: POST
  • Spawnto_x86: %windir%\syswow64\regsvr32.exe
  • Spawnto_x64: %windir%\sysnative\regsvr32.exe
  • ProxyAccessType: 2 (Use IE settings)
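To turn this beacon profile into a detection, here is an added example in Python (not from the Cyberint report) that scans web-proxy log lines for the profile's hosts, URI paths, HTTP methods and User-Agent. The log lines and their one-line format are constructed for the example; the host, path, method and User-Agent values come from the configuration above.

```python
# Added example (not from the Cyberint report): flag proxy log lines that match
# the Cobalt Strike beacon profile extracted from the sample. Log lines below
# are constructed; the "ts client method url status "ua"" format is assumed.
import re
from dataclasses import dataclass

# Beacon profile values taken from the configuration dump on this page.
C2_HOSTS = {
    "mn.backup-helper.com",
    "nm.backup-helper.com",
    "ws.backup-helper.com",
}
GET_PATHS = {"/template.css", "/fam_calendar.css"}   # C2Server URIs, Method1: GET
POST_PATHS = {"/gv", "/fam_newspaper"}               # HTTPMethodPath2, Method2: POST
BEACON_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246")

# Constructed proxy log (not real traffic): two beacon check-ins to the C2
# hosts, one benign CSS fetch, and one beacon-like request to a non-C2 host.
SAMPLE_LOG = """\
1603713600.101 10.0.0.15 GET https://mn.backup-helper.com/template.css 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246"
1603713600.402 10.0.0.15 GET https://www.example.com/style/template.css 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.75 Safari/537.36"
1603713660.233 10.0.0.15 POST https://ws.backup-helper.com/fam_newspaper 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246"
1603713700.009 10.0.0.22 GET https://cdn.example.org/fam_calendar.css 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)
URL_RE = re.compile(r'^https?://(?P<host>[^/:]+)(?::\d+)?(?P<path>/[^?]*)?')


@dataclass
class Hit:
    ts: str
    client: str
    host: str
    path: str
    reasons: tuple


def classify(method, host, path, ua):
    """Return the profile elements a single request matches, in a fixed order."""
    reasons = []
    if host in C2_HOSTS:
        reasons.append("c2-host")
    if method == "GET" and path in GET_PATHS:
        reasons.append("get-path")
    if method == "POST" and path in POST_PATHS:
        reasons.append("post-path")
    if ua == BEACON_UA:
        reasons.append("beacon-ua")
    return reasons


def scan(log_text, min_reasons=2):
    """Return Hit objects for lines matching a known C2 host, or at least
    `min_reasons` other profile elements. Requiring two elements avoids
    alerting on every benign /template.css request on the network."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        u = URL_RE.match(m["url"])
        if not u:
            continue
        host, path = u["host"].lower(), u["path"] or "/"
        reasons = classify(m["method"], host, path, m["ua"])
        if "c2-host" in reasons or len(reasons) >= min_reasons:
            hits.append(Hit(m["ts"], m["client"], host, path, tuple(reasons)))
    return hits


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"{h.ts} {h.client} -> {h.host}{h.path} [{', '.join(h.reasons)}]")
```

The fourth sample line shows why the User-Agent matters on its own: a stale Chrome 42 / Edge 12 string on a 2020 Windows 10 host is unusual enough to count as an indicator even when the destination is not yet on a blocklist.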

Recommendations

  • Create a dedicated backup plan for critical assets and resources.
  • Create and set up a Business Continuity Plan.
  • Sharpen Incident Response processes.
  • Deploy strong endpoint protection controls (AV and EDR).
  • Raise phishing awareness among all personnel.
  • In case of impact, Cyberint recommends not paying the ransom.
  • Enable MFA on all personnel accounts.
  • Block the following lists of IOCs on the relevant network controls used in your organization.

Indicators Of Compromise

Malware IOCs (SHA-256 hashes):


Command & Control (C2) IPs:


Command & Control (C2) domains:


Yara Rule

The following Yara rule, created by McAfee Advanced Threat Research [8], can be used to detect new Ryuk samples:

rule Ransom_Ryuk_sept2020 {
    meta:
        description = "Detecting latest Ryuk samples"
        author = "McAfee ATR"
        date = "2020-10-13"
        malware_type = "ransomware"
        malware_family = "Ransom:W32/Ryuk"
        actor_type = "Cybercrime"
        actor_group = "Unknown"
        hash1 = "cfdc2cb47ef3d2396307c487fc3c9fe55b3802b2e570bee9aea4ab1e4ed2ec28"
    strings:
        $x1 = "\" /TR \"C:\\Windows\\System32\\cmd.exe /c for /l %x in (1,1,50) do start wordpad.exe /p " fullword ascii
        $x2 = "cmd.exe /c \"bcdedit /set {default} recoveryenabled No & bcdedit /set {default}\"" fullword ascii
        $x3 = "cmd.exe /c \"bootstatuspolicy ignoreallfailures\"" fullword ascii
        $x4 = "cmd.exe /c \"vssadmin.exe Delete Shadows /all /quiet\"" fullword ascii
        $x5 = "C:\\Windows\\System32\\cmd.exe" fullword ascii
        $x6 = "cmd.exe /c \"WMIC.exe shadowcopy delete\"" fullword ascii
        $x7 = "/C REG ADD \"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\" /v \"EV\" /t REG_SZ /d \"" fullword wide
        $x8 = "W/C REG DELETE \"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\" /v \"EV\" /f" fullword wide
        $x9 = "\\System32\\cmd.exe" fullword wide
        $s10 = "Ncsrss.exe" fullword wide
        $s11 = "lsaas.exe" fullword wide
        $s12 = "lan.exe" fullword wide
        $s13 = "$WGetCurrentProcess" fullword ascii
        $s14 = "\\Documents and Settings\\Default User\\sys" fullword wide
        $s15 = "Ws2_32.dll" fullword ascii
        $s16 = " explorer.exe" fullword wide
        $s17 = "e\\Documents and Settings\\Default User\\" fullword wide
        $s18 = "\\users\\Public\\" fullword ascii
        $s19 = "\\users\\Public\\sys" fullword wide
        $s20 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\" fullword ascii

        $seq0 = { 2b c7 50 e8 30 d3 ff ff ff b6 8c }
        $seq1 = { d1 e0 8b 4d fc 8b 14 01 89 95 34 ff ff ff c7 45 }
        $seq2 = { d1 e0 8b 4d fc 8b 14 01 89 95 34 ff ff ff c7 45 }
    condition:
        ( uint16(0) == 0x5a4d and
          filesize < 400KB and
          ( 1 of ($x*) and 5 of them ) and
          all of ($seq*) ) or ( all of them )
}
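The command lines behind the rule's $x2, $x3, $x4, $x6 and $x7 strings are also visible in endpoint telemetry before the ransom note appears. The following added example in Python (not part of the report or the McAfee rule) matches those same recovery-inhibiting and persistence commands against process-creation events and escalates a host that chains several of them; the event line format, the sample events and the escalation threshold are assumptions made for the example.

```python
# Added example (not from the Cyberint report or the McAfee rule): match the
# command lines behind the rule's $x2, $x3, $x4, $x6 and $x7 strings against
# process-creation events. Event lines below are constructed for the example;
# the one-line "ts host= user= image= cmdline=" format is an assumption.
import re

# (name, ATT&CK technique, pattern). Matching is case-insensitive and tolerant
# of whitespace because live command lines are not byte-exact copies of the
# strings embedded in the binary.
PATTERNS = [
    ("vssadmin-delete-shadows", "T1490",
     re.compile(r'vssadmin(?:\.exe)?\s+delete\s+shadows\s+/all\b', re.I)),
    ("wmic-shadowcopy-delete", "T1490",
     re.compile(r'wmic(?:\.exe)?\s+shadowcopy\s+delete\b', re.I)),
    ("bcdedit-recovery-disabled", "T1490",
     re.compile(r'bcdedit(?:\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b', re.I)),
    ("bcdedit-ignore-boot-failures", "T1490",
     re.compile(r'bcdedit(?:\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures\b', re.I)),
    # $x7: Run-key persistence under the value name "EV". T1547.001 (Registry
    # Run Keys) is the matching sub-technique; it is not in the report's table.
    ("run-key-EV", "T1547.001",
     re.compile(r'reg\s+add\s+"?hk(?:ey_current_user|cu)\\software\\microsoft\\windows'
                r'\\currentversion\\run"?\s+/v\s+"?ev"?(?:\s|$)', re.I)),
]

EVENT_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) image=(?P<image>\S+) cmdline=(?P<cmd>.*)$'
)

# Constructed process-creation events: four from one workstation within a few
# seconds (the Ryuk pattern) and one benign administrative query elsewhere.
SAMPLE_EVENTS = r'''
2020-10-14T09:12:01Z host=WS-041 user=CORP\jdoe image=C:\Windows\System32\cmd.exe cmdline=cmd.exe /c "vssadmin.exe Delete Shadows /all /quiet"
2020-10-14T09:12:01Z host=WS-041 user=CORP\jdoe image=C:\Windows\System32\cmd.exe cmdline=cmd.exe /c "WMIC.exe shadowcopy delete"
2020-10-14T09:12:02Z host=WS-041 user=CORP\jdoe image=C:\Windows\System32\cmd.exe cmdline=cmd.exe /c "bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures"
2020-10-14T09:12:03Z host=WS-041 user=CORP\jdoe image=C:\Windows\System32\cmd.exe cmdline=cmd.exe /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "EV" /t REG_SZ /d "C:\users\Public\sys"
2020-10-14T09:15:44Z host=WS-017 user=CORP\backupsvc image=C:\Windows\System32\vssadmin.exe cmdline=vssadmin list shadows
'''


def detect(cmdline):
    """Return the (name, technique) pairs whose pattern occurs in one command line.
    A single 'cmd /c a & b' line can legitimately match more than one."""
    return [(name, tech) for name, tech, rx in PATTERNS if rx.search(cmdline)]


def triage(log_text, threshold=2):
    """Group findings per host and escalate hosts with at least `threshold`
    distinct T1490 (Inhibit System Recovery) indicators: one vssadmin call can
    be an administrator, a chain of them almost never is."""
    per_host = {}
    for line in log_text.strip().splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        for finding in detect(m["cmd"]):
            per_host.setdefault(m["host"], set()).add(finding)
    escalate = {host for host, findings in per_host.items()
                if sum(1 for _, tech in findings if tech == "T1490") >= threshold}
    return per_host, escalate


if __name__ == "__main__":
    findings, escalated = triage(SAMPLE_EVENTS)
    for host, found in findings.items():
        flag = "ESCALATE" if host in escalated else "review"
        print(f"{host}: {flag} {sorted(name for name, _ in found)}")
```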

MITRE ATT&CK

Technique                                                      Tactic
T1003 - OS Credential Dumping                                  Credential Access
T1016 - System Network Configuration Discovery                 Discovery
T1021.001 - Remote Desktop Protocol                            Lateral Movement
T1036.005 - Masquerading: Match Legitimate Name or Location    Defense Evasion
T1047 - Windows Management Instrumentation                     Execution
T1053 - Scheduled Task                                         Persistence
T1055 - Process Injection                                      Privilege Escalation
T1057 - Process Discovery                                      Discovery
T1059.001 - PowerShell                                         Execution
T1059.003 - CMD                                                Execution
T1083 - File and Directory Discovery                           Discovery
T1087 - Account Discovery                                      Discovery
T1106 - Native API                                             Execution
T1134 - Access Token Manipulation                              Privilege Escalation
T1204 - User Execution                                         Execution
T1482 - Domain Trust Discovery                                 Discovery
T1486 - Data Encrypted for Impact                              Impact
T1489 - Service Stop                                           Impact
T1490 - Inhibit System Recovery                                Impact
T1562.001 - Impair Defenses: Disable or Modify Tools           Defense Evasion
T1566 - Phishing                                               Initial Access

References

[1] https://www.ncsc.gov.uk/files/RYUK Advisory draft CP June 2019.pdf

[2] https://github.com/sophoslabs/IoCs/blob/master/Ransomware-Ryuk.csv

[3] https://news.sophos.com/en-us/2020/10/14/inside-a-new-ryuk-ransomware-attack/

[4] https://www.advanced-intel.com/post/anatomy-of-attack-inside-bazarbackdoor-to-ryuk-ransomware-one-group-via-cobalt-strike

[5] https://www.zdnet.com/article/fbi-ransomware-victims-have-paid-out-140-million-one-version-has-cost-them-the-most/

[6] https://www.malwarebytes.com/ryuk-ransomware/

[7] https://research.checkpoint.com/2018/ryuk-ransomware-targeted-campaign-break/

[8] https://github.com/advanced-threat-research/Yara-Rules/blob/master/ransomware/RANSOM_Ryuk.yar

[9] https://info.phishlabs.com/blog/ryuk-ransomware-targeting-healthcare

[10] https://us-cert.cisa.gov/ncas/alerts/aa20-302a

[11] https://gist.github.com/aaronst/6aa7f61246f53a8dd4befea86e832456

[12] http://blacklists.cert.gov.ge/unc1878_domains.txt

[13] http://blacklists.cert.gov.ge/unc1878_ip.txt

[14] https://github.com/whickey-r7/grab_beacon_config

[15] https://feeds.alphasoc.net/ryuk.txt