{"id":88547,"date":"2020-02-13T15:27:14","date_gmt":"2020-02-13T09:57:14","guid":{"rendered":"https:\/\/blogs.quickheal.com\/?p=88547"},"modified":"2020-02-13T15:27:14","modified_gmt":"2020-02-13T09:57:14","slug":"deep-dive-wakeup-lan-wol-implementation-ryuk","status":"publish","type":"post","link":"https:\/\/www.quickheal.com\/blogs\/deep-dive-wakeup-lan-wol-implementation-ryuk\/","title":{"rendered":"A Deep Dive Into Wakeup On Lan (WoL) Implementation of Ryuk"},"content":{"rendered":"

Quick Heal Security Labs recently came across a variant of Ryuk Ransomware which contains an additional feature of identifying and encrypting\u00a0systems\u00a0in a Local Area Network (LAN). This sample targets the systems which are present in sleep as well as the online state in the LAN. This sample is packed with a custom packer. The final unpack routine which extracts the payload of Ryuk Ransomware is as shown below.<\/p>\n

\"\"
Fig 1:Final Unpack Routine<\/figcaption><\/figure>\n

 <\/p>\n

The payload contains two stages of the decryption routine. Basically, 1st<\/sup> stage is the input to 2nd<\/sup> stage and starts with decrypt \u201cadvapi32.dll\u201d obfuscated string and its related function names such as CryptCreateHash, CryptHashData, CryptDestroyHash to reverse md5 hash of \u201c5d65e9cb5bc2a9b609299d8758d915ab\u201d which is hardcoded in the file.<\/p>\n

\"\"
Fig 2:De-obfuscation of 1st stage obfuscated string<\/figcaption><\/figure>\n
\"\"
Fig 3:After de-obfuscation<\/figcaption><\/figure>\n

The reverse md5 lookup of 5d65e9cb5bc2a9b609299d8758d915ab is 1560ddd.<\/span>During reverse md5 lookup process sample takes high processor utilization, as malware tries to calculate the md5 hash of each value from 0 to 1560ddd and compare it with 5d65e9cb5bc2a9b609299d8758d915ab.<\/span><\/p>\n

\u00a0<\/span>\u201c1560ddd\u201d as an input to the below mathematical function which will generate 2nd<\/sup>\u00a0stage key stack and is used to de-obfuscate all the strings used in payload, while 1st<\/sup>\u00a0stage key stack already presents in the file.<\/span><\/p>\n

\"\"
Fig 4:Generation of Stage-2 key stack<\/figcaption><\/figure>\n

We have used IDA python to decrypt all obfuscated strings and rename window APIs, function names for better static analysis of payload as shown in below fig.<\/p>\n

\"\"
Fig 5:Part of Obfuscated and De-Obfuscate strings<\/figcaption><\/figure>\n

 <\/p>\n

\"\"
Fig 6:After Renaming APIs and Obfuscate Strings<\/figcaption><\/figure>\n

 <\/p>\n

Execution Part:<\/strong><\/p>\n

After resolution of APIs and their related functions, it will check for the command line argument (CLA) to be \u201c8\u201d and \u201cLAN\u201d. If not, then it drops its self-copy in the current location with a random filename and executes it by invoking \u201cShellExecuteW\u201d.<\/p>\n

\"\"
Fig 7:Child Process Created with CLA \u201c8 LAN\u201d<\/figcaption><\/figure>\n

The above command-line arguments are an interesting part of the Ryuk variant i.e. Wake on Lan (WoL). It is a hardware feature that allows a computer to be turned ON or awakened by a network packet. The packet is usually sent to the target computer by a program executed on a device connected to the same LAN. This feature is used for administrative functions that want to push system updates or to execute some scheduled tasks when the system is awakened. For sending WoL Packets, it collects system ARP (Address Resolution Protocol) table by calling GetIpNetTable, then extract IPv4 address from ARP structure and then send WoL packets for each valid IP address entry.<\/p>\n

\"\"
Fig 8:Extracting ARP Table of System<\/figcaption><\/figure>\n

 <\/p>\n

\"\"
Fig 9:Structure Of ARP Table<\/figcaption><\/figure>\n

 <\/p>\n

We can get the ARP entry of a system by executing \u201cARP -A\u201d in cmd.After extracting a valid IPv4 address, it will send the magic packet to the target host. This packet is sent over the User Datagram Protocol (UDP) socket with socket option SO_BROADCAST using destination port 7. The WoL magic packet starts with FF FF FF FF FF FF followed by target\u2019s computer MAC address.<\/p>\n

\"\"
Fig 10:Magic Packet for WoL<\/figcaption><\/figure>\n
\"\"
Fig 11:Magic Packet for WoL Implemented by Ryuk<\/figcaption><\/figure>\n

After successful in WoL operation, it tries to mount the remote device c$\/administrative share \u2014 if it can mount the share, it will then proceed to encrypt remote host\u2019s drive. But before the start of encryption, it checks whether it is running inside VM or not by enumerating process and services.<\/p>\n

\"\"
Fig 12:Enumerate Process and Service for Checking Virtual Machines<\/figcaption><\/figure>\n

It will then proceed for importing the RSA 2048-bit Public key hardcoded in the file and deleting the shadow copy by invoking \u201cWMIC\u201d and \u201cvssadmin\u201d as shown in below fig.<\/p>\n

\"\"
Fig 13:Importing RSA Public Key and Deleting Shadow Copy<\/figcaption><\/figure>\n

It has also tried to move laterally to other hosts in the network by checking the IP address assigned to the system.Once the IPv4 Address belongs to the range of 172.16. or 192.168. (Private IPv4 addresses typically assigned in LAN environment), it will then send the \u201cIcmpEchoRequest\u201d packet using the \u201cIcmpSendEcho\u201d API to target IPv4 address, instead of using the native ping command.<\/p>\n

If it has access to that host\/system which is available online in LAN, it will encrypt those systems as well. For the encryption process, it has used a combination of RSA-2048 bit and AES-256-bit, it will generate different AES keys for each file using the \u201cCryptGenKey\u201d API.<\/p>\n

\"\"
Fig 14:Generating AES 256 bit Using CryptGenKey<\/figcaption><\/figure>\n

 <\/p>\n

After file encryption it will write marker \u201cHERMES\u201d in the file, to identify if the file has encrypted or not. Ryuk is the successor to Hermes Ransomware as they have a similarity in most of its implementation. It will append the encrypted AES key in Microsoft SIMPLEBLOB format to the footer of the file.<\/p>\n

\"\"
Fig 15:Encrypted File Structure<\/figcaption><\/figure>\n

Conclusion:<\/strong><\/p>\n

By using WoL and Ping scanning APIs to wake up the system and move laterally in-network, Ryuk has tried to encrypt the maximum number of systems. These features signify the focus of this ransomware to increase its monetization by infecting as many systems as possible.<\/p>\n

Ryuk was initially associated with the APT Group and remained undetected for months\u00a0\u00a0and one day it evolves\u00a0 to encrypt all network devices, and now with WoL, it wakes up the system in LAN to increase its success of encrypting a larger number of systems.<\/p>\n

How Quick Heal protects its users from such attacks:<\/strong><\/p>\n

Quick Heal products are built with the following multi-layered security that helps counter such attacks.<\/p>\n

\u00a0 \u00a0 1. Anti-Ransomware<\/strong><\/p>\n

Specially designed to counter ransomware attacks, this feature detects ransomware by tracking its execution sequence.<\/p>\n

\u00a0 \u00a0 2. Firewall<\/strong><\/p>\n

Blocks malicious attempts to breach network connections.<\/p>\n

\u00a0 \u00a0 3. IDS\/IPS<\/strong><\/p>\n

Detects RDP brute force attempts and blocks the remote attacker IP for a defined period.<\/p>\n

\u00a0 \u00a0 4.Virus Protection<\/strong><\/p>\n

Online virus protection service detects the known variants of the ransomware.<\/p>\n

\u00a0 \u00a0 5. Behaviour-based Detection System<\/strong><\/p>\n

Tracks the activity of executable files and blocks malicious files.<\/p>\n

\u00a0 \u00a0 6. Back-Up and Restore<\/strong><\/p>\n

Helps you take regular backups of your data and restore it whenever needed.<\/p>\n

IoC:<\/strong><\/p>\n

987336D00FDBEC3BCDB95B078F7DE46F<\/p>\n

Detection name:<\/strong><\/p>\n

Trojan.HermezRI.S10666632<\/p>\n

 <\/p>\n

 <\/p>\n","protected":false},"excerpt":{"rendered":"

Quick Heal Security Labs recently came across a variant of Ryuk Ransomware which contains an additional feature of identifying and encrypting\u00a0systems\u00a0in a Local Area Network (LAN). This sample targets the systems which are present in sleep as well as the online state in the LAN. This sample is packed with a custom packer. The final […]<\/p>\n","protected":false},"author":68,"featured_media":88548,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1671,171,910],"tags":[49,50],"class_list":["post-88547","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-encryption","category-enterprise","category-ransomware","tag-malware","tag-ransomware"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/88547"}],"collection":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/users\/68"}],"replies":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/comments?post=88547"}],"version-history":[{"count":20,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/88547\/revisions"}],"predecessor-version":[{"id":88586,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/88547\/revisions\/88586"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media\/88548"}],"wp:attachment":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media?parent=88547"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/categories?post=88547"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/tags?post=88547"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}