LIFARS Incident Response Team (LISIRT) is observing a heavy increase in Ryuk ransomware activity, mainly in the healthcare sector. It is unsettling that, in the current COVID-19 era, healthcare has become the most targeted sector. During previous weeks, and especially on weekends, LISIRT has responded numerous times to late-night calls from several undisclosed hospitals in the Tri-State area. We compiled this Ryuk Ransomware Removal Guide to assist you if you encounter this threat.
Wizard Spider is a financially motivated group that focuses on large organizations and demands high ransoms from them. The group started conducting its campaigns in 2018 and often uses malware such as Emotet or TrickBot in the first stages of an attack. Wizard Spider gained public attention in 2018 when a new threat attributed to this group emerged: Ryuk ransomware.
The current variant has new upgrades and modifications compared with the previous version and is capable of taking over a network quickly. The ransom note has changed, too. Previously there was a lengthy note starting with “Gentlemen! Your business is at serious risk. There is a significant hole in the security system of your company…” The ransom note of the new variant has been stripped down and now contains only a protonmail.com email address, the name of the ransomware and the statement “balance of shadow universe”. Encrypted files have the .RYK extension appended, and a text file “RyukReadMe.txt” is placed in every folder.
The ransom must be paid in bitcoin, and the final price is set based on factors such as solvency, industry, data sensitivity and ability to pay. We do not recommend paying the ransom: there is only a small chance that a working decryptor will be provided, and a considerable risk that the adversaries will simply ignore you once the payment is made. Another significant risk is that such a payment may violate OFAC sanctions rules.
Ryuk has been described as being offered under a Ransomware-as-a-Service business model; to the extent that is the case, anyone willing to pay for access can use it in their own attacks.
Technical details (Encryption and Information Stealing)
Ryuk combines symmetric (AES) and asymmetric (RSA) encryption. Each Ryuk sample carries its own RSA keypair, with the private key embedded only in encrypted form (under a key the attackers hold), so the sample itself can encrypt but never decrypt. To encrypt the data, Ryuk generates a separate AES key for every file, encrypts that AES key with the RSA public key and appends the result to the end of the corresponding encrypted file. If Ryuk reused the same RSA keypair in every sample, a single recovered private key would unlock every victim's files. Because each sample has a unique keypair, a key recovered from one incident helps no other victim, and without the attackers' private key the files cannot be decrypted.
Ryuk does not only encrypt data; it also performs large-scale exfiltration of internal documents. Versions through 2019 did not steal data, but 2020 versions began stealing Word and Excel files. A later 2020 update expanded the list of targeted data types to include image files and cryptocurrency wallets.
The following list shows the targeted extensions:
However, it does not exfiltrate every file with these extensions, only those containing certain strings. It searches for strings related to cybersecurity, military, government and finance (for example: attack, explosive, traitor, NATO, cyber, IBAN, SWIFT, balance, saving). It is therefore important not only to remove the ransomware but also to check for data exfiltration. Stolen data can be used for extortion and can also be sold on to other parties.
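To scope an exfiltration assessment, the following added Python example (our illustration, not LIFARS tooling) walks a directory and lists the Word and Excel documents whose text contains the keywords quoted above, so an investigator can see which files would have matched Ryuk's filter. The .docx/.xlsx handling, the substring matching and the constructed sample files are assumptions of the example; the page's full extension list is not reproduced here, and matching is deliberately a case-insensitive substring test so it over-matches (an upper bound on exposure) rather than misses.

```python
"""
Scope a possible Ryuk data exfiltration: find Word/Excel documents whose text
contains the kinds of keywords the stealer component searches for.

Added example, not LIFARS tooling. KEYWORDS is the subset quoted on the page;
the OOXML formats handled here are an assumption (the page names Word and
Excel files, but its full extension list is not reproduced).
"""
import os
import tempfile
import zipfile
import xml.etree.ElementTree as ET

# Keywords quoted on the page (Ryuk matches more than these).
KEYWORDS = ["attack", "explosive", "traitor", "NATO", "cyber",
            "IBAN", "SWIFT", "balance", "saving"]

# Assumption: where visible text lives inside the OOXML zip containers.
# Legacy binary .doc/.xls files are not parsed by this example.
TEXT_PARTS = {
    ".docx": ["word/document.xml"],
    ".xlsx": ["xl/sharedStrings.xml"],  # cell text; numbers/formulas are elsewhere
}


def extract_text(path):
    """Return the visible text of a .docx/.xlsx file, or '' if not applicable."""
    parts = TEXT_PARTS.get(os.path.splitext(path)[1].lower())
    if not parts:
        return ""
    try:
        with zipfile.ZipFile(path) as zf:
            chunks = []
            for name in parts:
                if name in zf.namelist():
                    root = ET.fromstring(zf.read(name))
                    # itertext() walks every text node regardless of namespace.
                    chunks.extend(t for t in root.itertext() if t.strip())
            return " ".join(chunks)
    except (zipfile.BadZipFile, ET.ParseError, OSError):
        return ""


def find_matching_documents(root_dir):
    """Return {relative path: sorted lowercase keywords found} for matching files."""
    hits = {}
    for dirpath, _, filenames in os.walk(root_dir):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            lowered = extract_text(path).lower()
            if not lowered:
                continue
            # Substring test on purpose: over-matching is the safe direction here.
            found = sorted(k.lower() for k in KEYWORDS if k.lower() in lowered)
            if found:
                rel = os.path.relpath(path, root_dir).replace(os.sep, "/")
                hits[rel] = found
    return hits


def _write_docx(path, paragraphs):
    body = "".join(f"<w:p><w:r><w:t>{p}</w:t></w:r></w:p>" for p in paragraphs)
    xml = ('<w:document xmlns:w="http://schemas.openxmlformats.org/'
           f'wordprocessingml/2006/main"><w:body>{body}</w:body></w:document>')
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("word/document.xml", xml)


def _write_xlsx(path, strings):
    items = "".join(f"<si><t>{s}</t></si>" for s in strings)
    xml = ('<sst xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">'
           f'{items}</sst>')
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("xl/sharedStrings.xml", xml)


def build_sample_tree():
    """Constructed sample data: a temp dir with minimal documents (not real files)."""
    d = tempfile.mkdtemp(prefix="ryuk_scope_")
    _write_docx(os.path.join(d, "board-memo.docx"),
                ["Quarterly balance review", "Wire via SWIFT to the listed IBAN"])
    _write_xlsx(os.path.join(d, "staff-list.xlsx"), ["Name", "Department", "Phone"])
    _write_docx(os.path.join(d, "cyber-policy.docx"), ["Cyber incident escalation steps"])
    with open(os.path.join(d, "notes.txt"), "w") as f:
        f.write("attack plan")  # plain text is not one of the formats handled here
    return d


if __name__ == "__main__":
    sample = build_sample_tree()
    for rel, words in find_matching_documents(sample).items():
        print(f"{rel}: {', '.join(words)}")
```

Run it against a copy of a file share or a mounted backup taken before the incident; the output is the set of documents worth treating as potentially stolen when you assess notification duties. Because the stealer's real extension list and keyword list are longer than what is reproduced on this page, treat a match as "would have been targeted" and a non-match as "not covered by this check" rather than "safe".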
Ryuk Ransomware Removal Guide
Once an infection has been detected, the next incident response phases are containment and eradication. Containment consists of mitigations that prevent the threat from spreading; eradication means removing the malware from affected systems.
If you have been targeted with this ransomware, the following steps should help you with mitigation. The first four steps belong to the containment phase, and it is crucial to perform them as soon as you find out about the infection. Note that an expert digital forensics and incident response company may be needed to make sure the threat is completely removed from your environment and to prevent further attacks.
- Disconnect the computer from the network, including the Internet, to stop the threat from spreading. This ransomware spreads rapidly throughout the network, so complete isolation of infected machines from both wireless and wired connections is essential to stop new infections.
- If you are sure it is Ryuk, disconnect your AD domain controllers from the network immediately; Ryuk operators typically use domain administrator access to push the ransomware to every host at once.
- Unplug all external storage devices. Do not connect any additional external storage as it may get encrypted, too.
- Do not pay the ransom. You have a low chance of recovering your data even when you pay, and it will only encourage the attackers to conduct more campaigns.
- Contact an expert for assistance.
- If possible, create a forensic image of the system so you can provide it to security personnel to investigate the point of compromise.
- Reinstall the operating system from trusted installation media.
- Before reconnecting the machine to the main network (you may keep it in an isolated network to update virus signatures), scan it with an antivirus solution and remove any identified infection. Automated tools are advised; relying only on manual removal of this sophisticated malware is not recommended. Automated tools combined with manual checking and additional cleanup, such as removing persistence entries in the registry, are a good choice.
- Make sure the infection is not present in your backups; afterwards, restore your data from a clean backup.
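As an added example for the last step (checking that a backup or disk image is free of Ryuk artifacts before you restore from it), this Python script, our illustration and not part of the LIFARS guide, sweeps a mounted path for the two indicators named on this page, the .RYK extension and the RyukReadMe.txt note, checks candidate notes for the phrases the page quotes, and reports an encryption window from the encrypted files' timestamps. The sample tree it builds is constructed for the demonstration, and the placeholder address in the constructed note is not a real indicator.

```python
"""
Sweep a mounted backup, disk image or share for Ryuk artifacts before restoring.

Added example, not LIFARS tooling. It uses only the indicators this page names:
the .RYK extension appended to encrypted files, the RyukReadMe.txt note dropped
in every folder, and the note's content (a protonmail.com address, the name
Ryuk and "balance of shadow universe").
"""
import os
import tempfile

RYUK_EXTENSION = ".ryk"          # compared case-insensitively
RANSOM_NOTE = "ryukreadme.txt"   # compared case-insensitively
NOTE_MARKERS = ("protonmail.com", "ryuk", "balance of shadow universe")


def looks_like_ryuk_note(text):
    """True if the text carries all phrases the current Ryuk note contains."""
    lowered = text.lower()
    return all(marker in lowered for marker in NOTE_MARKERS)


def scan_for_ryuk_artifacts(root_dir):
    """Walk root_dir and summarize Ryuk artifacts (paths relative to root_dir)."""
    encrypted, notes, unconfirmed = [], [], []
    first = last = None
    for dirpath, _, filenames in os.walk(root_dir):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            rel = os.path.relpath(path, root_dir).replace(os.sep, "/")
            name = fn.lower()
            if name.endswith(RYUK_EXTENSION):
                encrypted.append(rel)
                mtime = os.path.getmtime(path)  # when the file was last written
                first = mtime if first is None else min(first, mtime)
                last = mtime if last is None else max(last, mtime)
            elif name == RANSOM_NOTE:
                try:
                    with open(path, encoding="utf-8", errors="replace") as f:
                        text = f.read(4096)
                except OSError:
                    text = ""
                # A file with the right name but unexpected content is still suspicious.
                (notes if looks_like_ryuk_note(text) else unconfirmed).append(rel)
    affected = sorted({os.path.dirname(p) or "." for p in encrypted + notes + unconfirmed})
    return {
        "encrypted_files": sorted(encrypted),
        "ransom_notes": sorted(notes),
        "unconfirmed_notes": sorted(unconfirmed),
        "affected_dirs": affected,
        "encryption_window": (first, last),   # (earliest, latest) mtime, or (None, None)
        "restorable": not (encrypted or notes or unconfirmed),
    }


def build_sample_tree():
    """Constructed sample: a clean backup beside one whose finance folder was hit."""
    root = tempfile.mkdtemp(prefix="ryuk_sweep_")
    clean = os.path.join(root, "backup-a")
    hit = os.path.join(root, "backup-b")
    os.makedirs(clean)
    os.makedirs(os.path.join(hit, "finance"))
    with open(os.path.join(clean, "ledger.xlsx"), "wb") as f:
        f.write(b"PK\x03\x04 placeholder spreadsheet bytes")
    with open(os.path.join(hit, "finance", "ledger.xlsx.RYK"), "wb") as f:
        f.write(b"\x00" * 64)  # stand-in for ciphertext
    with open(os.path.join(hit, "finance", "RyukReadMe.txt"), "w") as f:
        # Constructed note mirroring the phrases the page quotes; not a real address.
        f.write("balance of shadow universe\nRyuk\n<redacted>@protonmail.com\n")
    return root, clean, hit


if __name__ == "__main__":
    _, clean_dir, hit_dir = build_sample_tree()
    for label, d in (("clean", clean_dir), ("hit", hit_dir)):
        summary = scan_for_ryuk_artifacts(d)
        print(label, "restorable:", summary["restorable"],
              "encrypted:", len(summary["encrypted_files"]),
              "notes:", len(summary["ransom_notes"]))
```

Point it at the mount point of each backup generation, newest first, and restore from the newest one that reports no artifacts. Absence of .RYK files and notes only shows the backup predates encryption; it does not prove the loader (Emotet, TrickBot) is absent from the systems captured in it, so the restored hosts still need the antivirus scan from the previous step before they rejoin the network.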
Indicators of Compromise (IoCs)
Phishing sender email:
We published a case study of a recent engagement in which Ryuk ransomware, coupled with Zbot/ZLoader embedded in an Excel macro, made a deadly combination. Download the case study to see findings from our digital forensics analysis and additional IoCs.
If you suspect that your computer has been infected with Ryuk delivered via Emotet, it is not sufficient to isolate, patch and clean the infected system alone: machines are likely to be re-infected once plugged back into a network that still contains infected hosts. Therefore, clean all the computers in your network one by one before plugging them back in.
After getting rid of the ransomware, review your backup policies, conduct security awareness training for your employees, and perform penetration tests or an audit to fix the weaknesses in your infrastructure that the attacker used to compromise your network.