A new ransomware campaign in the wild, Ryuk!!
Credit to Author: Shriram Munde| Date: Tue, 28 Aug 2018 13:07:23 +0000
Recently, Quick Heal Security Labs observed a new destructive ransomware family, ‘Ryuk’. The campaign has already affected many users worldwide and appears to be delivered through spear phishing. Notably, Ryuk encrypts victim files without appending any extension, yet the files are left unreadable. It uses RSA-4096 and AES-256 to encrypt files. We have seen exploit kits and spam emails used as infection vectors. The ransomware demands a ransom of 15 BTC to 50 BTC, payable in Bitcoin, to decrypt the files.

Technical Analysis:

After execution of the mother file, it drops the following files:

C:\Users\Public\public: used to hold the RSA public key.
C:\Users\Public\UNIQUE_ID_DO_NOT_REMOVE: used to hold the hardcoded key.
C:\Users\Public\windows.bat: used to delete shadow volumes and backup files.

Fig 1: Batch file containing the commands to delete the shadow copies and backup files.

Next, it runs taskkill and net commands to kill more than 40 processes and stop around 180 services on the machine. The following snippets show the details.

Fig 2: Execution of taskkill to kill processes
Fig 3: Execution of net to terminate services

Further analysis shows that the terminated processes and services are mainly associated with database, antivirus, backup and document editing software. The following snippet shows some of the processes and services it kills.

Fig 4: List of killed processes and services

Ryuk uses the command below to create a Run registry entry, so that it persists across a restart of the system.

Fig 5: Registry entry created at Run

Ryuk was also found to perform in-memory code injection. It calls OpenProcess to obtain a handle to the target process and VirtualAllocEx to allocate a buffer in that process's address space, sized to match the malware image. It then writes into the allocated memory with the WriteProcessMemory API and starts execution by creating a remote thread in the target process with the CreateRemoteThread API. The following IDA Pro snippet shows the code flow used to perform the injection.

Fig 6: Code flow used to perform memory injection

Ryuk encrypts each local drive except for locations hardcoded in a whitelist, which includes ‘Windows’, ‘Mozilla’, ‘Chrome’, ‘RecycleBin’ etc. It also tries to encrypt shares reachable on the network. It drops two ransom notes, one short and one in depth, as shown below.

Fig 7: Ransom Note in depth

How Quick Heal protects its users from the Ryuk Ransomware

Quick Heal successfully blocks Ryuk ransomware with the following protection layers:
Virus Protection
Behavior-based Detection
Anti-Ransomware

Fig 8: Behavior Detection
Fig 9: Anti-Ransomware Module

How to stay safe from ransomware attacks:
Regularly back up your important data to external drives such as HDDs and pen drives. Keep at least one copy offline: Ryuk deletes shadow copies and encrypts reachable network shares, so a backup that stays connected can be lost along with the data.
Consider using a reliable cloud service to store the data.
Do not install freeware or cracked versions of any software.
Do not open advertisement pages shown on websites unless you know they are genuine.
Disable macros while using MS Office.
Keep your antivirus updated to protect your system from unknown threats.
Do not click on links or download attachments in emails from unexpected, unknown or unwanted sources.

Indicators of compromise:
SHA-256: 8d3f68b16f0710f858d8c1d2c699260e6f43161a5510abb0e7ba567bd72c965b

Subject matter experts: Shashikala Halagond, Priyanka Dhasade, Poonam Dongare | Quick Heal Security Labs
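The behaviours described in the technical analysis above (a batch file under C:\Users\Public that deletes shadow copies and backups, bulk taskkill and net stop commands, a Run-key entry, and CreateRemoteThread injection) can each be turned into an endpoint detection rule. The script below is an added example by the editor, not Quick Heal's tooling or code from the post. It runs the rules over constructed Sysmon-style JSON events embedded in the script. The dropper name sample.exe, the specific vssadmin/wbadmin/wmic/bcdedit command patterns (the post does not reproduce the contents of windows.bat), the burst threshold of 10 kill commands within 60 seconds, and the user-writable-path filter on CreateRemoteThread sources are all assumptions for illustration.

```python
"""Detection rules for the Ryuk behaviours in the post, run over constructed
Sysmon-style events. Example code added by the editor; not Quick Heal's.

Assumptions (not from the post): events are Sysmon JSON lines with EventID,
UtcTime, Image, CommandLine, ParentImage (ID 1), TargetObject (ID 13),
SourceImage/TargetImage (ID 8); the dropper is named sample.exe; the exact
shadow-copy commands, the 10-in-60s burst threshold and the user-writable
path filter are tuning choices."""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# ---- constructed sample telemetry (not real events) ----
def _ev(eid, t, **fields):
    return json.dumps({"EventID": eid, "UtcTime": f"2018-08-28 10:00:{t:06.3f}", **fields})

DROPPER = r"C:\Users\Public\sample.exe"          # hypothetical name for the "mother file"
BATCH = r"C:\Users\Public\windows.bat"           # path named in the post
CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE_LOG = [
    _ev(1, 1.0, Image=CMD, ParentImage=DROPPER, CommandLine=f'cmd.exe /c "{BATCH}"'),
    _ev(1, 1.5, Image=r"C:\Windows\System32\vssadmin.exe", ParentImage=CMD,
        CommandLine="vssadmin.exe Delete Shadows /all /quiet"),
    _ev(1, 2.0, Image=r"C:\Windows\System32\wbadmin.exe", ParentImage=CMD,
        CommandLine="wbadmin DELETE SYSTEMSTATEBACKUP"),
    # benign process start: must not trigger anything
    _ev(1, 3.0, Image=r"C:\Windows\System32\notepad.exe", ParentImage=r"C:\Windows\explorer.exe",
        CommandLine="notepad.exe report.txt"),
    # Run-key persistence (Sysmon ID 13, registry value set)
    _ev(13, 4.0, Image=DROPPER,
        TargetObject=r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run\svchos"),
    # CreateRemoteThread from the dropper into another process (Sysmon ID 8)
    _ev(8, 5.0, SourceImage=DROPPER, TargetImage=r"C:\Windows\explorer.exe"),
    # CreateRemoteThread by a system binary: filtered out by the path check below
    _ev(8, 5.5, SourceImage=r"C:\Windows\System32\csrss.exe", TargetImage=r"C:\Windows\explorer.exe"),
]
# burst of taskkill / net stop from the dropper (post: >40 processes, ~180 services)
for i, name in enumerate(["sqlwriter", "sqlservr", "oracle", "mysqld", "outlook", "winword",
                          "excel", "veeam", "backup", "thebat", "steam", "synctime"]):
    SAMPLE_LOG.append(_ev(1, 6.0 + i * 0.1, Image=r"C:\Windows\System32\taskkill.exe",
                          ParentImage=DROPPER, CommandLine=f"taskkill /IM {name}.exe /F"))
for i, svc in enumerate(["MSSQLSERVER", "SQLWriter", "VeeamBackupSvc", "McAfeeFramework", "Sophos Agent"]):
    SAMPLE_LOG.append(_ev(1, 8.0 + i * 0.1, Image=r"C:\Windows\System32\net.exe",
                          ParentImage=DROPPER, CommandLine=f'net stop "{svc}" /y'))

# ---- rules ----
SHADOW_DELETE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete|"
    r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)|bcdedit(\.exe)?\s+.*recoveryenabled\s+no",
    re.IGNORECASE)
PUBLIC_BATCH = re.compile(r"\\users\\public\\[^\"]*\.bat", re.IGNORECASE)
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\users\\|\\programdata\\|\\temp\\", re.IGNORECASE)
NET_STOP = re.compile(r"\bnet1?(\.exe)?\s+stop\b", re.IGNORECASE)
KILL_BURST_N, KILL_BURST_WINDOW = 10, timedelta(seconds=60)   # tuning assumptions

def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]

def _when(ev):
    return datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")

def is_kill_command(ev):
    """taskkill, or net/net1 stopping a service."""
    img, cmd = _basename(ev.get("Image", "")), ev.get("CommandLine", "")
    return img == "taskkill.exe" or (img in ("net.exe", "net1.exe") and bool(NET_STOP.search(cmd)))

def detect(lines):
    """Return {rule_name: [evidence, ...]} for the behaviours described in the post."""
    hits, kills = defaultdict(list), defaultdict(list)   # kills: parent image -> timestamps
    for ev in (json.loads(line) for line in lines):
        eid, cmd = ev["EventID"], ev.get("CommandLine", "")
        if eid == 1:
            if SHADOW_DELETE.search(cmd):
                hits["shadow_copy_or_backup_deletion"].append(cmd)
            if PUBLIC_BATCH.search(cmd):
                hits["batch_dropped_in_users_public"].append(cmd)
            if is_kill_command(ev):
                kills[ev.get("ParentImage", "")].append(_when(ev))
        elif eid == 13 and RUN_KEY.search(ev.get("TargetObject", "")):
            hits["run_key_persistence"].append(f'{ev["Image"]} -> {ev["TargetObject"]}')
        elif eid == 8 and USER_WRITABLE.search(ev.get("SourceImage", "")) \
                and _basename(ev["SourceImage"]) != _basename(ev.get("TargetImage", "")):
            hits["remote_thread_from_user_writable_path"].append(
                f'{ev["SourceImage"]} -> {ev["TargetImage"]}')
    for parent, times in kills.items():           # sliding window per parent process
        times.sort()
        for i, t0 in enumerate(times):
            n = sum(1 for t in times[i:] if t - t0 <= KILL_BURST_WINDOW)
            if n >= KILL_BURST_N:
                hits["mass_process_service_termination"].append(
                    f"{parent}: {n} kill commands in {KILL_BURST_WINDOW.seconds}s")
                break
    return dict(hits)

if __name__ == "__main__":
    for rule, evidence in detect(SAMPLE_LOG).items():
        print(f"[{rule}]")
        for item in evidence:
            print("   ", item)
```

Run it directly and it prints one block per rule that fired on the constructed events. Two of the rules are noisy on their own: installers legitimately set Run keys and administrators run vssadmin, so in production they are best correlated with the burst rule, which keys the kill commands on their parent image; a single parent issuing dozens of taskkill and net stop commands within seconds is the distinctive part of the behaviour described above.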