{"id":86736,"date":"2018-08-28T18:37:23","date_gmt":"2018-08-28T13:07:23","guid":{"rendered":"https:\/\/blogs_admin.quickheal.com\/?p=86736"},"modified":"2018-08-28T18:37:23","modified_gmt":"2018-08-28T13:07:23","slug":"new-ransomware-campaign-wildryuk","status":"publish","type":"post","link":"https:\/\/www.quickheal.com\/blogs\/new-ransomware-campaign-wildryuk\/","title":{"rendered":"A new ransomware campaign in the wild,Ryuk!!"},"content":{"rendered":"

Recently, Quick Heal Security Labs observed a new destructive ransomware named \u2018Ryuk.<\/strong> Ransomware\u2019. This ransomware campaign has already affected many users worldwide and seems to be a spear phishing attack. The compelling thing, it encrypts victim files without appending any extension but making files unreadable.<\/p>\n

Ryuk uses robust military algorithms such as \u2018RSA4096\u2019 and \u2018AES-256\u2019 to encrypt files. We have seen that the infection vector of this ransomware is exploit kits and spam emails. This ransomware demands a ransom ranging from 15 BTC to 50 BTC in the form of Bitcoin to decrypt the files.<\/p>\n

Technical Analysis:<\/strong><\/p>\n

After execution of the mother file, it dropped following files<\/p>\n\n\n\n\n\n
C:\\Users\\Public\\public<\/td>\nUsed to hold RSA public key.<\/td>\n<\/tr>\n
C:\\Users\\Public\\ UNIQUE_ID_DO_NOT_REMOVE<\/td>\nUsed to hold hardcoded key.<\/td>\n<\/tr>\n
C:\\Users\\Public\\windows.bat<\/td>\nUsed to delete shadow volumes and backup files.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

\"\"<\/p>\n

Fig 1: Batch file containing the commands to delete the shadow copies and backup files.<\/p>\n

The next step is that it executes taskkill<\/em> and net<\/em> commands to kill more than 40 processes and terminates around 180 majorly required services in the machine. Following snippets shows the details<\/p>\n

\"\"<\/p>\n

Fig 2: Execution of taskkill to <\/em>kill processes<\/p>\n

\"\"<\/p>\n

Fig 3: Execution of net to <\/em>terminate services<\/p>\n

From further analysis, we have found that the terminated processes and services are mainly associated with the database, antivirus, backup and document editing software.<\/p>\n

Following snippet shows some of the processes and services it kills.<\/p>\n

\"\"<\/p>\n

Fig 4: List of killed processes and services<\/p>\n

The Ryuk Ransomware uses below command to create run registry to gain persistence even after the system is restarted as shown in the below snippet<\/p>\n

\"\"<\/p>\n

Fig 5: Registry entry created at Run<\/em><\/p>\n

From the analysis, Ryuk is found to be performing memory code injection. For this, it uses \u2018openprocess<\/em>\u2019 <\/em>to get the handle on target process and using \u2018VirtualAllocEx<\/a>\u2019, <\/em>it creates buffer inside its address space.<\/p>\n

The allocated memory size is of the same size of malware image. It then writes into the allocated memory using \u2018WriteProcessMemory\u2019 <\/em>API and creates a Remote thread into the targeted virtual address space using \u2018CreateRemoteThread<\/a><\/em>\u2019 API.<\/p>\n

Following IDA pro snippet shows us the code flow used to perform memory injection.<\/p>\n

\"\"<\/p>\n

Fig 6: code flow used to perform memory injection<\/p>\n

Ryuk ransomware encrypts each local drive except the locations which are hardcoded in it. this white list includes \u2018Windows\u2019, \u2018Mozilla\u2019, \u2018Chrome\u2019, \u2018RecycleBin\u2019 etc.<\/p>\n

It also tries to encrypt shared systems on the network.<\/p>\n

It had dropped two ransom notes, one is short and the other is in depth as shown below<\/p>\n

\"\"<\/p>\n

Fig 7: Ransom Note in depth<\/p>\n

How Quick Heal protects its users from the Ryuk Ransomware<\/strong><\/p>\n

Quick Heal successfully blocks Ryuk ransomware with the following protection layers:<\/p>\n

    \n
  1. Virus Protection<\/li>\n
  2. Behavior-based Detection<\/li>\n
  3. Anti-Ransomware<\/li>\n<\/ol>\n

    \"\"<\/p>\n

    Fig 8: Behavior Detection<\/p>\n

    \"\"<\/p>\n

    Fig 9: Anti-Ransomware Module<\/p>\n

    How to stay safe from ransomware attacks:<\/strong><\/p>\n

      \n
    • Always take a backup of your important data in external drives like HDD and pen drives. Consider using a reliable Cloud service to store the data.<\/li>\n
    • Do not install any freeware or cracked versions of any software.<\/li>\n
    • Do not open any advertisement pages shown on websites without knowing that they are genuine.<\/li>\n
    • Disable macros while using MS Office.<\/li>\n
    • Update your antivirus to protect your system from unknown threats.<\/li>\n
    • Do not click on links or download attachments in emails from unexpected, unknown or unwanted sources.<\/li>\n<\/ul>\n

      Indicators of compromise:<\/strong><\/p>\n

      8d3f68b16f0710f858d8c1d2c699260e6f43161a5510abb0e7ba567bd72c965b<\/p>\n

      Subject matter experts: –<\/strong><\/p>\n

      Shashikala Halagond, Priyanka Dhasade, Poonam Dongare | Quick Heal Security Labs<\/p>\n","protected":false},"excerpt":{"rendered":"

      Recently, Quick Heal Security Labs observed a new destructive ransomware named \u2018Ryuk. Ransomware\u2019. This ransomware campaign has already affected many users worldwide and seems to be a spear phishing attack. The compelling thing, it encrypts victim files without appending any extension but making files unreadable. Ryuk uses robust military algorithms such as \u2018RSA4096\u2019 and \u2018AES-256\u2019 […]<\/p>\n","protected":false},"author":39,"featured_media":86750,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[163,152,22,50,47],"class_list":["post-86736","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-cyber-crime","tag-cyberespionage","tag-email-malware","tag-ransomware","tag-security"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/86736"}],"collection":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/users\/39"}],"replies":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/comments?post=86736"}],"version-history":[{"count":4,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/86736\/revisions"}],"predecessor-version":[{"id":86749,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/86736\/revisions\/86749"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media\/86750"}],"wp:attachment":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media?parent=86736"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/categories?post=86736"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/tags?post=86736"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}