Ryuk is coming
Written by Joseph Poppy on 05/07/2019
How does it spread?
Ryuk often slinks into environments as a hidden bonus to the Emotet or Trickbot banking trojans. Emotet is a veteran in the malware community, having first been detected as far back as 2014, which is positively ancient by technology standards. Whilst originally designed to steal sensitive information, it has increasingly been used as a dropper to sneak in other malware, like a digital smuggler.
Of course, we must never forget the classic phishing email. As we’ve stated more than once, the easiest way to slip unnoticed into your environment is to just ask a member of staff to let us in. They’re often far more willing than you’d suspect. A well-crafted email with a dodgy link or a tainted attachment can undo all your security in an instant. Alternatively, a clever ‘your password is due to expire, please reset it,’ email could provide hackers with the means of logging into your environment to drop some ransomware themselves.
The tell-tale signs
Flippancy aside, if you’re doing some stringent monitoring, you will be able to spot initial signs of Emotet (or another dropper), which can be acted upon before any real damage is done. Network traffic, IoCs and certain rules might indicate the presence of a dropper.
Ryuk and Bulletproof
Bulletproof conducted a forensics investigation on behalf of a customer who had been hit by a ransomware attack. After analysing their log files, we put together a timeline that showed a clear string of interlinked events, a chain of causation if you will, that told us the story of how they had been compromised.
Ryuk and S.W.A.T. Defence®
From the customer’s point of view, they’re now clear on where they went wrong. But this wasn’t enough for us. Our research division, Bulletproof SpecialOps®, is constantly looking for new ways to make sure our managed threat protection can safeguard against all attacks. They saw it as an opportunity to test S.W.A.T. Defence® (our 24/7 threat protection tool).
Next, we saw the dropper land, which also triggered alerts in our research team’s dashboards. Finally, we executed Ryuk, which promptly began eating through the filesystem. Again, this triggered more alerts. The conclusion? S.W.A.T. Defence® would have allowed us to isolate and block this ransomware infection at every stage of the kill chain.
Map your defences against the kill chain
If I had a pound for every time I mentioned the cyber kill chain, I’d have roughly £98.50 (I was once interrupted halfway through saying it). The cyber kill chain is important, and basically outlines the approach hackers take when compromising a business. It consists of seven stages: Reconnaissance, weaponisation, payload, exploitation, installation, command and control, and finally, action.
Threats can come at any time of the day and from anywhere in the world. Recon activity is largely automated, easily available to hackers and is happening continuously. Therefore, a decent monitoring service will be able to discriminate the serious stuff from the lazy botnet herders. That requires dedicated and experienced analysts armed with the latest threat intelligence. Ultimately, running this in-house is out of reach for many organisations. Outsourcing, on the other hand (and I hope you don’t mind if I humbly suggest Bulletproof here), is a best-of-both-worlds approach.