LTS Secure Warning: Targeted Ransomware Attack using RYUK

Unlike most ransomware, which is distributed through massive spam-mail campaigns and exploit kits, Ryuk is used exclusively for tailored attacks. Its encryption scheme is designed for small-scale operations, so that only the critical assets and resources in each targeted network are infected, with distribution and infection carried out manually by the attackers.

Affected devices have their files encrypted; no extension is appended to the encrypted files, which are left unreadable. Ryuk uses robust algorithms such as AES-256 and RSA-4096 to encrypt its victims' files.

Technical Details

The infection process starts with a malicious spam mail containing a downloader for TrickBot, which, once downloaded, propagates within the victim's network via two methods:

  • Through the EternalBlue SMB exploit
  • Harvested credentials combined with several modules

TrickBot then begins communicating with a compromised, internet-facing MikroTik router that acts as the C&C server, transmitting and receiving instructions for the infected device. It then deploys the Ryuk ransomware at a randomly determined time.
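
The lateral-movement stage above (TrickBot reaching many internal hosts over SMB) is visible in network flow logs as one internal source fanning out to many SMB peers in a short window. The following detector is an added example written for this advisory, not code from LTS Secure; the flow records, the two-minute window and the peer threshold are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow records: "timestamp src dst dport" (not real traffic).
# 10.0.1.15 touches six distinct hosts on TCP/445 within seconds (worm-like fan-out);
# 10.0.1.30 repeatedly talks to a single file server (normal use).
SAMPLE_LOG = """\
2019-01-07T09:00:01 10.0.1.15 10.0.1.20 445
2019-01-07T09:00:02 10.0.1.15 10.0.1.21 445
2019-01-07T09:00:02 10.0.1.15 10.0.1.22 445
2019-01-07T09:00:03 10.0.1.15 10.0.1.23 445
2019-01-07T09:00:04 10.0.1.15 10.0.1.24 445
2019-01-07T09:00:05 10.0.1.15 10.0.1.25 445
2019-01-07T09:05:00 10.0.1.30 10.0.1.5 445
2019-01-07T09:06:00 10.0.1.30 10.0.1.5 445
2019-01-07T09:07:00 10.0.1.31 10.0.1.5 443
"""

def parse_flows(text):
    """Parse whitespace-separated flow lines into (timestamp, src, dst, dport) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return flows

def smb_fanout(flows, window=timedelta(minutes=2), threshold=5):
    """Return {src: peer_count} for sources that reach >= threshold distinct
    hosts on TCP/445 inside any sliding window of the given length."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport == 445:
            by_src[src].append((ts, dst))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            # Distinct SMB peers contacted from this event until the window closes.
            peers = {dst for ts, dst in events[i:] if ts - start <= window}
            if len(peers) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(peers))
    return alerts

if __name__ == "__main__":
    for src, count in smb_fanout(parse_flows(SAMPLE_LOG)).items():
        print(f"ALERT: {src} contacted {count} SMB hosts within one window")
```

Tune the window and threshold to the environment; a host that legitimately scans file shares (backup or inventory systems) should be allow-listed rather than the threshold raised.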

 

Impact

  • Downtime in Business Critical operations
  • Loss in Productivity
  • Damage of hostage devices, files & data

 

Recommended Actions

  • Regularly update systems and perform malware scans
  • Prohibit access to certain mapped drives based on role requirements
  • Use a separate or third-party system, such as Dropbox or Box, for storing all of your shared files and folders
  • End-user awareness and education