Ryuk ransomware, with self-replicating worm-like features

In early 2021, a new version of Ryuk ransomware burst onto the scene. According to the French National Agency for the Security of Information Systems (ANSSI), the virus retains self-replicating worm-like capabilities. This compounds the criticality of infections.

The worm-like capabilities are achieved “through the use of scheduled tasks”, which enable the malware to self-replicate, “machine to machine- within the Windows domain,” reports CERT-FR, the French government’s cyber security agency. “Once launched, it will thus spread itself on every reachable machine on which Windows RPC accesses are possible”. Remote procedure calls (RPC) permit Windows processes to communicate with one another.

Ryuk ransomware worm containment

To launch the Ryuk ransomware worm, hackers first conduct manual reconnaissance, and determine how to launch an initial “dropper” malware. This is an executable that can be triggered at a later point in time. After this piece of malware is triggered, hackers determine how to escalate their privileges and move laterally through a network.

Once an organization experiences a compromise, it’s typically not possible to stop the attack by sequestering the initial infection point. What’s worse is that the ransomware lacks any exclusion mechanisms. So the ransomware can infect a single machine or organization over and over again. Eliminating this type of ransomware from a system is a challenge.

ANSSI recommends that organizations experiencing the Ryuk ransomware worm change the password or disable the account that the hackers used to enter the system. Admins can then pursue a domain password change through KRBTGT. Found in Active Directory, KRBTGT functions as a service account that operates in conjunction with the Key Distribution Center (KDC) service for Kerberos authentication.

“This would induce many disturbances on the domain- and most likely require many reboots- but would also immediately contain the propagation” says ANSSI. Preventing this type of ransomware from gaining an initial foothold in the ecosystem is key.

Ransomware and automation

The ability to quickly disseminate ransomware from an initial point of infection across an entire system reflects an interest in automating the ransomware propagation process. The hackers aim to reduce the “intrusion to infection” time. They also want to provide greater incentive for organizations to pay their ransomware fees.

Origins of the Ryuk ransomware worm?

Although forensics are under continued investigation, ANSSI suggests that it could be a manipulated version of the Hermes 2.1 source code. Deloitte’s researchers contend that Ryuk may be sold off-the-shelf via the dark web. Once sold, hackers added their own creative twist.

Ryuk first appeared in 2018. Research shows that Ryuk represents one of the most common types of ransomware. In 2020, multiple corporations suffered attacks “without the option to recover their data”. Healthcare groups represent common targets.

Healthcare groups should ensure that their security operations are capable of contending with this type of threat. Information about cyber viruses and healthcare is available here. Further information is available from the US’ National Institute of Standards and Technology (NIST), which you can also access here.

CERT-FR states that it’s unclear as to who is behind Ryuk, and some experts assert that more than one hacker ring may be responsible for its proliferation. Experts believe that Ryuk has generated more than $150 million in illicit gains for cyber attackers.

For more on Ryuk ransomware and ransomware attacks, visit Threatpost.