Threat Analysis Unit

VMware Carbon Black TAU: Ryuk Ransomware Technical Analysis

UPDATE (March 25th, 2020): VMware Carbon Black’s Managed Detection service and Threat Analysis Unit identified a new Ryuk sample that exhibited artifacts which had not been identified in the original article. This article has been updated with the new Ryuk sample artifacts.

Ryuk Ransomware has recently been crippling both the public and private sectors through its ability to disrupt its target environments. The ransomware is typically dropped onto a system that has already been compromised by Trickbot or Emotet through a phishing email. Once the Ryuk payload has been successfully dropped and executed, it encrypts the system’s files and then demands a ransom payment to decrypt the victim’s data. Ryuk Ransomware is known for targeting enterprise organizations with the intention of demanding higher payments for the decryption key. An example of the Ryuk ransom note can be seen in Figure 1.



Figure 1, Ryuk Ransom Note

Technical Analysis of Ryuk Ransomware

VMware Carbon Black’s Managed Detection service and Threat Analysis Unit have observed the following Ryuk Ransomware behaviors being executed in our clients’ environments.

Data Encryption

Ryuk Ransomware uses either an RSA 4096-bit key or an AES 256-bit key to encrypt files, appending the extension ‘.ryk’. Ryuk avoids encrypting any ‘dll’, ‘lnk’, ‘hrmlog’, ‘ini’, or ‘exe’ file using the hardcoded settings seen in Figure 2. Ryuk Ransomware also does not encrypt the following locations:

  • Windows System32
  • Chrome
  • Mozilla
  • Internet Explorer
  • Recycle Bin

Figure 2, Allowlisted Extensions

Inhibit System Recovery

It is not uncommon for ransomware to attempt to prevent data recovery by deleting or disabling shadow copies, and this behavior was exhibited in the Ryuk sample in Figure 3. The first command, ‘vssadmin Delete Shadows /all /quiet’, deletes all shadow copies without the user being aware. The ‘vssadmin resize shadowstorage’ command forces the shadow copies to be deleted. In this case ‘vssadmin resize shadowstorage’ is set to delete all shadow copies with a maximum size of ‘401 MB’, using all available disk space, as seen in Figure 3.

Figure 3, Disassembly of Ryuk sample showing Vssadmin instructions

The following commands were exhibited in a new Ryuk sample and had not been seen in the previous samples. The first command leverages the Windows Management Instrumentation Command-line (WMIC.exe) to delete the shadow copies. This behavior is not uncommon, as malware authors use ‘Living off the Land’ tactics such as this to help in delivering malware. The second command leverages vssadmin.exe to delete the shadow copies. The third command utilizes the Boot Configuration Data command-line tool (BCDEdit) to disable automatic repairs to the system, which helps in preventing the malware from being able to run (Figure 4).

Figure 4, shadow copy commands exhibited in the new Ryuk sample
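A defender-side detection for the recovery-inhibition commands described above (the vssadmin, WMIC and BCDEdit variants, plus the BootStatusPolicy change listed later under Other Artifacts), as an added example that is not code from the original article or from the Ryuk sample. The process-creation events are constructed, and argument forms such as ‘/for=c: /on=c:’ and ‘{default} recoveryenabled no’ are assumed common usage rather than values taken from Figure 3 or Figure 4.

```python
import re

# Constructed process-creation events (not taken from the sample); each is a
# command line as it would appear in EDR telemetry. Argument forms such as
# /for=c: /on=c: and {default} recoveryenabled no are assumed common usage.
SAMPLE_EVENTS = [
    "vssadmin Delete Shadows /all /quiet",
    "vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB",
    "vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded",
    '"C:\\Windows\\System32\\wbem\\WMIC.exe" shadowcopy delete',
    "bcdedit /set {default} recoveryenabled no",
    "bcdedit /set {default} bootstatuspolicy ignoreallfailures",
    "vssadmin list shadows",                       # benign: must not fire
    "notepad.exe C:\\Users\\analyst\\notes.txt",   # benign: must not fire
]

# Each rule is (label, regex over the normalized command line).
RULES = [
    ("vssadmin delete shadows", r"^vssadmin(\.exe)? delete shadows\b"),
    ("vssadmin resize shadowstorage", r"^vssadmin(\.exe)? resize shadowstorage\b.*/maxsize="),
    ("wmic shadowcopy delete", r"^wmic(\.exe)? shadowcopy delete\b"),
    ("bcdedit disable automatic repair", r"^bcdedit(\.exe)? /set\b.*\brecoveryenabled no\b"),
    ("bcdedit ignore boot failures", r"^bcdedit(\.exe)? /set\b.*\bbootstatuspolicy ignoreallfailures\b"),
]

def normalize(cmdline: str) -> str:
    """Lower-case the line, collapse whitespace and strip the directory and
    quotes from the image name, so rules match regardless of where the binary
    was launched from or how its path was quoted."""
    tokens = cmdline.split()
    if not tokens:
        return ""
    exe = tokens[0].strip('"').replace("/", "\\").rsplit("\\", 1)[-1]
    return " ".join([exe, *tokens[1:]]).lower()

def classify(cmdline: str):
    """Return the label of the first matching rule, or None if nothing fires."""
    line = normalize(cmdline)
    for label, pattern in RULES:
        if re.search(pattern, line):
            return label
    return None

def scan(events):
    """Return (command line, label) for every event that matches a rule."""
    return [(e, classify(e)) for e in events if classify(e)]

if __name__ == "__main__":
    for cmd, label in scan(SAMPLE_EVENTS):
        print(f"{label:34} <- {cmd}")
```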

Process/Service Stop

Ryuk creates and leverages a batch file, ‘kill.bat’, to kill processes and to stop, disable and uninstall services, as seen in Figure 5. It should be noted that this batch file includes commands that leverage PowerShell as a method to uninstall Windows Defender. VMware Carbon Black Endpoint Standard (formerly known as CB Defense) alerts on such tactics, as seen in Figure 6.

Figure 5, Sample of commands in the kill.bat

Figure 6, VMware Carbon Black Endpoint Standard redacted alert for ‘kill.bat’

When the Ryuk sample was disassembled, it was observed to contain both ‘/IM [process name] /F’ and ‘stop [process name] /y’ commands. The ‘/IM [process name] /F’ commands listed a variety of processes related to Backup, Browser, Database, Email, Gaming, Miscellaneous Services, Microsoft Office and Word Processing Applications, and Security Protection. Examples of the observed ‘/IM [process name] /F’ commands are shown in Figure 7; the full list can be found at the end of the article. It was also observed that when the Ryuk sample ran, it utilized net.exe and net1.exe to execute the ‘/IM [process name] /F’ commands.

Figure 7, Observed ‘/IM [process name] /F’ and ‘stop [process name] /y’ commands in the Ryuk sample
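An added example (not code from the article or from the sample) that treats the kill list as a behavioral signal rather than a set of single-event alerts: it pulls the target out of each ‘/IM [process name] /F’ and ‘stop [process name] /y’ command in a stream of constructed process events, maps it to the categories used in the list at the end of this article, and fires only when backup and security tooling are both hit. It assumes the ‘/IM … /F’ arguments belong to taskkill and ‘stop … /y’ to net.exe/net1.exe; the category sets are a small hand-picked slice of the full list.

```python
import re
from collections import Counter

# Small slice of the categorized list at the end of this article, lower-cased
# for matching; a real deployment would load the full list.
CATEGORIES = {
    "backup":   {"sqbcoreservice.exe", "zoolz.exe", "veeambackupsvc",
                 "backupexecjobengine", "wbengine"},
    "security": {"mbamtray.exe", "ntrtscan.exe", "sophos agent",
                 "mcshield", "savservice"},
}

# Assumed: "/IM <name> /F" is taskkill syntax, "stop <name> /y" is net stop.
TASKKILL = re.compile(r'\btaskkill(?:\.exe)?\s+/im\s+"?([^"\s]+)"?\s+/f\b', re.I)
NETSTOP = re.compile(r'\bnet1?(?:\.exe)?\s+stop\s+("[^"]+"|\S+)\s+/y\b', re.I)

# Constructed kill.bat-style events (not taken from the sample).
SAMPLE_EVENTS = [
    "taskkill /IM sqbcoreservice.exe /F",
    "taskkill /IM mbamtray.exe /F",
    'net stop "Sophos Agent" /y',
    "net1 stop VeeamBackupSvc /y",
    "net stop SamSs /y",            # in the article's suspicious list, no category here
    "taskkill /IM notepad.exe /F",  # neither backup nor security tooling
]

def extract_target(cmdline: str):
    """Return the process or service name a kill/stop command targets, or None."""
    m = TASKKILL.search(cmdline) or NETSTOP.search(cmdline)
    return m.group(1).strip('"').lower() if m else None

def categorize(target: str) -> str:
    for name, members in CATEGORIES.items():
        if target in members:
            return name
    return "other"

def assess(cmdlines, threshold: int = 3):
    """Count targets per category; fire only when backup AND security tooling
    are both hit and at least `threshold` kills were seen in total, which is
    the kill.bat pattern rather than an admin stopping a single service."""
    counts = Counter()
    for line in cmdlines:
        target = extract_target(line)
        if target:
            counts[categorize(target)] += 1
    fired = counts["backup"] > 0 and counts["security"] > 0 \
        and sum(counts.values()) >= threshold
    return fired, dict(counts)

if __name__ == "__main__":
    print(assess(SAMPLE_EVENTS))  # (True, {'backup': 2, 'security': 2, 'other': 2})
```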

Persistence

To remain persistent on the host, a Registry Run key named ‘svchos’ is created under ‘HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run’, with its value set to the path of the Ryuk executable, as seen below in Figure 8.

Figure 8, Disassembly of Ryuk Sample showing Registry Run Key

Process Enumeration & DLL Injection

To inject the Ryuk payload into another process, the malware must write the path to its malicious DLL into the virtual address space of that process and create a remote thread in it. To do this it must first identify a target process for injection using the following API calls: ‘CreateToolhelp32Snapshot’ (creates a snapshot of processes, heaps, threads, and modules), ‘Process32First’ (retrieves information about the first process in the snapshot) and ‘Process32Next’ (called in a loop to walk the remaining processes in the snapshot), as shown in Figure 9.

Figure 9, Disassembly of Process Enumeration

Once the malware has selected its target process for injection, it uses ‘OpenProcess’ to obtain a handle to the target. It allocates space for the injection using ‘VirtualAllocEx’, writes the malicious payload using ‘WriteProcessMemory’ and finally starts the remote thread using ‘CreateRemoteThread’ (shown in Figure 10). However, it avoids injecting into ‘explorer.exe’, ‘lsass.exe’, and ‘crss.exe’.

Figure 10, Disassembly of Process Injection

Other Artifacts

  • Ryuk is copied as an executable with the string ‘8 LAN’ as its command-line argument, as seen in Figure 11 and Figure 12. This artifact demonstrates that the malware attempts to use the ‘Wake-on-LAN’ feature to turn on powered-off devices in order to spread the ransomware.

Figure 11, VMware Carbon Black Endpoint Standard alert showing command-line argument

Figure 12, New Ryuk sample exhibiting similar command

  • Ryuk drops a copy of PsExec as a mechanism to gain remote access and copy Ryuk to other systems, as seen in Figure 13 and Figure 14. PsExec is a portable tool that allows processes to be run remotely.

Figure 13, VMware Carbon Black Endpoint Standard redacted alert showing PsExec being dropped

Figure 14, VMware Carbon Black Endpoint Standard redacted alert showing PsExec being used to copy Ryuk to a remote system

  • Ryuk leverages the native Microsoft Windows command-line utility icacls as a ‘Living off the Land’ technique to grant full access to Everyone on the “C:\” and “D:\*” locations (Figure 15). This gives the malware access to potential locations to encrypt and to spread to.

Figure 15, VMware Carbon Black Endpoint Standard alert showing icacls command

  • Ryuk leverages the BootStatusPolicy to ignore all boot failures when starting Windows in an attempt to avoid detection (Figure 16).

Figure 16, VMware Carbon Black Endpoint Standard alert showing BootStatusPolicy command

Future of Ryuk Ransomware

There are no indications that Ryuk Ransomware attacks will slow down. Companies must proactively enforce good security practices in both prevention and detection. Attention should also be paid to preventing phishing emails from successfully executing.

Customer Protection

VMware’s Carbon Black customers can find policy recommendations in this TAU-TIN article on Ryuk Ransomware attacks and prevention.

Indicators of Compromise (IOCs)

Indicator                                                         Type    Context
e209429fe9c7ef4218c0e5ef46913031c201ae8e47b5784e3c8ff64b3ebab1c8  SHA256  Kill.bat
8d3f68b16f0710f858d8c1d2c699260e6f43161a5510abb0e7ba567bd72c965b  SHA256  Ryuk Ransomware Sample
5cbbf37a1bdcb78f346e94ecca606a661bb49c5c9bb10c99a60ff415e118a482  SHA256  Ryuk Ransomware Sample
7b5ccdf2be802eddc3b62ddf2ec3d204e6ff936248b711a03c28c5c84c6c4e6f  SHA256  New Ryuk Ransomware Sample
https://fdspofsdrtert[.]best:443/aajhDIAHFIEHFI                   Domain  Domain associated with Ryuk Ransomware Sample


Observed ‘/IM [process name] /F’ commands in the Ryuk sample (processes are organized by type)

Backup
/IM sqbcoreservice.exe /F
/IM sqlwriter.exe /F
/IM zoolz.exe /F

Browser
/IM firefoxconfig.exe /F
/IM tbirdconfig.exe /F
/IM thunderbird.exe /F

Database
/IM agntsvc.exe /F
/IM dbeng50.exe /F
/IM dbsnmp.exe /F
/IM isqlplussvc.exe /F
/IM msaccess.exe /F
/IM msftesql.exe /F
/IM mydesktopqos.exe /F
/IM mydesktopservice.exe /F
/IM mysqld-nt.exe /F
/IM mysqld-opt.exe /F
/IM mysqld.exe /F
/IM ocautoupds.exe /F
/IM ocssd.exe /F
/IM oracle.exe /F
/IM sqlagent.exe /F
/IM sqlbrowser.exe /F
/IM sqlservr.exe /F
/IM synctime.exe /F

Email
/IM thebat.exe /F
/IM thebat64.exe /F
/IM xfssvccon.exe /F

Gaming
/IM steam.exe /F

Miscellaneous Services
/IM encsvc.exe /F
/IM ocomm.exe /F

Microsoft Office and Word Processing Applications
/IM excel.exe /F
/IM infopath.exe /F
/IM mspub.exe /F
/IM onenote.exe /F
/IM outlook.exe /F
/IM powerpnt.exe /F
/IM visio.exe /F
/IM winword.exe /F
/IM wordpad.exe /F

Security Protection
/IM CNTAoSMgr.exe /F
/IM mbamtray.exe /F
/IM Ntrtscan.exe /F
/IM PccNTMon.exe /F
/IM tmlisten.exe /F

Observed ‘stop [process name] /y’ commands in the Ryuk sample (services are organized by type)

Backup
stop "Acronis VSS Provider" /y
stop "SQL Backups" /y
stop "SQLsafe Backup Service" /y
stop "SQLsafe Filter Service" /y
stop "Symantec System Recovery" /y
stop "Veeam Backup Catalog Data Service" /y
stop "Zoolz 2 Service" /y
stop AcrSch2Svc /y
stop ARSM /y
stop BackupExecAgentAccelerator /y
stop BackupExecAgentBrowser /y
stop BackupExecDeviceMediaService /y
stop BackupExecJobEngine /y
stop BackupExecManagementService /y
stop BackupExecRPCService /y
stop BackupExecVSSProvider /y
stop bedbg /y
stop MMS /y
stop mozyprobackup /y
stop MSSQL$VEEAMSQL2008R2 /y
stop ntrtscan /y
stop PDVFSService /y
stop SDRSVC /y
stop SNAC /y
stop SQLAgent$VEEAMSQL2008R2 /y
stop SQLWriter /y
stop VeeamBackupSvc /y
stop VeeamBrokerSvc /y
stop VeeamCatalogSvc /y
stop VeeamCloudSvc /y
stop VeeamDeploymentService /y
stop VeeamDeploySvc /y
stop VeeamEnterpriseManagerSvc /y
stop VeeamHvIntegrationSvc /y
stop VeeamMountSvc /y
stop VeeamNFSSvc /y
stop VeeamRESTSvc /y
stop VeeamTransportSvc /y
stop wbengine /y
stop wbengine /y
stop sms_site_sql_backup /y

Database
stop MsDtsServer /y
stop MsDtsServer100 /y
stop MsDtsServer110 /y
stop msftesql$PROD /y
stop MSOLAP$SQL_2008 /y
stop MSOLAP$SYSTEM_BGC /y
stop MSOLAP$TPS /y
stop MSOLAP$TPSAMA /y
stop MSSQL$BKUPEXEC /y
stop MSSQL$ECWDB2 /y
stop MSSQL$PRACTICEMGT /y
stop MSSQL$PRACTTICEBGC /y
stop MSSQL$PROD /y
stop MSSQL$PROFXENGAGEMENT /y
stop MSSQL$SBSMONITORING /y
stop MSSQL$SHAREPOINT /y
stop MSSQL$SQL_2008 /y
stop MSSQL$SQLEXPRESS /y
stop MSSQL$SYSTEM_BGC /y
stop MSSQL$TPS /y
stop MSSQL$TPSAMA /y
stop MSSQL$VEEAMSQL2008R2 /y
stop MSSQL$VEEAMSQL2012 /y
stop MSSQLFDLauncher /y
stop MSSQLFDLauncher$PROFXENGAGEMENT /y
stop MSSQLFDLauncher$SBSMONITORING /y
stop MSSQLFDLauncher$SHAREPOINT /y
stop MSSQLFDLauncher$SQL_2008 /y
stop MSSQLFDLauncher$SYSTEM_BGC /y
stop MSSQLFDLauncher$TPS /y
stop MSSQLFDLauncher$TPSAMA /y
stop MSSQLSERVER /y
stop MSSQLServerADHelper /y
stop MSSQLServerADHelper100 /y
stop MSSQLServerOLAPService /y
stop MySQL57 /y
stop MySQL80 /y
stop OracleClientCache80 /y
stop ReportServer$SQL_2008 /y
stop RESvc /y
stop SQLAgent$BKUPEXEC /y
stop SQLAgent$CITRIX_METAFRAME /y
stop SQLAgent$CXDB /y
stop SQLAgent$ECWDB2 /y
stop SQLAgent$PRACTTICEBGC /y
stop SQLAgent$PRACTTICEMGT /y
stop SQLAgent$PROD /y
stop SQLAgent$PROFXENGAGEMENT /y
stop SQLAgent$SBSMONITORING /y
stop SQLAgent$SHAREPOINT /y
stop SQLAgent$SQL_2008 /y
stop SQLAgent$SQLEXPRESS /y
stop SQLAgent$SYSTEM_BGC /y
stop SQLAgent$TPS /y
stop SQLAgent$TPSAMA /y
stop SQLAgent$VEEAMSQL2008R2 /y
stop SQLAgent$VEEAMSQL2012 /y
stop SQLBrowser /y
stop SQLSafeOLRService /y
stop SQLSERVERAGENT /y
stop SQLTELEMETRY /y
stop SQLTELEMETRY$ECWDB2 /y
stop mssql$vim_sqlexp /y

Microsoft Miscellaneous Services
stop IISAdmin /y
stop NetMsmqActivator /y
stop POP3Svc /y
stop SstpSvc /y
stop UI0Detect /y
stop W3Svc /y
stop "aphidmonitorservice" /y
stop "intel(r) proset monitoring service" /y
stop unistoresvc_1af40a /y
stop audioendpointbuilder /y

Microsoft Office Applications
stop MSExchangeES /y
stop MSExchangeIS /y
stop MSExchangeMGMT /y
stop MSExchangeMTA /y
stop MSExchangeSA /y
stop MSExchangeSRS /y
stop msexchangeadtopology /y
stop msexchangeimap4 /y

Security Protection
stop "Sophos Agent" /y
stop "Sophos AutoUpdate Service" /y
stop "Sophos Clean Service" /y
stop "Sophos Device Control Service" /y
stop "Sophos File Scanner Service" /y
stop "Sophos Health Service" /y
stop "Sophos MCS Agent" /y
stop "Sophos MCS Client" /y
stop "Sophos Message Router" /y
stop "Sophos Safestore Service" /y
stop "Sophos System Protection Service" /y
stop "Sophos Web Control Service" /y
stop AcronisAgent /y
stop Antivirus /y
stop AVP /y
stop DCAgent /y
stop EhttpSrv /y
stop ekrn /y
stop EPSecurityService /y
stop EPUpdateService /y
stop EsgShKernel /y
stop ESHASRV /y
stop FA_Scheduler /y
stop IMAP4Svc /y
stop KAVFS /y
stop KAVFSGT /y
stop kavfsslp /y
stop klnagent /y
stop macmnsvc /y
stop masvc /y
stop MBAMService /y
stop MBEndpointAgent /y
stop McAfeeEngineService /y
stop McAfeeFramework /y
stop McAfeeFrameworkMcAfeeFramework /y
stop McShield /y
stop McTaskManager /y
stop mfefire /y
stop mfemms /y
stop mfevtp /y
stop MSSQL$SOPHOS /y
stop sacsvr /y
stop SAVAdminService /y
stop SAVService /y
stop SepMasterService /y
stop ShMonitor /y
stop Smcinst /y
stop SmcService /y
stop SntpService /y
stop sophossps /y
stop SQLAgent$SOPHOS /y
stop svcGenericHost /y
stop swi_filter /y
stop swi_service /y
stop swi_update /y
stop swi_update_64 /y
stop TmCCSF /y
stop tmlisten /y
stop TrueKey /y
stop TrueKeyScheduler /y
stop TrueKeyServiceHelper /y
stop WRSVC /y
stop vapiendpoint /y

Suspicious / Potentially Malicious
stop EraserSvc11710 /y
stop SamSs /y
stop SMTPSvc /y

Unable to Confirm Application
stop "Enterprise Client Service" /y
stop ReportServer /y
stop ReportServer$SQL_2008 /y
stop ReportServer$SYSTEM_BGC /y
stop ReportServer$TPS /y
stop ReportServer$TPSAMA /y
