LTS Secure Warning: Targeted Ransomware Attack using RYUK
Unlike most ransomware, which is distributed through large-scale spam campaigns and exploit kits, Ryuk is used exclusively in tailored attacks. Its encryption scheme is built for small-scale operations: only the critical assets and resources in each targeted network are encrypted, and distribution and infection are carried out manually by the attackers.
Files on affected devices are encrypted in place, and no new extension is appended to them, so encrypted files keep their original names and extensions while being unreadable. Ryuk uses robust, standard algorithms: AES-256 to encrypt the victim's file contents and RSA-4096 to protect the AES keys.
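Because the encrypted files keep their original names and extensions, extension-based canaries and "look for .encrypted files" rules do not fire. What does change is the statistical shape of the content: ordinary documents sit at roughly 4 to 5 bits of entropy per byte, ciphertext at about 8. The following is an added example (not code from LTS Secure or from the advisory) showing baseline-and-rescan entropy detection that catches an in-place rewrite while ignoring files that are always high-entropy (archives, images). The directory tree, file contents and the "encryption" (random bytes standing in for AES-256 output) are all constructed for the demo.

```python
import math
import os
import secrets
import shutil
import tempfile
from collections import Counter

# Constructed sample content (not a real document): ordinary text sits at
# roughly 4-5 bits of entropy per byte, far below ciphertext's ~8.
PLAINTEXT_SAMPLE = (
    b"Quarterly report: revenue rose 4% in Q3; see attached spreadsheet.\n" * 40
)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for one repeated value, ~8.0 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def snapshot(root: str) -> dict:
    """Map every regular file under root to its current entropy."""
    snap = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                snap[path] = shannon_entropy(f.read())
    return snap


def suspicious_rewrites(before: dict, after: dict,
                        high: float = 7.5, min_jump: float = 1.5) -> list:
    """Files that are now high-entropy AND jumped sharply from their baseline.

    An absolute threshold alone would flag zip/jpeg/office files that are
    always near 8 bits/byte; requiring a jump from the baseline avoids that.
    Files with no baseline (new files) are skipped: there is nothing to compare.
    """
    return sorted(
        path for path, ent_after in after.items()
        if path in before and ent_after >= high and ent_after - before[path] >= min_jump
    )


def simulate_ryuk_style_encrypt(path: str) -> None:
    """Stand-in for the ransomware's write: overwrite in place, keep name and extension.

    The advisory says Ryuk uses AES-256; random bytes from `secrets` have the
    same statistical signature without needing a crypto library. Constructed.
    """
    size = os.path.getsize(path)
    with open(path, "wb") as f:
        f.write(secrets.token_bytes(size))


def demo() -> dict:
    """Baseline a temp tree, 'encrypt' one file in place, re-scan, report."""
    root = tempfile.mkdtemp(prefix="ryuk_entropy_demo_")
    try:
        doc = os.path.join(root, "report.docx")    # name and extension never change
        archive = os.path.join(root, "backup.zip")  # already ~8 bits/byte, untouched
        with open(doc, "wb") as f:
            f.write(PLAINTEXT_SAMPLE)
        with open(archive, "wb") as f:
            f.write(secrets.token_bytes(4096))  # constructed stand-in for compressed data

        before = snapshot(root)
        simulate_ryuk_style_encrypt(doc)
        after = snapshot(root)
        return {
            "doc": doc,
            "archive": archive,
            "before": before[doc],
            "after": after[doc],
            "flagged": suspicious_rewrites(before, after),
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    r = demo()
    print(f"{r['doc']}: {r['before']:.2f} -> {r['after']:.2f} bits/byte")
    print("flagged:", r["flagged"])
```

In production this logic belongs in a file-system watcher (or a periodic scan of the shares the advisory says Ryuk targets) rather than a one-off script; the two-threshold rule is what keeps the alert rate usable, since a share full of backups and images is high-entropy by nature.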
Technical Details
The infection process starts with a malicious spam e-mail carrying a downloader for TrickBot. Once TrickBot is installed, it propagates within the victim's network via two methods:
- The EternalBlue SMB exploit
- Harvested credentials, combined with several lateral-movement modules
TrickBot then begins communicating with a compromised, internet-facing MikroTik router that acts as the C&C server, transmitting instructions to and receiving data from the infected device. Ryuk is then deployed at a randomly determined time.
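Both propagation methods above produce the same network signature: one internal host opening SMB (TCP/445) connections to many distinct internal peers in a short time, followed by outbound traffic to the C&C. The following is an added example (not code from LTS Secure or from the advisory) that runs that detection over constructed firewall-style connection-log lines. The log format, the address ranges treated as internal and the 60-second / 10-target thresholds are all assumptions for the demo; the external address is a stand-in for the compromised router, not a known indicator.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Address ranges this (hypothetical) organisation treats as internal.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("172.16.0.0/12"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Assumed log line shape: "<iso-ts> src=<ip> dst=<ip> dport=<n> proto=<tcp|udp>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def build_sample_log() -> list:
    """Constructed firewall-style connection log (not real traffic)."""
    base = datetime(2019, 1, 10, 9, 0, 0)
    lines = []
    # Benign: one workstation talking to a single file server, once a minute.
    for i in range(5):
        t = base + timedelta(minutes=i)
        lines.append(f"{t.isoformat()} src=10.0.5.40 dst=10.0.5.10 dport=445 proto=tcp")
    # Suspicious: 10.0.5.23 reaches 30 distinct internal hosts on 445 in 30 s ...
    for i in range(30):
        t = base + timedelta(seconds=i)
        lines.append(f"{t.isoformat()} src=10.0.5.23 dst=10.0.5.{50 + i} dport=445 proto=tcp")
    # ... and then calls out to an external address (stand-in for the C&C router).
    t = base + timedelta(seconds=45)
    lines.append(f"{t.isoformat()} src=10.0.5.23 dst=203.0.113.7 dport=443 proto=tcp")
    return sorted(lines)  # ISO timestamps sort chronologically as text


def parse(lines):
    """Yield (timestamp, src, dst, dport); malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"])


def detect_smb_fanout(lines, window=timedelta(seconds=60), min_targets=10) -> dict:
    """Map src -> time it first reached >= min_targets distinct internal hosts
    on TCP/445 within a sliding window. EternalBlue and credential-based SMB
    lateral movement look alike here: one source, many SMB peers, quickly."""
    recent = defaultdict(deque)  # src -> (ts, dst) events still inside the window
    hits = {}
    for ts, src, dst, dport in parse(lines):
        if dport != 445 or not is_internal(dst):
            continue
        q = recent[src]
        q.append((ts, dst))
        while ts - q[0][0] > window:
            q.popleft()
        if src not in hits and len({d for _, d in q}) >= min_targets:
            hits[src] = ts
    return hits


def outbound_after_fanout(lines, fanout: dict) -> dict:
    """For each flagged source, the external (dst, dport) pairs it contacted
    afterwards: candidate C&C traffic that corroborates the fan-out alert."""
    out = defaultdict(list)
    for ts, src, dst, dport in parse(lines):
        if src in fanout and ts >= fanout[src] and not is_internal(dst):
            out[src].append((dst, dport))
    return dict(out)


if __name__ == "__main__":
    log = build_sample_log()
    fanout = detect_smb_fanout(log)
    follow_ups = outbound_after_fanout(log, fanout)
    for src, ts in fanout.items():
        print(f"SMB fan-out from {src} at {ts.isoformat()}; "
              f"external follow-ups: {follow_ups.get(src, [])}")
```

The thresholds need tuning per environment: backup servers, vulnerability scanners and patch-management hosts legitimately fan out on 445 and should be allow-listed by source, otherwise the rule pages on every scan window. The external follow-up check is the cheap corroboration: a workstation that just swept SMB and then opens a session to an unfamiliar internet address is worth isolating before the randomly timed Ryuk deployment lands.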
Impact
- Downtime of business-critical operations
- Loss of productivity
- Loss of access to, and possible permanent damage of, hostage devices, files and data
Recommended Actions
- Keep systems patched and updated (in particular the SMB fix that closes EternalBlue) and perform regular malware scans
- Restrict access to mapped network drives according to role requirements, so a single infected user cannot reach every share
- Store shared files and folders on a separate or third-party system, such as Dropbox or Box, with file versioning enabled so that encrypted copies synced by a client can be rolled back
- End-user awareness and education, since the chain begins with a malicious e-mail