Arrival
Ryuk ransomware is typically delivered by human-operated ransomware campaigns. Some of these attacks also leverage existing infections of Trickbot or Emotet malware. Campaign operators have been observed to deploy this ransomware as an email attachment or try to exploit vulnerabilities in web browsers and other services exposed to the internet. Once in the network, campaign operators steal credentials, move laterally to other devices, and obtain privileged credentials before installing this ransomware on multiple target devices.
Initial execution
When launched, this ransomware checks for the following conditions:
- Whether the device is located in Russia, by enumerating the following registry key:
  - Subkey: HKLM\SYSTEM\CurrentControlSet\Control\Nls\Language\InstallLanguage
  - Value: Language
  - Data: InstallLanguage
- If the following are not user names:
- Whether the firewall allows the following subnet addresses:
  - 10.30.4
  - 10.30.5
  - 10.30.6
  - 10.31.32
If any of these checks fail, this ransomware exits without infecting the device. The ransomware carries separate payloads for 32-bit and 64-bit environments. It then decrypts its internal strings and resolves the APIs it needs to carry out its malicious activities. When executed, it also uses the Microsoft AES Cryptographic Provider to import a hard-coded public key, which it uses to generate pseudo-random encryption keys for the files on the device.
Deletes backups and shadow copies
After identifying files to encrypt, this ransomware deletes backups and shadow copies of files and system volumes to prevent recovery of encrypted files. It uses the following commands to delete shadow copies:
- vssadmin resize shadowstorage
- vssadmin Delete Shadows /all /quiet
This ransomware deletes all the files with the following extensions:
Stops processes and services
This ransomware stops various processes and services so that they don't hold locks on the files targeted for encryption. It enumerates and stops the following services running on the device:
Acronis VSS Provider, AcrSch2Svc, AcronisAgent, Antivirus, BackupExecAgentAccelerator, BackupExecDeviceMediaService, BackupExecManagementService, BackupExecRPCService, BackupExecVSSProvider, DCAgent, EPSecurityService, EraserSvc11710, FA_Scheduler, IISAdmin, IMAP4Svc, klnagent, KAVFSGT, mfefire, msftesql$PROD, MSSQL$SOPHOS, MSSQLSERVER, MSSQL$VEEAMSQL2012, NetMsmqActivator, Smcinst, Sophos MCS Agent, Sophos Device Control Service, Sophos AutoUpdate Service, SQLAgent$VEEAMSQL2012, Symantec System Recovery, ReportServer$SQL_2008, RESvc, TmCCSF, TrueKeyServiceHelper, UI0Detect, VeeamMountSvc, VeeamEnterpriseManagerSvc, VeeamTransportSvc, W3Svc, wbengine, Zoolz 2 Service
It also terminates the following processes:
agntsvc, CNTAoSMgr, dbeng50, dbsnmp, encsvc, Excel, firefoxconfig, infopath.exe, isqlplussvc, mbamtray, mspub, msaccess, msftesql, mspub, mydesktopqos, mydesktopservice, mysqld, mysqld-nt, mysqld-opt, Ntrtscan, ocautoupds, ocomm, ocssd, onenote, oracle, outlook, PccNTMon, powerpnt, sqbcoreservice, sqlagent, sqlbrowser, sqlservr, sqlwriter, steam, synctime, tbirdconfig, thebat, thebat64, tmlisten, thunderbird, visio, winword, wordpad, xfssvccon, zoolz
Establishes persistence
To maintain persistence on the target device, this ransomware modifies the following registry entry so it can continue its activities even after the device shuts down or restarts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
name = "svchos", type = "REG_SZ", data = "<path to malware file location>"
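The shadow-copy deletion commands and the "svchos" Run-key entry described above are both cheap to hunt for in telemetry. The following detection logic is an added example, not code from the original analysis; the process-creation events, the Run-key snapshot and the file paths in them are constructed sample data, and the extra vssadmin arguments are assumed for realism.

```python
import re

# Constructed sample process-creation events (not from the analysis above),
# shaped like a simplified EDR/Sysmon Event ID 1 feed: one dict per process start.
SAMPLE_EVENTS = [
    {"host": "ws01", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin Delete Shadows /all /quiet"},
    {"host": "ws01", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB"},
    {"host": "ws02", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},          # benign admin query, must not fire
    {"host": "ws03", "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
]

# Constructed snapshot of HKCU\Software\Microsoft\Windows\CurrentVersion\Run
# (value name -> data); the "svchos" name is the one the analysis reports,
# the path next to it is a placeholder for the malware file location.
SAMPLE_RUN_KEY = {
    "OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    "svchos": r"C:\Users\alice\AppData\Local\Temp\update.exe",
}

# Both vssadmin usages reported above: deleting every shadow outright, and
# resizing shadow storage so that existing snapshots are discarded.
SHADOW_TAMPER = re.compile(r"\b(delete\s+shadows|resize\s+shadowstorage)\b", re.IGNORECASE)


def shadow_copy_tampering(events):
    """Return (host, cmdline) for vssadmin runs that delete or squeeze shadow copies."""
    hits = []
    for ev in events:
        if not ev["image"].lower().endswith("\\vssadmin.exe"):
            continue  # only the vssadmin binary is of interest here
        if SHADOW_TAMPER.search(ev["cmdline"]):
            hits.append((ev["host"], ev["cmdline"]))
    return hits


def ryuk_run_key_entries(run_values):
    """Return Run-key value names matching the 'svchos' persistence entry."""
    return [name for name in run_values if name.lower() == "svchos"]


if __name__ == "__main__":
    for host, cmd in shadow_copy_tampering(SAMPLE_EVENTS):
        print(f"[shadow-copy tampering] {host}: {cmd}")
    for name in ryuk_run_key_entries(SAMPLE_RUN_KEY):
        print(f"[persistence] Run value {name!r} -> {SAMPLE_RUN_KEY[name]}")
```

On a real feed, both functions would be fed from the EDR's process-creation stream and a periodic Run-key collection rather than the inline samples.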
Encrypts files
Ryuk encrypts files using the AES and RSA algorithms.
Displays ransom note
After encrypting the files, this ransomware drops a ransom note named RyukReadMe.txt on the desktop.
Sample used in this analysis
This ransomware has multiple variants that exhibit varying behaviors. This analysis is based on the following samples:
- d663562d90061e0cc93253a508d1595a2cae1e17b9826aae7b5a2be66424df90 (SHA-256)
- 23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2 (SHA-256)