Posted on March 1, 2021 at 10:50 AM
A recent report from the French cybersecurity agency ANSSI revealed that the Ryuk ransomware has started spreading independently in networks.
The report stated that the ransomware is now more devastating and potent, and that it has expanded its spread rapidly.
Malware self-replicates to other devices
The Trojan is now using new tricks and methods to infiltrate computer systems and cause havoc. The report also revealed that the threat actors behind the Trojan have given Ryuk worm-like capabilities, which means it is now able to attack and spread in the way the earlier version of the Emotet Trojan did.
“Through the use of scheduled tasks, the malware propagates itself within the Windows domain,” ANSSI reports.
When the malware is launched, it spreads itself to every reachable system on which Windows RPC is enabled.
The new variant also reaches other devices by listing all the IP addresses in the local ARP cache and sending what resembles a Wake-on-LAN (WOL) packet to each of the discovered devices. Afterward, it mounts the shared resources on those devices and encrypts their contents.
New Ryuk sample is now more potent
Vitali Kremez, chief executive officer of Advanced Intelligence, first discovered the mounting and encrypting ability of Ryuk last year.
But he observed that this Ryuk sample is a bit different from the one he discovered last year. The difference is the ability to copy itself to other Windows devices on the victim's local networks.
The malware can also execute itself remotely, which it does by using scheduled tasks created on each compromised host via the legitimate Windows schtasks.exe tool.
According to the report, the self-replicating abilities of Ryuk make it more potent and dangerous than the previously discovered version.
It does this by copying its executable to identified network shares. It then creates a scheduled task on the remote system.
The malware does not use any exclusion mechanism that would prevent it from re-encrypting a device. But ANSSI revealed that it is possible to prevent the variant from infiltrating other hosts on the network by changing the password of the domain account it uses to propagate to other hosts.
The user account can also be disabled before the double password change. This may require several reboots of the systems, but it will also halt the propagation. Other mitigations can be considered as well, particularly ones targeting the malware's execution framework, according to ANSSI.
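The propagation described above (one domain account creating scheduled tasks on many hosts, each task launching a binary staged on a network share) leaves a footprint in task-creation events that defenders can hunt for and that also identifies the account whose password should be reset. The following is an added example, not code from the article or from ANSSI; the simplified key=value log shape modelled on Windows Security event 4698, the field names, and the account and host names are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines, loosely modelled on Windows Security event 4698
# (scheduled task created). The format and the names are assumptions for this example.
SAMPLE_LOG = r"""
2021-02-25T10:00:01Z host=WS-01 event=4698 user=CORP\svc_ops task=\Updater cmd=\\FS01\public\launcher.exe
2021-02-25T10:00:04Z host=WS-02 event=4698 user=CORP\svc_ops task=\Updater cmd=\\FS01\public\launcher.exe
2021-02-25T10:00:07Z host=SRV-03 event=4698 user=CORP\svc_ops task=\Updater cmd=\\FS01\public\launcher.exe
2021-02-25T11:12:00Z host=WS-09 event=4698 user=CORP\jdoe task=\Backup cmd=C:\Tools\backup.exe
2021-02-25T11:30:00Z host=WS-09 event=4624 user=CORP\jdoe
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\d+) user=(?P<user>\S+)"
    r"(?: task=(?P<task>\S+) cmd=(?P<cmd>\S+))?$"
)

def parse_events(text):
    """Parse the constructed log format into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())   # task/cmd are None for non-4698 lines
    return events

def is_unc_path(cmd):
    """True when the task action points at a network share (\\server\share\...)."""
    return cmd is not None and cmd.startswith("\\\\")

def find_propagation_candidates(events, min_hosts=3):
    """Return {account: sorted hosts} for accounts that created a scheduled task
    running a binary from a UNC path on at least min_hosts distinct hosts.
    A single admin staging a tool from a share on one box is normal; the same
    account doing it across many hosts in quick succession is the worm pattern."""
    hosts_by_user = defaultdict(set)
    for ev in events:
        if ev["event"] == "4698" and is_unc_path(ev["cmd"]):
            hosts_by_user[ev["user"]].add(ev["host"])
    return {u: sorted(h) for u, h in hosts_by_user.items() if len(h) >= min_hosts}

if __name__ == "__main__":
    for account, hosts in find_propagation_candidates(parse_events(SAMPLE_LOG)).items():
        print(f"{account}: scheduled tasks from a share on {len(hosts)} hosts -> {hosts}")
```

The account reported is the one whose password to change (or which to disable) per the ANSSI mitigation above, and the host list is where the created task should be removed.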
The Ryuk ransomware-as-a-service (RaaS) gang was first discovered in August 2018. Since then, the group has been targeting systems and has caused a lot of commotion within the cybersecurity ecosystem.
RaaS has made about $150 million from victims
The RaaS group also has an affiliate program where intending affiliates can apply to become part of the group by submitting their resume.
The Ryuk team is the most prolific of the RaaS gangs, with a wider spread mechanism: its payload was seen in about 30% of all ransomware attacks last year.
The gang carries out multi-stage attacks, delivering its payloads through TrickBot, BazarLoader, or Emotet infection vectors.
The U.S. healthcare system has suffered a fair share of attacks from Ryuk affiliates since they began operation. Their operational framework is similar to that of other ransomware attacks. After compromising systems, they usually send messages to the victim demanding a ransom payment and threatening to expose the files if the demand is not met.
Last year, they collected $34 million from a single victim. Security researchers who are monitoring the group and following the money flows from its victims show that the RaaS gang has made a combined total of roughly $150 million from its ransomware trade.
Ryuk affiliates were very busy last year, as they were observed averaging about 20 company targets every week.