//Blogs - 9 Oct 2019

Ryuk Ransomware and Action – Summary Information


Welcome to my first blog post, today topic involves Ryuk Ransomware, which has had some press of late thought it might be useful to supply summary details about this ransomware variant to aid understanding and steps to aid mitigation.

Written for quick absorption, without further ado, please find ready for consumption a non-exhaustive, best effort ‘Ryuk Ransomware and Action – Summary Information’ below the fold (popcorn optional).


** Ryuk Ransomware and Action – Summary Information **

Meaning: “Gift of God”
Highly complex ransomware, constantly under development

Primary purpose: “Money Maker”
Secondary purpose: Potential sald for further exploit (compromised host marketplace)

Trojan Associations:
– Emotet (modular malware, emerged in 2014, primarily used as downloader for other malware, i.e., trickbot & IcedID)
– Trickbot (spyware, emerged 2016, mainly used to target banks, distributed via spam email or Emotet’s geo-based d/l function)

*Highlevel Process Flow – Ryuk Ransomware (quick simple flow)*
– Spam email /w malicious doc
– Emotet and/or Trickbot malware installed
– Credential theft
– Create new Admin User
– Lateral movement through network
– Recon Active Directory
– Attempts to disable host security protection and 3rd-party backup services
– Deletes Windows VSS shadow copies
– Ryuk ransomware deployed


Ryuk Stealth Aspect:
– Dropper is deleted by payload
– Encryption could occur days, weeks or year after infection
– Activation delay presumed to be surveillance related / actors performing reconnaisance on their ‘big game’
– Known Anti-forensics include PowerShell anti-logging scripts, anti-analysis infinite loop

Encrypted file extension: .RYK

Ransom note filename: “RyukReadMe.txt”
Ransom note includes:
– Two private email addresses
– In addition, variants observed, one includes payment related details, whilst another doesn’t and victim to make contact

Lateral movement:
– RDP Usage (via brute force and vulnerability exploit)
– SMB exploit (MS17-010)
– Continues until privileges recovered to reach DC.

Makes use of any or all of following tools:
– PsExec (free Microsoft sysinternals tool): To push Ryuk binary to individual hosts
– PowerShell Empire: D/L and installed as a service, PowerShell agents and keyloggers
– ‘pwgrab’ (Trickbot module) for recovering credentials
– Mimikatz: Steal admin credentials and create persistent backdoors

– Early variants had persistence,
– recent reports indicates newer variants do not persist after restart
– be prepared for either

– TrickBot is leveraged for lateral movement and to infect as many machines as possible
  (It then deploys Ryuk at a randomly determined time)
– When TrickBot compromises a machine, it is bundled with a library of modules, used to:
  – perform reconnaissance
  – harvest credentials
  – perform lateral movement
– Ryuk:
  – attempts to disable AV products and delete Windows VSS shadow copies before ransomware starts encryption procedure
  – operates with a whitelist of three file extension types: exe, dll and hrmlog
    (hrmlog believed to be a debug log filename created during development of Ryuk’s 2017 predecessor, Hermes ransomware)
  – disables several 3rd-party backup services, including Acronis, SQLSafe, VEEAM, and Zoolz
 – PowerShell Empire, a well-known penetration-testing tool, is no longer maintained by its creators (respected members of the infosec community)
   – its capabilities and behaviors closely resemble those used by current nation state advanced persistent threat actors
   – evades security solutions, operating in a covert manner, and enabling attackers’ total control over compromised systems
   – Empire’s use among cybercriminals grew exponentially and in 2018, the UK’s National Cyber Security Center included Empire on its shortlist of the five most dangerous publicly available hacking tools
   – However, development of Empire framework stopped after creators said “project reached its initial goal”
 – Ryuk victims may have a small chance of getting free decryption through Security firm Emisoft’s free decrypt tools

*Defending against Ryuk and other ransomware*
Considerations that usual methods for delivering ransomware are rarely complicated, simply relying on tried and tested techniques such as:
– exploiting vulnerabilities
– sending spam and phishing emails
– stealing user credentials (also consider obtained via credential stuffing)

User/staff awareness!
– enhance your user saviness and confidence in identifying and appropriately fielding suspicious emails
– encourage users to be avid first line reporters

ASD Essential 8 Mitigation Strategies:
– preventing malware delivery and execution
  – application whitelisting
  – configure MS Office Macro setting
  – patch Apps
  – user app hardening
– limiting the extent of cyber security incidents
  – restrict administrative privileges
  – MFA
  – patch operating systems
– recovering data and system availability
  – daily backups

Other Government produced advisories:
– Follow ACSC “Guidelines for System Management” (October 2019), ensuring networks and systems are patched or appropriate measures are in place
  – advice included under ‘When patches are not available’
– Review NCSC guidance publication named “Mitigating Malware”, specifically section four titled (see references for url):
  – “What to do if you (or your organisation) has been infected with malware”

Enterprise deployment or configuration considerations include…

Follow industry best practice wherever, or whenever possible, however specific recommendations as follows…

Following good practice, non-exhaustive:
– Restrict use of system administration tools, i.e., PsExec, do admins really need to use it?
– Disable unnecessary services, i.e., RDP/terminal services

Backups – you might have them, but recommend testing them during quiet times!

– goes without saying, but logs are essential
– ensure logging is enabled wherever possible (and you have capacity for it), inc PowerShell logging and security
– sysmon is also a handy tool,
  – free from MS sysinternals
  – offers valuable capabilities, event collection, processes, netcons, hashes, registry mods, file creations and more!
  – SIEM forwarding, i.e., a sysmon add-on for splunk exists

Software Restriction Policy (SRP):
– SRPs are a Group Policy-based feature that identifies software programs running on computers in a domain
– controls the ability of those programs to run, including specific file path locations, e.g., %APPDATA% directory in the user profile
– Software restriction policies are part of the Microsoft security and management strategy

Perform annual policy reviews and enforce compliance

Detecting Compromised Hosts:
– review available Indicators of Compromise (IoCs)
  – SIEM, security solution revews (searchable audit trail if not fed into SIEM), cloud analytic services (e.g., MS Defender ATP)
– Email Security / Gateway reviews
  – ID recipients of an identified phishing email, solutions such as Mimecast can track users interaction with rewritted urls, malware may not have activated yet
– undertake appropriate scanning / log reviews
  – outbound traffic f/w log reviews
  – vulnerability scan assets within specified IP ranges to detect assets and associated vulns, especially SMB related, e.g., eternalblue
    (shine your light in your network! did you know about all assets listed in results?)
  – SCCM review, are you offering all appropriate patches?
    – marry up what is listed vuln wise within your vulnerabilty scanning tool asset results, and what is offered by SCCM
    – use automatic deployment rules (ADRs) rather than adding new updates to an existing software update group
    – typically, you use ADRs to deploy monthly software updates

Configure alerting on detection of
– anomalous command execution, e.g., “vssadmin.exe Delete Shadows /All /Quiet”
– unusual administrative tool use within SIEM, e.g., PsExec, net commands
– privileged and service account monitoring
– obfuscated commands, see something obfucated? it can’t be good

PsExec spotlight:
– The service PSEXESVC will be installed on the remote system
  – 4697 and/or 7045 event log entry
    – Note, the 4697 event, if available, may also contain account information
  – may also have 4624 and/or 4625 Windows Event log entries, capturing the logon events of the tool usage.
– SIEM search

Application Compatibility Cache / RecentFileCache.bcf
– evidence of program execution in the Application Compatibility Cache (“AppCompat”) and/or Amcache,
  – replaces the RecentFileCache.bcf in newer Windows operating systems

Last note on the topic of ‘external providers’ or contractors, non-exhaustive considerations:
– their need to following org policy
– what access into Enterprise they have
– their skill level

*Reading List*
Emotet:   https://attack.mitre.org/software/S0367/
Trickbot: https://attack.mitre.org/software/S0266/
PsExec:   https://attack.mitre.org/software/S0029/

*Further reading*


AusCERT as a non-profit organisation aims to help all, and it is also my personal hope that this post will serve to empower Australians, even if in a small way.  Arriving during Stay Smart Online Week (7-13 October), it’s my pleasure to make this post to support the community, and their efforts in reversing or recovering from cybercrime.  For more information about Stay Smart Online week, please visit the dedicated Australian government website (see further reading).

This post has been formed from a wide range of articles, blogs and publications (see reading list) and curious readers are encouraged to dig further if interested.  I will also highlight the important and informative efforts that those varying industry author groups or organisations have made, and continue to make. All efforts are critical in understanding the specific and evolving threats, and research made towards mitigation steps, or methodology formation.  

Stay safe and stay smart!


Colin Chamberlain CISSP, GCFA, eCTHP
Senior Information Security Analyst