What is Ryuk Ransomware? (How it Spreads, How to Detect)


Ryuk, pronounced "ree-yook", is a ransomware family that first surfaced in mid-to-late 2018. One early, widely reported incident, in late December 2018, hit a Los Angeles printing plant shared by the New York Times and the Wall Street Journal, disrupting distribution of the Saturday editions of both papers.

  • Ryuk starts by stopping 180 services and 40 processes when it infects a system. It targets these either because they could interfere with its operation (security and backup software) or because they hold open handles on files it wants to encrypt (databases, mail servers); stopping them first lets it encrypt those files.

  • Encryption can then begin. Ryuk uses AES-256 to encrypt files, including images, videos, databases, and documents, in short, everything you care about.

  • The symmetric AES keys are then encrypted with an asymmetric RSA-4096 key, so they cannot be recovered without the attacker's private key. Ryuk can also encrypt files over the network, including on administrative shares, and can send Wake-on-LAN packets to wake sleeping machines so that their files can be encrypted as well. These capabilities extend the reach of the encryption and the damage it can do.

How Does Ryuk Ransomware Spread?

Ryuk is distributed in a targeted way, with each deployment often using tactics tailored to the victim. Where most ransomware campaigns cast a wide net and try to infect a large number of people and organisations in the hope that some fraction will succeed, Ryuk deployments are adapted to the specific network the attackers are trying to penetrate.

One of the following initial access vectors is used to deliver Ryuk −

  • Direct connection to an exposed, poorly protected RDP port

  • Phishing emails used to obtain remote access

  • Malicious email attachments and downloads used to gain a foothold on the network

Ryuk is commonly delivered by the Emotet or TrickBot loaders. These loaders give the attackers a foothold, let them move through the network, and let them locate and reach the organisation's most valuable assets before Ryuk is deployed. Ryuk concentrates on the files that matter most, which also makes the activity harder to spot. To prevent the infected system from recovering, Ryuk drops a ".BAT" script that deletes Windows Volume Shadow Copy Service (VSS) shadow copies and backup files before the encryption procedure starts.

Ryuk also tries to terminate processes belonging to security and backup software, including Sophos and Symantec System Recovery processes. For encryption, Ryuk generates an AES key for each of the victim's files and then encrypts those AES keys with an RSA public key, so the file keys cannot be recovered without the matching private key.

Ryuk enumerates and encrypts every drive and network share reachable from the system, then writes a text file named "RyukReadMe.txt" into every folder. This file holds the ransom note.

How to Detect Ryuk Ransomware?

Even well-prepared organisations can be devastated by a Ryuk outbreak. Even if data can be restored from backups or a decryptor can be obtained, unplanned downtime still costs money, since many endpoints may be left in an unstable state and need a full rebuild before they can return to service.

  • The best protection is a detection strategy, with some degree of automation, that stops malware immediately and prevents it from spreading to critical infrastructure.

  • For MSPs and their clients alike, it is critical to have ransomware detection and mitigation in place. Some backup systems include ransomware detection, which can limit the impact of an attack.

  • If an attack is detected early enough, affected systems can be isolated and recovered quickly, avoiding paying the attacker for decryption.

To detect Ryuk, security personnel should keep an eye out for the following indicators −

  • New or statistically rare binaries establishing persistence through Registry Run keys. In several samples Ryuk uses Microsoft's Console Registry Tool (reg.exe) to create a Run key value named "svchos" pointing at its own executable.

  • Security services being changed. In particular, Ryuk uses the Net command (net.exe) to stop the Security Account Manager service (samss).

  • Binaries running from the public user profile (for example, C:\Users\Public).

  • Microsoft's Discretionary Access Control List tool (icacls.exe) granting excessive permissions (for example, full control to Everyone) on the root of network drives.

  • Shadow copies being deleted with the Volume Shadow Copy Service administration utility (vssadmin.exe) or the Windows Management Instrumentation command-line interpreter (wmic.exe).
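The indicators above, and the shadow-copy deletion described in the spreading section, can be turned into a simple hunt over process-creation telemetry. The following is an added example, not Ryuk's code and not any vendor's detection content: it runs the five checks over a handful of constructed process-creation records (fields modelled on Sysmon Event ID 1 / Windows 4688: image path, command line, user) and raises an alert only when several distinct indicators land on the same host, since any single one (an admin running vssadmin, for instance) can be legitimate. The event layout, the sample command lines and the threshold of three are assumptions for the illustration.

```python
"""Hunt for Ryuk-style precursor activity in process-creation events.

Added example, not Ryuk's code or any vendor's detection logic. It checks
constructed process-creation records against the five indicators listed
above: Run-key persistence via reg.exe, 'net stop samss', binaries running
from the public user profile, icacls granting Everyone full control, and
shadow-copy deletion via vssadmin.exe or wmic.exe.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    image: str          # full path of the created process (Sysmon Image / 4688 NewProcessName)
    command_line: str   # full command line as logged
    user: str           # account the process ran as


# Each rule: (indicator name, regex on the image basename, regex on the command line).
# Matching is case-insensitive because Windows paths and switches are.
RULES = [
    ("run_key_persistence", r"reg\.exe$", r"\badd\b.*\\CurrentVersion\\Run\b"),
    ("samss_service_stop", r"net1?\.exe$", r"\bstop\s+samss\b"),
    ("icacls_everyone_full", r"icacls\.exe$", r"/grant\s+Everyone:F\b"),
    ("shadow_copy_deletion_vssadmin", r"vssadmin\.exe$",
     r"\bdelete\s+shadows\b|\bresize\s+shadowstorage\b"),
    ("shadow_copy_deletion_wmic", r"wmic\.exe$", r"\bshadowcopy\b.*\bdelete\b"),
]

# Any executable launched from <drive>:\Users\Public\... is suspicious on its own.
PUBLIC_PROFILE = re.compile(r"^[a-z]:\\users\\public\\", re.IGNORECASE)


def classify(event):
    """Return the list of indicator names that a single event triggers (empty if none)."""
    hits = []
    if PUBLIC_PROFILE.match(event.image):
        hits.append("binary_in_public_profile")
    for name, image_re, cmd_re in RULES:
        if (re.search(image_re, event.image, re.IGNORECASE)
                and re.search(cmd_re, event.command_line, re.IGNORECASE)):
            hits.append(name)
    return hits


def hunt(events, threshold=3):
    """Aggregate distinct indicators across one host's events.

    Returns (indicators, alert) where indicators maps each indicator name to
    the first command line that triggered it, and alert is True once at least
    `threshold` distinct indicators have been seen. The threshold (assumed
    here) keeps a lone admin command from paging anyone.
    """
    found = {}
    for ev in events:
        for name in classify(ev):
            found.setdefault(name, ev.command_line)
    return found, len(found) >= threshold


# Constructed sample telemetry for one host: six Ryuk-like events plus two benign ones.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\reg.exe",
              r'reg ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "svchos" /t REG_SZ /d "C:\users\Public\finance.exe" /f',
              r"CORP\jdoe"),
    ProcEvent(r"C:\Windows\System32\net.exe", "net stop samss /y", r"CORP\jdoe"),
    ProcEvent(r"C:\Users\Public\finance.exe", r"C:\Users\Public\finance.exe", r"CORP\jdoe"),
    ProcEvent(r"C:\Windows\System32\icacls.exe", r'icacls "Z:\*" /grant Everyone:F /T /C /Q', r"CORP\jdoe"),
    ProcEvent(r"C:\Windows\System32\vssadmin.exe", "vssadmin Delete Shadows /all /quiet", r"NT AUTHORITY\SYSTEM"),
    ProcEvent(r"C:\Windows\System32\wbem\wmic.exe", "wmic shadowcopy delete", r"NT AUTHORITY\SYSTEM"),
    # benign noise that must not fire
    ProcEvent(r"C:\Windows\System32\net.exe", r"net use Z: \\fileserver\share", r"CORP\jdoe"),
    ProcEvent(r"C:\Windows\System32\reg.exe", r"reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion", r"CORP\jdoe"),
]


if __name__ == "__main__":
    indicators, alert = hunt(SAMPLE_EVENTS)
    for name, cmd in indicators.items():
        print(f"{name:32} <- {cmd}")
    print("ALERT" if alert else "no alert", f"({len(indicators)} distinct indicators)")
```

In a real deployment the events would come from a SIEM query rather than an inline list, and the Run-key rule is worth pairing with a check that the value's data points into a user-writable location such as the public profile, which is exactly the combination the first indicator describes.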

Updated on: 09-Jun-2022
