Inside the Ryuk ransomware
What is Ryuk?
Ryuk is a ransomware sample that has been making the rounds recently. It is designed to be used in targeted attacks and has no ability to move laterally through the network (though it can encrypt network drives from an infected computer).
Ryuk is commonly dropped by another malware sample and is often associated with Emotet and Trickbot. There’s typically a delay between the initial infection of the target machine and the beginning of Ryuk performing file encryption. This delay allows the attacker to perform other types of exploitation of the infected machine and reconnaissance to determine if the infected machine is a viable target for a ransomware infection.
Since a great deal of the Ryuk ransomware’s attack process is performed manually (direct exploitation, payment requests handled via email and so on), the attackers don’t want to waste time dealing with targets that are unlikely to provide an adequate payoff.
How does Ryuk work?
The Ryuk ransomware is based on the Hermes ransomware. This link is well-supported by a variety of different features of Ryuk. For example, Ryuk uses the same format to mark encrypted files as Hermes (using the string HERMES), has a similar structure in its encryption algorithm, and includes a whitelist value that only makes sense if Ryuk is derived from Hermes.
However, Ryuk also has several features that are different than Hermes. Over time, the malware has evolved to be more distinct from its parent.
The execution of the Ryuk ransomware can be broken up into three main stages: the dropper, setup of the ransomware binary and the file encryptor process.
A Ryuk malware infection starts with a malware dropper. The goal of this initial executable is to ensure that the malware running on the system is suited to it.
The filename and location of the dropped ransomware binary follow a set algorithm. The filename consists of five random characters generated by seeding _srand with GetTickCount and then calling _rand several times to produce the five-character filename.
The location where the file will be dropped depends on the operating system. If the machine is running Windows XP or earlier, the ransomware binary will be placed at Documents and SettingsDefault User within the current drive. Later Windows versions will place it at usersPublic. If this fails, the malware will be placed in the dropper’s own directory with V appended to the random filename.
Before creating the file, the dropper runs IsWow64Process to determine if it is executing in a 32-bit or 64-bit context. Based on the result, it drops the appropriate version of the malware and runs it using ShellExecuteW.
Ransomware binary setup
The Ryuk ransomware does not begin operations immediately but sleeps for a while. Once it begins, the first step is to determine if it was run with an argument. If so, this argument is the directory of the dropper, which it deletes.
Next, the ransomware binary uses taskkill to terminate several processes, including antiviruses, databases, backups and document editing programs. Originally, this functionality was embedded within the executable, but more recent versions have seen it moved to a standalone batch file called kill.bat.
Older variants of Ryuk would then add persistence using the command ‘reg add /C REG ADD “HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionRun” /v “svchos” /t REG_SZ /d’. However, this functionality has been dropped in more recent builds.
Finally, the malware tries to achieve SeDebugPrivilege and inject its malicious functionality into a more privileged process. This is accomplished by looking for appropriate processes running on the machine (ignoring “explorer.exe”, “csrss.exe” and “lsaas.exe” or anything without NT AUTHORITY perms) and using VirtualAllocEx with a set base address. This choice of a set base address makes the injection mechanism fragile since it is only possible if that address is available.
Once the injected code is executed, its first step is to decrypt a list of API function names and lengths and load them. It then tests if it has SYSTEM privileges by trying to write to the Windows directory. If so, it creates two files within a subfolder inside this directory:
- PUBLIC: RSA Public Key
- UNIQUE_ID_DO_NOT_REMOVE: Hardcoded Key
At this point, Ryuk is ready to begin the encryption process.
Ryuk key structure
Ryuk uses a combination of 2048 bit RSA and AES 256 keys for encryption. Ryuk is a bit unusual in how it uses a three-level model for encryption keys.
The top layer is the RSA keypair owned by the ransomware author. These keys manage all Ryuk infections, and the private key never leaves their possession. The public key comes embedded in the Ryuk binary.
The mid-level key is a per-infection RSA keypair. Typically, these keys are generated on the infected device and the private key is immediately encrypted with the top-layer private key. With Ryuk, these keys are precomputed, embedded in the binary, and the private key is already encrypted. This would only be possible with a targeted ransomware variant like Ryuk since any machines infected with the same binary could be decrypted with the same key (only requiring a single ransom payment).
Finally, each file that is encrypted by the malware has its own AES-256 encryption key. These keys are generated using CryptGenKey, exported using CryptExportKey, and appended to the encrypted file after being encrypted using the mid-level RSA public key. Again, this is unusual since the ransomware authors actually performed this step properly by passing in the key as a parameter to CryptExportKey rather than exporting in plaintext and then encrypting it in a separate step.
The file encryption module for Ryuk is fairly standard. It performs a recursive sweep through the file system, searches for other attached drives, and enumerates network resources for encryption using WNetOpenEnum and WNetEnumResource. Each file is encrypted with AES-256 and the encryption key is destroyed after use.
One unusual feature of Ryuk that is a bit unusual is the whitelist used to determine whether a file should be skipped during the encryption process. The use of a whitelist is common, but Ryuk’s is extremely short:
- Strings: “Windows”, “Mozilla”, “Chrome”, “RecycleBin” and “Ahnlab” (a legacy from HERMES)
- Filetypes: .exe, .dll and .hrmlog (a log filetype inherited from Hermes)
The list of whitelisted filetypes is extremely short and is inadequate to ensure system stability. Since it doesn’t explicitly protect the files needed to boot the machine, a Ryuk-infected machine may refuse to boot if restarted.
Ryuk is also unusual for its viciousness in cleaning up shadow copies of files. While this practice is common, Ryuk’s cleanup routine (contained in Windows.bat) is extensive and includes use of an undocumented features or vssadmin resize to delete shadow copies that the program should not have access to.
Impact of the Ryuk ransomware
The design of Ryuk means that it is unlikely to ever be used in wide-scale attacks. It is a targeted tool designed to exploit lucrative targets. While the malware is unusual in several ways, the design is effective and, in some ways, demonstrates a level of professionalism that is not reached by all ransomware samples, as demonstrated by the proper use of CryptExportKey and vssadmin. The malware is likely to continue to be effective as long as it is able to slip past organizations’ cyberdefenses.
- Special Security Advisory: ‘Ryuk Ransomware Targeting Organizations Globally’, Secure World Expo
- Ryuk Ransomware: A Targeted Campaign Break-Down, Check Point Research
- Ryuk ransomware targeting organisations globally, National Cyber Security Centre
- Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware, Crowdstrike