Recently, Quick Heal Security Labs observed a new destructive ransomware named ‘Ryuk. Ransomware’. This ransomware campaign has already affected many users worldwide and seems to be a spear phishing attack. The compelling thing, it encrypts victim files without appending any extension but making files unreadable.
Ryuk uses robust military algorithms such as ‘RSA4096’ and ‘AES-256’ to encrypt files. We have seen that the infection vector of this ransomware is exploit kits and spam emails. This ransomware demands a ransom ranging from 15 BTC to 50 BTC in the form of Bitcoin to decrypt the files.
After execution of the mother file, it dropped following files
|C:\Users\Public\public||Used to hold RSA public key.|
|C:\Users\Public\ UNIQUE_ID_DO_NOT_REMOVE||Used to hold hardcoded key.|
|C:\Users\Public\windows.bat||Used to delete shadow volumes and backup files.|
Fig 1: Batch file containing the commands to delete the shadow copies and backup files.
The next step is that it executes taskkill and net commands to kill more than 40 processes and terminates around 180 majorly required services in the machine. Following snippets shows the details
Fig 2: Execution of taskkill to kill processes
Fig 3: Execution of net to terminate services
From further analysis, we have found that the terminated processes and services are mainly associated with the database, antivirus, backup and document editing software.
Following snippet shows some of the processes and services it kills.
Fig 4: List of killed processes and services
The Ryuk Ransomware uses below command to create run registry to gain persistence even after the system is restarted as shown in the below snippet
Fig 5: Registry entry created at Run
From the analysis, Ryuk is found to be performing memory code injection. For this, it uses ‘openprocess’ to get the handle on target process and using ‘VirtualAllocEx’, it creates buffer inside its address space.
The allocated memory size is of the same size of malware image. It then writes into the allocated memory using ‘WriteProcessMemory’ API and creates a Remote thread into the targeted virtual address space using ‘CreateRemoteThread’ API.
Following IDA pro snippet shows us the code flow used to perform memory injection.
Fig 6: code flow used to perform memory injection
Ryuk ransomware encrypts each local drive except the locations which are hardcoded in it. this white list includes ‘Windows’, ‘Mozilla’, ‘Chrome’, ‘RecycleBin’ etc.
It also tries to encrypt shared systems on the network.
It had dropped two ransom notes, one is short and the other is in depth as shown below
Fig 7: Ransom Note in depth
How Quick Heal protects its users from the Ryuk Ransomware
Quick Heal successfully blocks Ryuk ransomware with the following protection layers:
Fig 8: Behavior Detection
Fig 9: Anti-Ransomware Module
How to stay safe from ransomware attacks:
Indicators of compromise:
Subject matter experts: –
Shashikala Halagond, Priyanka Dhasade, Poonam Dongare | Quick Heal Security Labs