A new variant of Ryuk ransomware has been detected with worm-like capabilities that allow it to spread laterally within an infected network with no human interaction. This is a notable change for a ransomware variant that has previously been deployed manually after access to a network has been gained. Previously, once network access was achieved, the threat actors performed reconnaissance, moved laterally through the network by hand using living-off-the-land binaries, and dropped their ransomware payload on all accessible devices. The update means this process can be largely automated, which will shorten the time from intrusion to infection and, by freeing up the attackers' time, could allow more attacks to be conducted.
While it is unclear whether Ryuk is a ransomware-as-a-service operation, multiple actors are believed to be involved in conducting attacks, and Ryuk is one of the most active ransomware variants. Ryuk accounted for around one third of all ransomware attacks in 2020, with attacks conducted at a rate of around 20 each week.
The latest Ryuk ransomware variant was discovered by the French cybersecurity agency ANSSI during an incident response it handled in January 2021. The latest version has a new attribute that allows it to self-replicate within a local network from machine to machine using scheduled tasks. Once launched, it will spread to all reachable machines on which Windows RPC access is possible.
A previous update gave Ryuk the ability to read the address resolution protocol (ARP) table on an infected system to obtain a list of the IP and MAC addresses of other systems. The ransomware was programmed to send wake-on-LAN packets to a device's MAC address, waking up devices that had been powered down so that their drives could be mounted and their contents encrypted.
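The wake-on-LAN behaviour above is something a network sensor can look for directly: a magic packet has a fixed layout (six 0xFF bytes followed by the target MAC repeated sixteen times), and on most networks only a small set of management hosts should ever send one. The following is an added example, not code from the article or from ANSSI; the flow tuples, IP addresses, MAC addresses and the allow-list of legitimate senders are all constructed for illustration.

```python
# Added example (not from the article): recognise Wake-on-LAN magic packets in raw
# UDP payloads and flag any sent by a host outside a small allow-list, so that
# ordinary workstations waking up their neighbours stands out in network telemetry.
from typing import List, Optional, Tuple

# A magic packet is a 6-byte synchronisation stream of 0xFF followed by the target
# MAC address repeated 16 times (an optional SecureOn password may follow; ignored).
SYNC_STREAM = b"\xff" * 6

# Constructed allow-list: the one management server expected to send WoL frames.
ALLOWED_WOL_SENDERS = {"10.0.0.5"}


def wol_target_mac(payload: bytes) -> Optional[str]:
    """Return the target MAC (colon-separated hex) if payload carries a magic packet.

    The magic sequence may sit anywhere inside the datagram, so search for the
    synchronisation stream first, then require 16 identical 6-byte repetitions.
    Returns None for anything that does not match the full 102-byte pattern.
    """
    idx = payload.find(SYNC_STREAM)
    if idx < 0:
        return None
    body = payload[idx + len(SYNC_STREAM):]
    if len(body) < 16 * 6:
        return None  # truncated: not a complete magic packet
    mac = body[:6]
    if body[:16 * 6] != mac * 16:
        return None  # repetitions do not all match the first MAC
    return ":".join(f"{b:02x}" for b in mac)


# Constructed sample flows: (source IP, destination UDP port, payload bytes).
SAMPLE_FLOWS: List[Tuple[str, int, bytes]] = [
    # Legitimate management server waking a host.
    ("10.0.0.5", 9, SYNC_STREAM + bytes.fromhex("001122334455") * 16),
    # A workstation sending a magic packet: not expected, worth an alert.
    ("10.0.1.37", 9, SYNC_STREAM + bytes.fromhex("00aabbccddee") * 16),
    # Same workstation, but only 15 repetitions: malformed, not a magic packet.
    ("10.0.1.37", 9, SYNC_STREAM + bytes.fromhex("00aabbccddee") * 15),
    # Unrelated traffic (a short DNS query) that contains no sync stream.
    ("10.0.1.42", 53, b"\x12\x34\x01\x00\x00\x01"),
]


def suspicious_wol(flows, allowed=ALLOWED_WOL_SENDERS) -> List[Tuple[str, str]]:
    """Return (source IP, target MAC) for magic packets sent by non-allow-listed hosts."""
    hits = []
    for src, _port, payload in flows:
        mac = wol_target_mac(payload)
        if mac is not None and src not in allowed:
            hits.append((src, mac))
    return hits


if __name__ == "__main__":
    for src, mac in suspicious_wol(SAMPLE_FLOWS):
        print(f"ALERT: unexpected wake-on-LAN from {src} targeting {mac}")
```

Because the search for the synchronisation stream is not anchored to offset zero, the check also catches magic packets wrapped in other protocols, which is how some WoL clients send them; the allow-list, rather than the packet format, is what separates normal from suspicious use.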
While network defenders could hamper the ability of the malware to spread by limiting the use of wake-on-LAN to administrative accounts and workstations, that would not be effective if administrative accounts and devices are compromised, as is often the case with Ryuk ransomware attacks.
The malware propagates using a privileged account on the domain. For network defenders who have identified an attack in progress, simply changing the password on the account or disabling the account will not work, as replication will continue as long as the Kerberos tickets have not expired. ANSSI suggests “One way to tackle the problem could be to change the password or disable the user account (according to the used account) and then proceed to a double KRBTGT domain password change. This would induce many disturbances on the domain – and most likely require many reboots but would also immediately contain the propagation.” ANSSI notes that this method would not stop encryption on an already infected machine; it would only limit the ability of the malware to spread to other, non-infected devices. ANSSI has not found any mechanism that would prevent an already infected machine from being infected again, so infection cannot be prevented simply by creating a system object in advance.
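The propagation mechanism described above (a scheduled task created on every reachable host over RPC, from one privileged domain account) leaves a distinctive trace in centrally collected Windows Security logs: a single account creating scheduled tasks on many different computers within minutes. The following is an added example, not code from the article or from ANSSI, of a detection that looks for that fan-out. The event tuples are constructed to resemble the fields of Event ID 4698 ("A scheduled task was created"); the account names, host names, task names and thresholds are all assumptions for illustration.

```python
# Added example (not from the article): flag one account creating scheduled tasks
# on many distinct hosts inside a short sliding window, the footprint a
# self-propagating ransomware would leave in collected 4698 events.
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample events: (ISO timestamp, computer, subject account, task name).
SAMPLE_EVENTS: List[Tuple[str, str, str, str]] = [
    # A patching service account touching two hosts hours apart: expected behaviour.
    ("2021-01-13T22:00:00", "WS-001", "CORP\\svc-patch", "\\CorpPatch\\Reboot"),
    ("2021-01-14T04:00:00", "WS-002", "CORP\\svc-patch", "\\CorpPatch\\Reboot"),
    # A user re-creating a task on a single host several times: noisy, but one host.
    ("2021-01-14T09:15:00", "WS-005", "CORP\\jdoe", "\\Sync"),
    ("2021-01-14T09:15:30", "WS-005", "CORP\\jdoe", "\\Sync"),
    ("2021-01-14T09:16:00", "WS-005", "CORP\\jdoe", "\\Sync"),
    ("2021-01-14T09:16:30", "WS-005", "CORP\\jdoe", "\\Sync"),
    ("2021-01-14T09:17:00", "WS-005", "CORP\\jdoe", "\\Sync"),
    # A privileged account creating the same task on six hosts inside one minute.
    ("2021-01-14T02:10:05", "WS-017", "CORP\\admin-ops", "\\Update"),
    ("2021-01-14T02:10:09", "WS-018", "CORP\\admin-ops", "\\Update"),
    ("2021-01-14T02:10:14", "FS-02", "CORP\\admin-ops", "\\Update"),
    ("2021-01-14T02:10:20", "WS-021", "CORP\\admin-ops", "\\Update"),
    ("2021-01-14T02:10:33", "WS-022", "CORP\\admin-ops", "\\Update"),
    ("2021-01-14T02:11:02", "DC-02", "CORP\\admin-ops", "\\Update"),
]


def detect_task_fanout(events, min_hosts: int = 5,
                       window: timedelta = timedelta(minutes=10)) -> Dict[str, List[str]]:
    """Return {account: sorted hosts} for accounts whose task creations reach
    min_hosts distinct computers within any sliding window of the given length.

    Events are grouped per account and sorted by time; a two-pointer sweep keeps
    only rows inside the window, so repeated tasks on one host count once and a
    slow, legitimate roll-out spread over hours does not trigger the default rule.
    """
    by_account = defaultdict(list)
    for ts, host, account, _task in events:
        by_account[account].append((datetime.fromisoformat(ts), host))

    alerts: Dict[str, List[str]] = {}
    for account, rows in by_account.items():
        rows.sort()
        best = set()
        start = 0
        for end in range(len(rows)):
            # Slide the window start forward until the span fits within `window`.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            hosts = {host for _, host in rows[start:end + 1]}
            if len(hosts) >= min_hosts and len(hosts) > len(best):
                best = hosts
        if best:
            alerts[account] = sorted(best)
    return alerts


if __name__ == "__main__":
    for account, hosts in detect_task_fanout(SAMPLE_EVENTS).items():
        print(f"ALERT: {account} created scheduled tasks on {len(hosts)} hosts: {hosts}")
```

Tuning is the whole game here: the thresholds are placeholders, and a real deployment would raise `min_hosts` or add an allow-list for known deployment accounts so that routine software distribution does not page anyone, while keeping the window short enough that a burst from a single privileged account still surfaces while containment is still possible.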
The Ryuk gang is known to use several different infection chains, including accessing unprotected RDP ports, but the most common method of delivery is phishing, which accounts for over 80% of infections according to Coveware. The Ryuk gang is known to use multiple malware-as-a-service offerings to gain access to networks, including Emotet and TrickBot. These have been used to deliver BazarLoader, which in turn delivers Ryuk ransomware. Ryuk has also used the Buer Loader MaaS tool as an alternative to Emotet and TrickBot, insulating the operation from takedowns such as those recently carried out against both Emotet and TrickBot.