Alert - Ryuk Ransomware Campaign

Number: AL19-202
Date: 04 October 2019


PURPOSE

An Alert is used to raise awareness of a recently identified cyber threat that may impact cyber information assets, and to provide additional detection and mitigation advice to recipients. The Canadian Centre for Cyber Security ("Cyber Centre") is also available to provide additional assistance regarding the content of this Alert to recipients as requested.

Overview

The Cyber Centre is aware of multiple recently reported, high-profile instances of the Ryuk ransomware affecting multiple entities, including municipal governments and public health and safety organizations in Canada and abroad. These compromises are assessed to be part of a larger, international campaign by the operators of Ryuk ransomware, which may target additional sectors.

The Cyber Centre has assessed that the Ryuk ransomware is the final step in a possible three-stage process against victim networks by an organized and prolific actor or group of actors. The deployment of the Ryuk ransomware appears to come after the victim has first been compromised by Emotet and Trickbot.

Assessment

An important element of the Ryuk ransomware campaign, and a factor that differentiates it from other ransomware seen recently, is that Ryuk is not directly compromising the affected systems. Ryuk relies on an initial infection by the Emotet malware, followed by a secondary deployment of Trickbot malware. This three-stage pattern of activity allows the actor to move laterally and infiltrate the entire victim network, determine the value of the data to the system owner and set a ransom value accordingly. The use of Emotet and Trickbot, which were both originally designed to steal financial information and harvest credentials, suggests that the entity behind the compromise may also exfiltrate information they find valuable before deploying the Ryuk ransomware. The Cyber Centre has seen no direct evidence of data exfiltration occurring, although it is aware of reports that compromises similar to the current Ryuk campaign have been used for data theft.

Media reporting indicates that, in some cases, there have been no ransom demands and therefore it is possible that the ransomware was deployed for the purpose of removing access to information rather than obtaining a payment. The Cyber Centre cannot verify this information and currently assesses that these compromises may be failed infections where the ransom note was not properly placed on the system.

Infection

The primary compromise vectors for the current Ryuk ransomware campaign are through malware spam containing malicious links or attachments. Exposed Remote Desktop Services (RDS), accessed using stolen or otherwise compromised credentials, may be an additional vector.

Upon the initial successful compromise, the Emotet Trojan is downloaded and installed on the infected system. This Trojan was originally designed as banking malware, but later versions added spamming and malware delivery services. Emotet uses functionality that helps the software evade detection by anti-malware products and uses worm-like capabilities to move laterally and infect other connected computers and new areas of the network. Emotet may remain on an infected system for some time as the actor controlling the malware gains more access to the target network.

Following the use of Emotet to establish a foothold and maintain persistence on the victim network, Trickbot malware is downloaded and distributed to the compromised systems. Trickbot’s capabilities include harvesting emails and credentials using the Mimikatz tool, using the Eternal Blue exploit to move laterally across the network and using the PowerShell Empire modules for post-exploitation. These capabilities allow Trickbot to map out the network and give the malicious actor a better understanding of the target, including the value of the data. This malware may also remain on an infected system for some time, usually until the actor is ready to deploy the final portion.

Finally, the Ryuk ransomware is downloaded and launched against strategically important systems in order to maximize interruptions. The malware’s installer will attempt to stop anti-malware software and will install the appropriate version of Ryuk depending on a target system’s architecture. The ransomware does not have the ability to move laterally within a network, but it can enumerate network shares and encrypt files across those it can access. Additionally, the ransomware will attempt to manipulate the volume shadow copies and delete backups to further cause disruption and to hinder attempts at restoring data without paying the ransom. At this stage, Ryuk will encrypt all non-executable files and place a ransom note on the encrypted systems.

Command and Control

The malware strains for Emotet and Trickbot communicate to the entity controlling the malware through command and control (C2) servers, but Ryuk itself shows no evidence of using C2 servers: once deployed it does not communicate further. The Ryuk ransomware appears to be tailored to each victim, even if modifications to the ransomware are minor. For this reason, hash values for known Ryuk infections will likely not be useful for detecting additional infections.

Detection

It is important to note that the presence of Emotet and/or Trickbot does not necessarily imply that a system is also infected with Ryuk, but the presence of either of these two (Emotet, Trickbot) should merit a search for Ryuk indicators. Additionally, simply removing the Ryuk infection may not be enough to ensure that the rest of the infection chain is no longer on a target system. If Ryuk is detected, system owners should search for Emotet and Trickbot malware as well. These may be discovered on networked systems that were not initially affected by the ransomware.
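The following is an added example, not part of the Alert, that turns the Ryuk-stage behaviours described under Infection (shadow-copy and backup deletion, share enumeration) and the Detection rule above (Ryuk on one host means hunting Emotet and Trickbot on every networked host) into a small triage script. The log format, host names and command-line patterns are assumptions for illustration; the Alert names the behaviours, not the specific tools.

```python
import re
from collections import defaultdict

# Constructed sample in a hypothetical "host | parent | image | command line"
# log format; the host names and commands are invented for this example.
SAMPLE_LOG = """\
host01 | explorer.exe | winword.exe | winword.exe /n invoice.doc
host01 | cmd.exe | vssadmin.exe | vssadmin.exe Delete Shadows /All /Quiet
host01 | cmd.exe | wbadmin.exe | wbadmin delete catalog -quiet
host02 | cmd.exe | net.exe | net view \\\\host03
host03 | svchost.exe | taskhostw.exe | taskhostw.exe
"""

# Assumed command-line patterns for behaviours the Alert attributes to the Ryuk
# stage. Share enumeration is routine admin activity too, hence its low weight.
BEHAVIOURS = {
    "shadow_copy_deletion": (re.compile(r"vssadmin\S*\s+delete\s+shadows", re.I), 3),
    "backup_catalog_deletion": (re.compile(r"wbadmin\S*\s+delete\s+catalog", re.I), 3),
    "share_enumeration": (re.compile(r"\bnet\S*\s+view\b", re.I), 1),
}
ALERT_THRESHOLD = 3  # one high-weight behaviour is enough to suspect Ryuk


def parse_log(text):
    """Return a list of (host, cmdline) pairs; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if line.strip():
            host, _parent, _image, cmdline = (f.strip() for f in line.split("|", 3))
            events.append((host, cmdline))
    return events


def score_hosts(events):
    """Map each host to the set of matched behaviours and their summed weight."""
    hosts = defaultdict(lambda: {"behaviours": set(), "score": 0})
    for host, cmdline in events:
        for name, (pattern, weight) in BEHAVIOURS.items():
            if pattern.search(cmdline) and name not in hosts[host]["behaviours"]:
                hosts[host]["behaviours"].add(name)
                hosts[host]["score"] += weight
    return dict(hosts)


def triage(text):
    """Alert rule: Ryuk on any host means Emotet and Trickbot must be hunted
    on every networked host, not only the one that was encrypted."""
    events = parse_log(text)
    scores = score_hosts(events)
    ryuk_suspects = sorted(h for h, s in scores.items() if s["score"] >= ALERT_THRESHOLD)
    hunt_scope = sorted({h for h, _ in events}) if ryuk_suspects else []
    return {"ryuk_suspects": ryuk_suspects, "hunt_emotet_trickbot_on": hunt_scope}
```

Running `triage(SAMPLE_LOG)` flags host01 (two high-weight behaviours) and expands the Emotet/Trickbot hunt to all three hosts, while host02's lone share enumeration stays below the threshold.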

Suggested Action

The Cyber Centre recommends that all system owners apply the latest security patches and operating system updates for computers and equipment on their systems immediately, maintain the latest anti-virus signatures and that system users are reminded to be vigilant when following unsolicited links and opening unexpected document attachments in emails, even if they come from known contacts. The Cyber Centre further recommends that all system owners consider the following mitigations and enact those that apply to their networks and systems. These mitigations will make infection more difficult but may not eliminate the risk completely.

  • Disable Remote Desktop Services if not required. If required, closely monitor network traffic and the logs of any vulnerable systems for suspicious activity.
  • Block TCP port 3389 on the firewall, if possible. This will prevent unauthorized access from the Internet.
  • Scan all incoming and outgoing e-mails to detect threats and prevent executable files from reaching the end users.
  • Don’t open links or attachments in emails from untrusted or unknown sources. Inspect the sender address carefully as the address text may differ from the real address.
  • Implement architectural controls for network segregation.
  • Whitelist applications to prevent unauthorized applications from running.
  • Use anti-virus protection and ensure that it is diligently kept up to date.
  • Minimize the number of users with administrative privileges and ensure users do not have privileges to install software on their devices without the authorization of an administrator.
  • Execute daily backups of all critical systems, maintain offline and offsite copies of backup media and periodically execute a practice data restoration from backups, including key databases to ensure integrity of existing backups and processes.
  • Disable macros for documents received via email.
  • Follow the Government of Canada’s guidance to stay CyberSafe
    (https://www.getcybersafe.gc.ca/index-en.aspx).


REFERENCES

US-CERT EMOTET Alert:
https://www.us-cert.gov/ncas/alerts/TA18-201A

US-MSISAC Security Primer – TrickBot:
https://www.cisecurity.org/white-papers/security-primer-trickbot/

UK-NCSC Ryuk ransomware targeting organisations globally:
https://www.ncsc.gov.uk/news/ryuk-advisory


NOTE TO READERS

The Canadian Centre for Cyber Security (Cyber Centre) operates as part of the Communications Security Establishment. We are Canada's national authority on cyber security and we lead the government's response to cyber security events. As Canada's national computer security incident response team, the Cyber Centre works in close collaboration with government departments, critical infrastructure, Canadian businesses and international partners to prepare for, respond to, mitigate, and recover from cyber events. We do this by providing authoritative advice and support, and coordinating information sharing and incident response. The Cyber Centre is outward-facing, welcoming partnerships that help build a stronger, more resilient cyber space in Canada.