Security firms claim that the recently discovered Ryuk ransomware, been active since at least December 2017, have proven to be highly successful at soliciting large ransom payments from victim organizations.
FireEye says that interactive deployment of ransomware, such as this, allows an attacker to perform valuable reconnaissance within the victim network and identify critical systems to maximize their disruption to business operations, ultimately increasing the likelihood an organization will pay the demanded ransom. These operations have reportedly netted about $3.7 million in current BTC value, according to FireEye.
Security firm CrowdStrike seperately confirms that Ryuk infects large enterprises as much as a year after they were initially infected by separate malware, which in most cases is a trojan known as Trickbot. TrickBot is typically distributed either via spam email or, through the use of the Emotet (developed and operated by MUMMY SPIDER) geo-based download function. Victims were identified in the U.K., the U.S., and Canada.
According to CrowdStrike, some of TrickBot’s modules (such as pwgrab) could aid in recovering the credentials needed to compromise environments — the SOCKS module in particular has been observed tunneling PowerShell Empire traffic to perform reconnaissance and lateral movement. Through CrowdStrike IR engagements, GRIM SPIDER, a sophisticated eCrime group, has been observed performing the following events on the victim’s network, with the end goal of pushing out the Ryuk binary:
- An obfuscated PowerShell script is executed and connects to a remote IP address.
- A reverse shell is downloaded and executed on the compromised host.
- PowerShell anti-logging scripts are executed on the host.
- Reconnaissance of the network is conducted using standard Windows command line tools along with external uploaded tools.
- Lateral movement throughout the network is enabled using Remote Desktop Protocol (RDP).
- Service User Accounts are created.
- PowerShell Empire is downloaded and installed as a service.
- Lateral movement is continued until privileges are recovered to obtain access to a domain controller.
- PSEXEC is used to push out the Ryuk binary to individual hosts.
- Batch scripts are executed to terminate processes/services and remove backups, followed by the Ryuk binary.
Hermes ransomware, the predecessor to Ryuk, was first distributed in February 2017. Only one month after its release, a decryptor was written for Hermes, followed by the release of version 2.0 in April 2017, which fixed vulnerabilities in its cryptographic implementation. Since this release, the only way for a victim to recover files is with the private encryption key, which is obtained by paying the ransom. In late August 2017, Hermes version 2.1 was released.
Hermes was originally sold on forums for $300 USD. When purchased, the buyer received a build that supported two email addresses, a decryptor and a unique RSA key pair. If the purchaser desired more email addresses, they were required to purchase another build for an additional $50. The seller of Hermes ransomware appears to have stopped or limited advertising on forums in 2017.
Early versions of Hermes were reportedly installed via internet-accessible RDP servers protected by weak credentials. In October 2017, Hermes was deployed as a destructive distraction for a Society for Worldwide Interbank Financial Telecommunication (SWIFT) compromise at the Far Eastern International Bank (FEIB) in Taiwan. In March 2018, Hermes was observed targeting users in South Korea via the GreenFlash Sundown exploit kit.
In mid-August 2018, a modified version of Hermes, dubbed Ryuk, started appearing in a public malware repository.
The security firms said that Ryuk is the product of North Korean actors. CrowdStrike claims that it has medium-high confidence that the attackers behind Ryuk operate out of Russia.
Throughout 2018, FireEye observed an increasing number of cases where ransomware was deployed after the attackers gained access to the victim organization through other methods, allowing them to traverse the network to identify critical systems and inflict maximum damage. SamSam operations, which date back to late 2015, were arguably the first to popularize this methodology. FireEye Intelligence expects that these operations will continue to gain traction throughout 2019 due the success these intrusion operators have had in extorting large sums from victim organizations.