Ryuk is coming

Joseph Poppy Headshot
Joseph Poppy
Security Blogger
05th July 2019

Ransomware death note?

According to Google, Ryuk is ‘a fictional character in the manga series Death Note’. I have no idea what this is, but I imagine it’s significantly less interesting than the Ryuk ransomware campaign that’s currently hitting businesses right across the world.

The UK’s NSCS is investigating such campaigns and has recently published an advisory on it, and we’re no strangers to Ryuk at Bulletproof either. I should clarify that’s because we’ve conducted several forensics investigations and our managed SIEM service blocks ransomware attacks like Ryuk for a variety of customers, not because we keep installing it ourselves. Not even Chaz the intern is that incompetent.

What is Ryuk? How does it work its way into environments? What has the impact been thus far? How can you defend against it? Well, I’m glad you asked...

Ryuk is a strain of ransomware, a piece of malware that encrypts files and demands a monetary sum, usually in the form of Bitcoin.

What is Ryuk?

Ryuk is a strain of ransomware, a piece of malware that encrypts files and demands a monetary sum, usually in the form of Bitcoin, for their restoration. It evolved from a strain of malware called Hermes, which was allegedly used by North Korea in a nation state campaign. Ryuk itself was allegedly (again) mainly used by the hacking group GRIM SPIDER, proving once and for all that hacking groups are terrible at names. This uninviting arachnid would target large organisations and attempt to extort sizable sums from them in the form of Bitcoin.

The prevalence of ransomware became such that as early as 2017, it was common to find companies stockpiling bitcoin for fear of being targets themselves. Hoarding currency in preparation to give in to the demands of hackers is not the sort of security strategy we recommend. The Ryuk strain first made itself known in August 2018 and, over the course of two months, managed to extort over £500,000 in ransom. That is quite a good haul for two months’ work, so it’s no wonder it’s still alive today.

Ryuk also has the interesting ability to delete shadow copies (back up ‘snapshots’) and disable Windows System Restore, taking backups out of the equation. Unless, of course, you backup to secure offline storage.

A Physically locked up hard drive next to a laptop with ransomware
Think of ransomware as your hard drive being locked-up and you don’t have the key.

A scam alert on a desktop email client
Not all phishing emails are as easily detected as this one.

How is Ryuk spread?

Ryuk often slinks into environments as a hidden bonus to the Emotet or Trickbot banking trojans. Emotet is a veteran in the malware community being first detected as far back as 2014, which is positively ancient by technology standards. Whilst originally designed to steal sensitive information, it increasingly became used as a dropper to sneak in other malware, like a digital smuggler.

Of course, we must never forget the classic phishing email. As we’ve stated more than once, the easiest way to slip unnoticed into your environment is to just ask a member of staff to let us in. They’re often far more willing than you’d suspect. A well-crafted email with a dodgy link or a tainted attachment can undo all your security in an instant. Alternatively, a clever ‘your password is due to expire, please reset it,’ email could provide hackers with the means of logging into your environment to drop some ransomware themselves.

A well-crafted email with a dodgy link or a tainted attachment can undo all your security in an instant.

Detecting the ransomware

The most obvious sign that you have been affected by ransomware can be seen in a sudden inability to read any of your files. You may notice files that previously held the extension .docx, for example, suddenly change to .RYK. Another sign will be the helpful ‘RyukReadMe.txt’, which politely informs you that all your files are belong to them, along with the non-negotiable price to have them returned and a BTC wallet address. The worst thing about the file is it will often be littered with spelling and grammar issues.

A text file example of a Ryuk ransom
Laid out like an obscure poem.

Flippancy aside, if you’re doing some stringent monitoring, you will be able to spot some initial activity that suggests Emotet (or other dropper) activity, which can be acted upon before any real damage is done. Network traffic, IoCs and certain rules might indicate the presence of a dropper.

Ryuk and Bulletproof

Bulletproof conducted a forensics investigation on behalf of a customer who had been hit by a ransomware attack. After analysing their log files, we put together a timeline that showed a clear string of interlinked events, a chain of causation if you will, that told us the story of how they had been compromised.

Our forensics timeline showed that a dropper landed on the customer’s environment a full two days before it was executed. The catalyst for this disaster seemed to be a curious user accessing the dropped file. Minutes later, the machine had been totally encrypted with military-grade encryption.

A Forensic timeline of a the ryuk ransomware
Ideally, you want to start reacting at stage one.
Minutes later, the machine had been completely encrypted with military-grade encryption.

Ryuk and Managed SIEM

From the customer’s point of view, they’re now clear on where they went wrong. But this wasn’t enough for us. Our research division, Bulletproof SpecialOps®, is constantly looking for new ways to make sure our managed threat protection can safeguard against all attacks. They saw it as an opportunity to test managed SIEM (our 24/7 threat protection tool).

So, in the interest of science, we fired up a test environment that was configured to be almost identical to the customer’s original environment and re-created the attack timeline. This time, we had managed SIEM running. We slipped in the dropper via a phishing email, as per the original attack, and straight away saw alerts for a suspicious email. This told us that we could’ve stopped the attack dead in its tracks at stage one, before it had even got going. However, we ignored this and let things run their course in this test environment.

The Bulletproof managed SIEM dropper tool in action

Next, we saw the dropper land, which also triggered alerts in our research team’s dashboards. Finally, we executed Ryuk, which promptly began eating through the filesystem. Again, this triggered more alerts. The conclusion? managed SIEM would have allowed us to isolate and block this ransomware infection at every stage of the kill chain.

Mapping defences against the cyber kill chain

If I had a pound for every time I mentioned the cyber kill chain, I’d have roughly £98.50 (I was once interrupted halfway through saying it). The cyber kill chain is important, and basically outlines the approach hackers take when compromising a business. It consists of seven stages: Reconnaissance, weaponisation, payload, exploitation, installation, command and control, and finally, action.

In the context of Ryuk, GRIM SPIDER would start by conducting some recon. They’d research their target, probe their environment for weaknesses, find out what they can about staff and suppliers (for phishing purposes) etc. Then they’d move onto weaponisation and put together their malware packages. The payload is where they drop the malware, whereas exploitation will be where they take advantage of some weakness found during reconnaissance. The rest is fairly self-explanatory.

An example of the cyber kill chain
In order to defend effectively against these sorts of attacks, you need to map your security strategy against the kill chain.

Defending against Ryuk

In order to defend effectively against these sorts of attacks, you need to map your security strategy against the kill chain. This means being able to spot activity at each stage, from recon to action (although if you let it get that far, you’re talking more remediation than defence). The only real way to do this is to have some 24/7 managed SIEM monitoring – ideally with proactive threat hunting. Even something as elementary as daily log reviews could’ve helped here, thanks to the two-day dwell time between drop and infection.

However, avoiding the hard sell, constant monitoring really is the key to a robust cyber defence. In the case of our customer, had they been regularly checking their logs, they’d have been able to see the dropper landing on their environment. They’d have been able to isolate this and remove it and potentially even see how it got on there and patch up that weakness. If that weakness is a staff member, they can tut disapprovingly, and invest in security awareness training.

An employee working in front of monitoring screens
A Bulletproof employee in the wild, proactively hunting threats.

A secuity officer making a phone call from a security centre
“I’m seeing malware in sector four. Let’s get that stopped."

Protecting your security

Threats can come at any time of the day and from anywhere in the world. Recon activity is largely automated, easily available to hackers and is happening continuously. Therefore, a decent monitoring service will be able to discriminate the serious stuff from the lazy botnet herders. That requires dedicated and experienced analysts armed with the latest threat intelligence. Ultimately, running this in-house is out-of-reach for many organisations. Outsourcing on the other hand, and I hope you don’t mind if I humbly suggest Bulletproof here, is a best-of-both-worlds approach.

Joseph Poppy Headshot

Meet the author

Joseph Poppy Security Blogger

Joseph is a Communications Executive and Security Blogger who has contributed articles covering a range of topics including staying ahead of cyber threats.

10 Steps to Cyber Security

Find out how to secure your business in 10 steps with our free best practice infographic.

Download now

Related resources

Trusted cyber security & compliance services from a certified provider

Get a quote today

If you are interested in our services, get a free, no obligation quote today by filling out the form below.

(1,500 characters limit)

For more information about how we collect, process and retain your personal data, please see our privacy policy.