LTS Secure Warning: Targeted Ransomware Attack using RYUK

Unlike the most ransomware, which are distributed via massive mail-spam campaigns and exploit kits, Ryuk is used exclusively for tailored attacks. Its encryption scheme is developed for small-scale operations, so that only the critical assets and resources are infected in each desired network with its distribution & infection carried out manually by the attackers.

Effected devices have their files encrypted & files are not appended with any extension making them unreadable. Ryuk makes use of Robust algorithms like AES – 256 & RSA – 4096 to encrypt its victims files.

Technical Details

The infection process starts with a malicious spam mail, which contains a downloader for TrickBot, which once downloaded, will propagate within the network of the victim via two methods:

• Through the SMB exploit of EternalBlue
• Harvested credentials combined with several modules.

Trickbot will then being communication with compromised Mikrotik router facing the internet, which acts as the C&C server, to transmit and receive instructions from an infected device. It then deploys the Ryuk ransomware at a randomly determined time.

Impact

• Downtime in Business Critical operations
• Loss in Productivity
• Damage of hostage devices, files & data

Recommended Actions

• Regularly update & perform malware scans
• Prohibit access to certain mapped drives based on the role requirements
• Make use of separate or third-party system for storing all of your shared files and folders, such as Dropbox or Box
• End-user awareness and education