Defending Against Malware with EPM: Ryuk, Emotet, TrickBot

What is RYUK – Why is it new?

Ryuk is a type of ransomware, encrypting all data on an infected system, rendering it inaccessible until a ransom is paid. First reported in 2018, it is particularly (in)famous for targeting large enterprise environments.

Disassembly of the malware has proven that Ryuk derives from another type of ransomware called Hermes, which is known to be publicly available on the deep web in source code format and is even still maintained to this day. The authors of Ryuk deviate the target to large, public-entity organizations, as opposed to the existing Hermes derivatives detected as of today.

Ryuk itself is also under constant development; in recent months there have been many reports of different samples of the same family of malware. As more samples were retrieved, more functionalities were presumably added to the different binaries. Among such functionalities are anti-analysis mechanisms, virtualization detection, and different ping-like requests at different stages of the infection.

How does Ryuk malware work?

Identifying Ryuk’s infection vectors has always been difficult as the ransomware will typically delete all evidence of its dropper as part of its routine. Over time, many reports have shown evidence that it can be dropped by other malware such as Emotet or TrickBot. However, other vulnerabilities or weak points in enterprise systems cannot be ruled out as potential infection points.

In the case of the bigger “triple threat” attack methodology involving Emotet and TrickBot, the first step starts with a phishing email. This seemingly innocuous email contains an attached Microsoft Office document file with malicious macro code inside (a very common infection technique). This malicious code will attempt to download and run Emotet using a single PowerShell command, without the use of script files. Thus the Ryuk infection and encryption process begins.

But what is Emotet?

Emotet itself is a trojan, which was first reported to function as a banking credentials collector from infected hosts. Over the years it’s been active, however, it has been updated to also act as a loader. In this case, it is used by the authors to download an additional payload after successfully gaining access to a system. This payload is where TrickBot comes into action.

How are TrickBot and Ryuk connected?

TrickBot started off as a trojan too, designed to steal banking details and other credentials, but the authors have extended its capabilities to create a complete modular framework, providing other malwares access to the infected system. In this case, once the victim system is infected, TrickBot will collect information and provide it to the authors so they can check if the system comes from the sector that they are targeting and decide whether to continue or not.

Then (possibly using yet another payload), it will use the information taken earlier to perform lateral movement with admin credentials and with a list of reachable addresses to access other systems in the same network. After a successful connection to a server (possibly a domain controller), the Ryuk payload is copied to the Windows administrative shares (Admin$, C$, etc.), along with some other legitimate tools, like PsExec. From here, the authors spread and run Ryuk wherever possible to individual hosts.

Image Source: Cybereason

The objective of an Endpoint Privilege Management solution such as WALLIX BestSafe is to apply the Principle of Least Privilege to stop the infection in the earliest phases. That is, implementing solutions and processes which effectively prevent Emotet – or any other malware – from carrying out their necessary steps and blocking any potential infection.

Ryuk Ransomware Explained

Ryuk consists of two main payloads; one is a dropper, and the other is the executable itself. The dropper is difficult to find because the executable makes sure that it is erased upon execution.

When run, the dropper checks the Windows version and whether it is 32 or 64 bit. Then, it constructs a common folder path. If it is Windows XP or Windows Server 2003, it drops the Ryuk executable at “C:\Documents and Settings\Default User\”, and if it’s Windows Vista or greater, it drops it at “C:\users\Public\”. Then, the newly written executable is run, and the dropper is deleted.

The dropper has also been known to stop multiple antimalware product services, and processes related to them, furthering its cause to exploit systems undetected.

The executable part of Ryuk uses the key “HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run” to achieve persistence. The executable creates a new value under the name “svchos”, thus running the Ryuk executable ever time the current user logs on.

Ryuk does not perform encryption within its own process memory space, but rather uses a currently running process that is already trusted by the system to avoid detection. To do so, Ryuk first needs to adjust its process token privileges to enable the “SeDebugPrivilege” specifically, which according to Microsoft is “required to debug and adjust the memory of a process owned by another account. With this privilege, the user can attach a debugger to any process or to the kernel.”

To perform such an action, the process needs to have the privilege in its token beforehand. This privilege is only granted to administrator users, meaning that if the user running the Ryuk were not an administrator, Ryuk would fail to enable this privilege and all subsequent operations would fail.

Before injecting into an existing process, Ryuk enumerates all processes that are running on the system. Then, it will inject into a single process, as long as it is not named “csrss.exe”, “lsaas.exe”, “explorer.exe”, or is running under NT_AUTHORITY system account.

To do so, Ryuk uses a common process injection technique that consists of allocating memory in a host process, writing malicious code to it, and ensure the remote process loads it by creating a remote thread in the target process. This is why the “SeDebugPrivilege” is so important. Without it, this technique will not work.

The injected process ends up running a batch file that has been dropped at an earlier step. This file contains multiple uses of “vssadmin” and “delete” commands with the goal of changing configuration and deleting restore points or backups. This is a common action found in ransomware carried out before encrypting, ensuring that the victim is forced to pay to recover valuable files that cannot be recovered from backup.

“vssadmin.exe” is a command-line tool that manages the Volume Shadow Copy Service (VSS), which captures and copies stable images for backup on running systems. Many backup solutions use it, like Microsoft Restore Point or Microsoft Windows Server Backup, but third-party vendors can also rely on this technology.

Furthermore, some samples of Ryuk have been known to modify discretionary access control lists of the original documents to “full” for “everyone”, via the Windows application “icacls.exe”.

So, Ryuk injects into a remote process and creates a thread to delegate the encryption to other running processes with the goal of avoiding detection. The encryption process creates a new thread for each file it encrypts, which makes it very fast. A thread is created for the encryption of each file and each file is encrypted with its own AES key.

After the file has been encrypted, a file extension of “.RYK” is appended to the file. All directories will have a ransom note of (RyukReadMe.txt) written to them. Ryuk uses a combination of symmetric (AES) and asymmetric (RSA) encryption to encrypt files. Without the private key provided by the authors, the files cannot be decrypted and are unrecoverable.

Ryuk has two public RSA keys embedded in the executable, and the private key is encrypted and embedded in the executable because Ryuk does not generate a victim-specific RSA key pair, rather it has a unique key for each executable. This means that all hosts can be decrypted with the same decryption key if they were encrypted with the same executable. Therefore, it is highly likely that Ryuk pre-generates the RSA key pairs for each victim. This could be intentional as the unencrypted RSA key pair parameters will never be in the system at any time.

Ryuk utilizes the Windows CryptoAPI for the encryption phase. Before Ryuk can delegate the encryption phase to other processes, it needs to import the embedded keys, among other operations.

Stopping Ryuk with WALLIX BestSafe EPM

Traditional antivirus software and scanners are no match for Ryuk and other modern ransomware. This is the unfortunate truth, if for no other reason than the simple fact that these tools require advance knowledge of threats in order to detect them. With new malware coming all the time, with new techniques and subtle methodologies, there’s no way for antivirus solutions to keep up.

Defending against ransomware, malware, and cryptoviruses requires a proactive, innovative approach to security. WALLIX BestSafe delivers game-changing endpoint security that can stop these infections in their tracks.

Given that Ryuk does not perform encryption directly, but rather hijacks existing and trusted processes to perform the encryption, it’s critical that a security solution be able to detect this unusual behavior even from known applications. WALLIX BestSafe enables application and process-level security to define, at a granular level, which programs are allowed to carry out which actions and, more critically, which they are not. Thus, when Ryuk attempts to force a trusted program to encrypt corporate data, WALLIX BestSafe detects the suspicious process and prevents the action from being carried out.

How does WALLIX  BestSafe Endpoint Privilege Management stop ransomware like Ryuk?

Step 1: Stop infection from the beginning
  • WALLIX BestSafe blocks the execution of the dropper file in the first place, preventing the entire process from even starting. For example, it assumes that the Principle of Least Privilege has been applied, and therefore the user does not have access to system files and folders. BestSafe can also check the modified date of the file at the filesystem level. Normally, malware functions by downloading a payload and running it, so it’s safe to assume that a process whose executable file has just been created is potentially dangerous.
  • If, hypothetically speaking, the dropper does somehow successfully execute, the executions of the dropped executable files would also be blocked by this rule. The Ryuk malware is signed by a code signing certificate issued by a trusted CA. Therefore, the rule must apply even if the process is signed and trusted.
  • Under this BestSafe rule, the registry key that Ryuk uses to persist upon reboot does not exist, so the malware is unable to progress and will not be executed automatically again upon next log on.
  • BestSafe can prevent any process from performing privilege escalation regardless of user privilege level, and therefore all subsequent operations would fail, including the sophisticated process injection technique.
Step 2: Prevent further suspicious actions

If for some reason BestSafe is not configured to stop all the previous steps, we can still rely on more key features to protect against malicious actions.

  • Rule configurations can further restrict activity, for example by blocking any process run as a child of a parent process that has been executed from the profile of the user, and whose executable file has been modified in less than 5 minutes.
  • Furthermore, a BestSafe ransomware rule can be configured to block any process run from the profile of the user that tries to run any one of the processes in a list, and whose executable file has been modified within a defined time period. When the process of the ransomware rule tries to launch any of them, the process will be killed by BestSafe. This list is populated with processes commonly used by all malware and especially ransomware, including Ryuk (deleting backups, restore points, granting itself privileges, etc.).
Step 3: Block encryption

In one step further, if by some chance BestSafe was not configured to stop all the previous steps and the ransomware reaches the encryption phase, yet more key features come into play.

  • BestSafe will detect ransomware calls to the Windows CryptoAPI and will stop the execution of the process tree (i.e., the process that started it all as well as all the processes that it ran). It accomplishes this by using the same ransomware rule and flags as previous steps and a few strategic conditions aimed at detecting behavior that only ransomware would do, or in other words, behavior that a human would never do (5 encryption operations in less than a second is eternity for a machine).

Stop Ransomware with Endpoint Privilege Management (EPM)

Ryuk is one of the most advanced ransomwares that we have ever seen, mostly due to its combination of three different types of malware, and the communication between the victims and the hackers. However, such sophistication comes at a price, and the process injection technique requires the malware to have administrator privileges (at least for the encryption phase). This makes it one of the few ransomware to require them, when the main reason  ransomware has always been difficult to detect was that they didn’t require them by design.

This means that, if the user that runs this malware is a standard user and has no privileged credentials of any kind, the ransomware will not get very far and most definitely not encrypt the files. Applying the Principle of Least Privilege through strong endpoint management is therefore critical.

And in the event that Least Privilege is not enough or any phase of an attack is not stopped for some reason, BestSafe can still address – and prevent – the rest of the phases.

For organizations that have not yet successfully applied a real least-privilege model, WALLIX BestSafe offers the ability to de-escalate applications even if the users running them are administrator users. By applying generic rules to the user profile, and de-escalating every application, Ryuk would have attempted to run without privileges and failed. All this while the user is still a full administrator with full admin rights.

Stop Ryuk, and other ransomware, malware, and cryptoviruses, in their tracks with WALLIX BestSafe Endpoint Privilege Management.

Request your free 30-day trial of WALLIX BestSafe