Alert - Ryuk Ransomware Campaign

Number: AL19-202
Date: 04 October 2019


PURPOSE

An Alert is used to raise awareness of a recently identified cyber threat that may impact cyber information assets, and to provide additional detection and mitigation advice to recipients.  The Canadian Centre for Cyber Security ("Cyber Centre") is also available to provide additional assistance regarding the content of this Alert to recipients as requested.

Overview

The Cyber Centre is aware of multiple recently reported, high profile instances of the Ryuk ransomware affecting multiple entities, including municipal governments and public health and safety organizations in Canada and abroad. These compromises are assessed to be part of a larger, international campaign by the operators of Ryuk ransomware which may target additional sectors.

The Cyber Centre has assessed that the Ryuk ransomware is the final step in a possible three-stage process against of victim networks by an organized and prolific actor or group of actors. The deployment of the Ryuk ransomware appears to come after the victim has been compromised first by Emotet and Trickbot.

Assessment

An important element of the Ryuk ransomware campaign, and a factor that differentiates itself from other ransomware seen recently, is that Ryuk is not directly compromising the affected systems. Ryuk relies on an initial infection by the Emotet malware, followed by a secondary deployment of Trickbot malware. This three-stage pattern of activity allows the actor to move laterally and infiltrate the entire victim network, determine the value of the data to the system owner and to set a ransom value accordingly. The use of Emotet and Trickbot, which were both originally designed to steal financial information and harvest credentials, suggests that the entity behind the compromise may also exfiltrate information they find valuable before deploying the Ryuk ransomware. The Cyber Centre has seen no direct evidence of data exfiltration occurring, although it is aware of reports that compromises similar to the current Ryuk campaign have been used for data theft.

Media reporting indicates that, in some cases, there have been no ransom demands and therefore it is possible that the ransomware was deployed for the purpose of removing access to information rather than obtaining a payment. The Cyber Centre cannot verify this information and currently assesses that these compromises may be failed infections where the ransom note was not properly placed on the system.

Infection

The primary compromise vectors for the current Ryuk ransomware campaign are through malware spam containing malicious links or attachments. Exposed Remote Desktop Services (RDS), accessed using stolen or otherwise compromised credentials, may be an additional vector.

Upon the initial successful compromise, the Emotet Trojan is downloaded and installed on the infected system. This trojan was originally designed as a banking malware, but later versions of this malware saw the addition of spamming and malware delivery services. Emotet uses functionality that helps the software evade detection by anti-malware products and uses worm-like capabilities to move laterally and infect other connected computers and new areas of the network. Emotet may remain on an infected system for some time as the actor controlling the malware gains more access to the target network.

Following the use of Emotet to establish a foothold and maintain persistence on the victim network, Trickbot malware is downloaded and distributed to the compromised systems. Trickbot’s capabilities include harvesting emails and credentials using the Mimikatz tool, using the Eternal Blue exploit to move laterally across the network and using the PowerShell Empire modules for post exploitation.  These capabilities allow Trickbot to map out the network and give the malicious actor a better understanding of the target, including the value of the data.  This malware may also remain on an infected system for some time, usually until the actor is ready to deploy the final portion.

Finally, the Ryuk ransomware is downloaded and launched against strategically important systems in order to maximize interruptions.  The malware’s installer will attempt to stop anti-malware software and will install the appropriate version of Ryuk depending on a target system’s architecture.  The ransomware does not have the ability to move laterally within a network, but it can enumerate network shares and encrypt files across those it can access. Additionally, the ransomware will attempt to manipulate the volume shadow copies and delete backups to further cause disruption and to hinder attempts at restoring data without paying the ransom. At this stage, Ryuk will encrypt all non-executable files and place a ransom note on the encrypted systems.

Command and Control

The malware strains for Emotet and Trickbot communicate to the entity controlling the malware through command and control (C2) servers, but Ryuk itself shows no evidence of using C2 servers: once deployed it does not communicate further. The Ryuk ransomware appears to be tailored to each victim, even if modifications to the ransomware are minor. For this reason, hash values for known Ryuk infections will likely not be useful for detecting additional infections.

Detection

It is important to note that the presence of Emotet and/or Trickbot do not necessarily imply that a system is also infected with Ryuk, but the presence of either of these two (Emotet, Trickbot) should merit a search for Ryuk indicators.  Additionally, simply removing the Ryuk infection may not be enough to ensure that the infection chain is still not on a target system.  If Ryuk is detected, system owners should search for Emotet and Trickbot malware as well. These may be discovered on networked systems that were not initially affected by the ransomware.

Suggested Action

The Cyber Centre recommends that all system owners apply the latest security patches and operating system updates for computers and equipment on their systems immediately, maintain the latest anti-virus signatures and that system users are reminded to be vigilant when following unsolicited links and opening unexpected document attachments in emails, even if they come from known contacts. The Cyber Centre further recommends that all system owners consider the following mitigations and enact those that apply to their networks and systems. These mitigations will make infection more difficult but may not eliminate the risk completely. 

  • Disable Remote Desktop Services if not required. If required, closely monitor network traffic and the logs of any vulnerable systems for suspicious activity.
  • Block TCP port 3389 on the firewall, if possible. This will prevent unauthorized access from the Internet.
  • Scan all incoming and outgoing e-mails to detect threats and prevent executable files from reaching the end users.
  • Don’t open links or attachments in emails from untrusted or unknown sources. Inspect the sender address carefully as the address text may differ from the real address.
  • Implement architectural controls for network segregation.
  • Whitelist applications to prevent unauthorized applications from running.
  • Use anti-virus protection and ensure that it is diligently kept up to date.
  • Minimize the number of users with administrative privileges and ensure users do not have privileges to install software on their devices without the authorization of an administrator.
  • Execute daily backups of all critical systems, maintain offline and offsite copies of backup media and periodically execute a practice data restoration from backups, including key databases to ensure integrity of existing backups and processes.
  • Disable macros for documents received via email.
  • Follow the Government of Canada’s guidance to stay CyberSafe
    https://www.getcybersafe.gc.ca/index-en.aspx).


REFERENCES

US-CERT EMOTET Alert:
https://www.us-cert.gov/ncas/alerts/TA18-201A

US-MSISAC Security Primer – TrickBot:
https://www.cisecurity.org/white-papers/security-primer-trickbot/

UK-NCSC Ryuk ransomware targeting organisations globally:
https://www.ncsc.gov.uk/news/ryuk-advisory


NOTE TO READERS

The Canadian Centre for Cyber Security (Cyber Centre) operates as part of the Communications Security Establishment. We are Canada's national authority on cyber security and we lead the government's response to cyber security events. As Canada's national computer security incident response team, the Cyber Centre works in close collaboration with government departments, critical infrastructure, Canadian businesses and international partners to prepare for, respond to, mitigate, and recover from cyber events. We do this by providing authoritative advice and support, and coordinating information sharing and incident response. The Cyber Centre is outward-facing, welcoming partnerships that help build a stronger, more resilient cyber space in Canada.

Date modified: