Ryuk Ransomware | Intel 471

Ryuk Ransomware

Apr 02, 2021

OVERVIEW

Ryuk is a prolific and dangerous ransomware strain that was first observed in mid-August 2018. Ryuk is known to be a derivative of the commercially available HERMES ransomware.

The ransomware uses the Windows Crypto API for encryption and encrypts files with the AES-256 algorithm.

The ransomware avoids encrypting files with the following file extensions:

.dll, .lnk, .hrmlog, .ini, .exe

The ransomware will also attempt to encrypt any attached network shares.

TARGETING

Ryuk operations are suspected to be carried out by an actor that CrowdStrike refers to as WIZARD SPIDER. The actor is known for employing a tactic referred to as "Big Game Hunting", the routine targeting of very large enterprise organizations.

DELIVERY

Ryuk has been observed being delivered using the following methods:

  • Malicious Spam (malspam) - this is extremely widely distributed spam with malicious links or attachments. These messages often feature untargeted, highly generalized lure content. Malspam is often generated by various botnets or other malware infections as a means of propagating themselves further.
  • Phishing - these are broadly distributed messages, though often sent with target(s) in mind, containing lure content that has malicious links or attachments. Targeting will likely be based on broad characteristics (e.g. a country, region, or users of a specific online service).
  • Secondary Infection - this is when another piece of malware, upon successful compromise of a system, downloads the indicated payload and executes it. This may be done on a commercial basis (e.g. an actor pays to have their payload deployed) or it may be done to enable freedom of movement for the initial actor (such as deploying a keylogger in order to gather credentials).

INSTALLATION

The Ryuk dropper has been observed performing a validation against the operating system's MajorVersion.

If the operating system matches Windows 2000, Windows XP, or Windows Server 2003, then the ransomware drops the payload into C:\Documents and Settings\Default User.

If the operating system matches anything other than the above, it drops the executable in C:\Users\Public.

The file will be named using 5 random characters.

Once the dropper has been successfully downloaded and has executed the ransomware payload, it uses the command line to delete itself.

PERSISTENCE

Ryuk has been observed achieving persistence using the HKCU CurrentVersion\Run registry key:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\

The value for the key is set to the dropped executable file detailed in the Installation section.
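
The Installation and Persistence behaviour above can be turned into a hunting check over collected HKCU Run values. The following is an added example, not code from Intel 471: the host names, value names and file names in SAMPLE are constructed, and it assumes the 5 random characters are alphanumeric and may carry an .exe extension.

```python
import ntpath
import re

# Drop directories from the Installation section, lowercased for comparison.
DROP_DIRS = {r"c:\users\public", r"c:\documents and settings\default user"}
# Assumption: the 5 random characters are alphanumeric, optionally with ".exe".
NAME_RE = re.compile(r"^[a-z0-9]{5}(\.exe)?$")
EXE_RE = re.compile(r"(.+?\.exe)(\s|$)", re.IGNORECASE)


def exe_path(run_value):
    """Extract the program path from a Run value's command line."""
    v = run_value.strip()
    if v.startswith('"'):  # quoted path, possibly followed by arguments
        end = v.find('"', 1)
        return v[1:end] if end != -1 else v[1:]
    # Unquoted paths may contain spaces, so cut after the first ".exe".
    m = EXE_RE.match(v)
    return m.group(1) if m else v


def is_suspect(run_value):
    """True if the program sits directly in a drop directory with a 5-char name."""
    path = ntpath.normpath(exe_path(run_value)).lower()
    folder, name = ntpath.split(path)
    return folder in DROP_DIRS and bool(NAME_RE.match(name))


def hunt(entries):
    """entries: (host, value_name, value_data) tuples read from HKCU ...\\Run."""
    return [e for e in entries if is_suspect(e[2])]


# Constructed sample data, standing in for Run values collected from endpoints.
SAMPLE = [
    ("ws-01", "OneDrive", r'"C:\Users\alice\AppData\Local\OneDrive\OneDrive.exe" /background'),
    ("ws-02", "svchos", r"C:\Users\Public\qzkvb.exe"),
    ("ws-03", "upd", r'"C:\Documents and Settings\Default User\Xr7Pd.exe"'),
    ("ws-04", "tool", r"C:\Users\Public\Tools\abcde.exe"),  # subfolder, not the drop dir
    ("ws-05", "inst", r"C:\Users\Public\installer.exe"),    # name is not 5 characters
]

if __name__ == "__main__":
    for host, name, data in hunt(SAMPLE):
        print(f"{host}: Run value {name!r} -> {data}")
```

The name test is only a shape check, so a legitimate five-letter file such as setup.exe in C:\Users\Public would also match; treat hits as leads for triage rather than confirmed detections.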