Summary
Ryuk is a ransomware family that gained notoriety in December 2018 when it disrupted the operations of several major U.S. newspapers. Earlier analysis from Check Point in August 2018 noted that Ryuk was being used exclusively for targeted attacks, with its main targets being the critical assets of its victims. In the few months before the December attack, Ryuk attacks had already extorted over US$600,000 worth of bitcoin from various large enterprises.
Ryuk has been operated since August 2018 by WIZARD SPIDER, a Russia-based criminal group that targets large organizations for a high ransom return (big game hunting). The group is also known for operating the Trickbot banking malware.
A recent flash update from the FBI revealed that over 100 organizations around the world have been hit by Ryuk attacks since August 2018. The victims come from different industries, the most common being logistics and technology companies, as well as small municipalities. The update also noted that identifying Ryuk's infection vectors is difficult because the ransomware typically deletes all evidence of its dropper as part of its routine. Previous incidents, however, show that Ryuk's delivery methods can vary widely: for example, it can be dropped by other malware such as Emotet or Trickbot, and attackers can also exploit flaws or weak points in the system to gain access to an organization's network.
Behaviors
- Bypasses anti-virus products
- Maintains persistence on the targeted machine
- Runs as a legitimate process by injecting into Windows processes
- Terminates processes
- Stops services
Capabilities
- Information Theft
- File Encryption
- Disabling usage capability
Infection Routine
Impact
- Data loss - important files, documents, and other data are lost upon encryption
- Financial loss - users are asked to pay in order to decrypt the affected files
File Reputation
| Detection/Policy/Rules | Pattern Branch/Version | Release Date |
|---|---|---|
| Ransom.Win32.RYUK.SM (One-to-Many Pattern) | ENT OPR 14.797 | First Release: 2019-02-06 |
| Ransom.Win64.RYUK.SM (One-to-Many Pattern) | ENT OPR 14.463 | First Release: 2018-08-24 |
| Ransom.Win32.RYUK.SMTH (One-to-Many Pattern) | ENT OPR 14.871 | First Release: 2019-03-14 |
| Ransom.Win32.RYUK.SMTH1 (One-to-Many Pattern) | ENT OPR 15.209 | First Release: 2019-07-01 |
| Ransom.Win32.RYUK.THIABAI | ENT OPR 15.363 | 2019-09-13 |
| Ransom.Win32.RYUK.HTW | ENT OPR 15.343 | 2019-09-03 |
| Ransom_RYUK.THHBAAH | ENT OPR 14.457 | 2018-08-21 |
| Ransom_RYUK.THHBAAO | ENT OPR 14.459 | 2018-08-2 |
| Ransom.Win32.RYUK.HUG | ENT OPR 15.543.00 | 2019-12-07 |
Predictive Machine Learning
| Detection | Pattern Branch/Version |
|---|---|
| Troj.Win32.TRX.XXPE50FFF028 | In-the-Cloud |
| Troj.Win32.TRX.XXPE50FFF031 | In-the-Cloud |
Behavior Monitoring
| Policy ID | Pattern Branch/Version | Release Date |
|---|---|---|
| RAN2455T | TMTD OPR 1675 | 2017-06-28 |
| RAN2194S | TMTD OPR 1939 | 2019-09-17 |
| RAN2200T | TMTD OPR 1939 | 2019-09-17 |
| RAN2203T | TMTD OPR 1943 | 2019-09-30 |
Web Reputation
| Detection/Policy/Rules | Pattern Branch/Version |
|---|---|
| URL Protection | In-the-cloud |
Anti-Spam
| Detection/Policy/Rules | Pattern Branch/Version |
|---|---|
| Email Protection | AS Pattern 5092 |
Network Patterns
| | Rules/Detections/Patterns |
|---|---|
| Cloud One - Workload Security, Deep Security and Vulnerability Protection (IPS) | 1008228 - Microsoft Windows SMB Remote Code Execution Vulnerability (CVE-2017-0148) |
| | 1008306 - Microsoft Windows SMB Remote Code Execution Vulnerability (MS17-010) |
| | 1008328 - Identified Client Suspicious SMB Session |
| | 1008327 - Identified Server Suspicious SMB Session |
| | 1008227 - Microsoft Windows SMB Information Disclosure Vulnerability (CVE-2017-0147) |
| | 1008225 - Microsoft Windows SMB Remote Code Execution Vulnerability (CVE-2017-0145) |
| | 1008224 - Microsoft Windows SMB Remote Code Execution Vulnerabilities (CVE-2017-0144 and CVE-2017-0146) |
| Deep Discovery Inspector | Rule 2435 - MS17-010 - Remote Code Execution - SMB (Request) |
| | Rule 2528 - MS17-010 - Remote Code Execution - SMB (Request) - Variant 2 |
| Relevance Rules | MS17-010-SMB_REMOTE_CODE_EXECUTION_EXPLOIT_NC_ |
| | MS17-010-SMB_REMOTE_CODE_EXECUTION_EXPLOIT-2_NC_ |
| | MS17-010-SMB_REMOTE_CODE_EXECUTION_EXPLOIT-3_NC_ |
| | SMB_EQUATED_RESPONSE_NC |
Solution Map - What should customers do?
| Trend Micro Solution | Major Product | Latest Version | Virus Pattern | Anti-Spam Pattern | Network Pattern | Behavior Monitoring | Predictive Machine Learning | Web Reputation |
|---|---|---|---|---|---|---|---|---|
| Endpoint Security | ApexOne | 2019 | Update pattern via web console | Not Applicable | Update pattern via web console | Enable Behavior Monitoring and update pattern via web console | Enable Predictive Machine Learning | Enable Web Reputation Service and update pattern via web console |
| | OfficeScan | XG (12.0) | | Not Applicable | | | | |
| | Worry-Free Business Security | Standard (10.0) | | | | | | |
| | | Advanced (10.0) | | Update pattern via web console | | | | |
| Hybrid Cloud Security | Deep Security | Manager and Agent 12.0 and above | Update pattern via web console | Not Applicable | Update pattern (DSRU rules) via web console | Enable Behavior Monitoring and update pattern via web console | Enable Predictive Machine Learning | Enable Web Reputation Service and update pattern via web console |
| | Cloud One - Workload Security | Agent 12.0 and above | | | | | | |
| Email and Gateway Security | Deep Discovery Email Inspector | 3.5 | Update pattern via web console | Update pattern via web console | Update pattern via web console | Not Applicable | Not Applicable | Enable Web Reputation Service and update pattern via web console |
| | InterScan Messaging Security | 9.1 | | | Not Applicable | | | |
| | InterScan Web Security | 6.5 | | | | | | |
| | ScanMail for Microsoft Exchange | 14.0 | | | | | | |
| Network Security | Deep Discovery Inspector | 5.5 | Update pattern via web console | Not Applicable | Update pattern via web console | Not Applicable | Not Applicable | Enable Web Reputation Service and update pattern via web console |