A new Ryuk ransomware variant with worm-like capabilities that enable it to spread to other devices on victims’ local networks has been discovered by the French national cyber-security agency while investigating an attack in early 2021.
“Through the use of scheduled tasks, the malware propagates itself – machine to machine – within the Windows domain,” ANSSI (short for Agence Nationale de la Sécurité des Systèmes d’Information) said in a report published today.
“Once launched, it will thus spread itself on every reachable machine on which Windows RPC accesses are possible.”
Self-replication to other network devices
To propagate itself over the local network, the new Ryuk variant lists all the IP addresses in the local ARP cache and sends what look like Wake-on-LAN (WOL) packets to each of the discovered devices. It then mounts all sharing resources found for each device so that it can encrypt the contents.
What makes this new Ryuk sample different is its capability to copy itself to other Windows devices on the victims’ local networks.
Furthermore, it can execute itself remotely using scheduled tasks created on each subsequently compromised network host with the help of the legitimate schtasks.exe Windows tool.
The Ryuk variant analyzed in this document does have self-replication capabilities. The propagation is achieved by copying the executable on identified network shares. This step is followed by the creation of a scheduled task on the remote machine. [..] Some filenames have been identified for this copy: rep.exe and lan.exe. – ANSSI
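The propagation chain ANSSI describes (copy to a network share, then a scheduled task created on the remote host) leaves a trail in the Windows Security log as Event ID 4698 ("A scheduled task was created"). The detection logic below is an added example written for this article, not code from ANSSI or from the report: it scans a constructed batch of flattened 4698/4688 event lines for tasks that launch the filenames ANSSI identified (rep.exe, lan.exe), tasks whose action is an executable sitting on a network share, and one account creating tasks on several hosts within a short window. The Key=Value layout of the sample lines, the hostnames and account names, and the two thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Filenames ANSSI observed for the executable copied to network shares.
KNOWN_COPY_NAMES = {"rep.exe", "lan.exe"}
# Assumed thresholds: one account creating tasks on this many distinct hosts
# within the window is treated as lateral movement via scheduled tasks.
FAN_OUT_HOSTS = 3
WINDOW_SECONDS = 600

# Constructed sample of Windows Security events (4698 = scheduled task created,
# 4688 = process created) flattened to "Key=Value" lines. Hostnames, account
# names and the field layout are assumptions, not data from the report.
SAMPLE_EVENTS = [
    r"Time=2021-02-25T10:00:00 EventID=4698 Computer=WS01 SubjectUser=CORP\svc_backup "
    r"TaskName=\Updater TaskContent=<Command>C:\Windows\rep.exe</Command>",
    r"Time=2021-02-25T10:01:30 EventID=4698 Computer=WS02 SubjectUser=CORP\svc_backup "
    r"TaskName=\Updater TaskContent=<Command>\\WS01\C$\lan.exe</Command>",
    r"Time=2021-02-25T10:02:10 EventID=4698 Computer=WS03 SubjectUser=CORP\svc_backup "
    r"TaskName=\Updater TaskContent=<Command>C:\Windows\rep.exe</Command>",
    r"Time=2021-02-25T10:05:00 EventID=4698 Computer=WS04 SubjectUser=CORP\alice "
    r"TaskName=\OneDrive Update TaskContent=<Command>"
    r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe</Command>",
    r"Time=2021-02-25T10:06:00 EventID=4688 Computer=WS01 SubjectUser=CORP\bob "
    r"NewProcessName=C:\Windows\System32\notepad.exe",
]


def parse_event(line):
    """Parse one flattened 'Key=Value Key=Value ...' line into a dict."""
    return {k: v for k, v in re.findall(r"(\w+)=(.*?)(?=\s+\w+=|$)", line)}


def task_command(event):
    """Extract the <Command> the scheduled task runs, or None."""
    m = re.search(r"<Command>(.*?)</Command>", event.get("TaskContent", ""))
    return m.group(1) if m else None


def assess_task(event):
    """Return the reasons a 4698 event resembles Ryuk-style propagation ([] if none)."""
    reasons = []
    cmd = task_command(event)
    if cmd is None:
        return reasons
    basename = cmd.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if basename in KNOWN_COPY_NAMES:
        reasons.append(f"task launches known Ryuk copy name {basename}")
    if cmd.startswith("\\\\"):
        reasons.append("task command is a UNC path (executable served from a share)")
    return reasons


def detect_fan_out(task_events):
    """Map accounts to the hosts they created tasks on when FAN_OUT_HOSTS is reached in WINDOW_SECONDS."""
    by_user = defaultdict(list)
    for e in task_events:
        by_user[e["SubjectUser"]].append((datetime.fromisoformat(e["Time"]), e["Computer"]))
    alerts = {}
    for user, items in by_user.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            hosts = {h for t, h in items[i:] if (t - t0).total_seconds() <= WINDOW_SECONDS}
            if len(hosts) >= FAN_OUT_HOSTS:
                alerts[user] = sorted(hosts)
                break
    return alerts


def analyze(lines):
    """Run both checks over raw event lines; only 4698 events are considered."""
    tasks = [e for e in map(parse_event, lines) if e.get("EventID") == "4698"]
    suspicious = []
    for e in tasks:
        reasons = assess_task(e)
        if reasons:
            suspicious.append((e["Computer"], e["SubjectUser"], reasons))
    return {"suspicious_tasks": suspicious, "fan_out": detect_fan_out(tasks)}


if __name__ == "__main__":
    result = analyze(SAMPLE_EVENTS)
    for host, user, reasons in result["suspicious_tasks"]:
        print(f"{host}: task created by {user}: {'; '.join(reasons)}")
    for user, hosts in result["fan_out"].items():
        print(f"{user} created scheduled tasks on {len(hosts)} hosts within {WINDOW_SECONDS}s: {hosts}")
```

The filename match is the weakest signal, since the names can change between samples; the fan-out check (one privileged account creating tasks across many hosts in minutes) is the one that survives renaming and also points straight at the account whose password ANSSI recommends changing to contain the spread.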
While it doesn’t use an exclusion mechanism that would prevent it from re-encrypting devices, ANSSI says that the new variant can still be blocked from infecting other hosts on the network by changing the password of the privileged domain account it uses for propagation to other hosts.
“One way to tackle the problem could be to change the password or disable the user account (according to the used account) and then proceed to a double KRBTGT domain password change,” ANSSI said.
“This would induce many disturbances on the domain – and most likely require many reboots but would also immediately contain the propagation. Other propagation containment approaches could also be considered, in particular through the targeting of the malware execution environment.”
Indicators of compromise (IOCs) associated with this new Ryuk variant can be found here.
The Ryuk ransomware gang
Ryuk is a ransomware-as-a-service (RaaS) group first observed in August 2018 that has left behind a long list of victims.
RaaS gangs are known for running private affiliate programs where affiliates can submit applications and resumes to apply for membership.
Ryuk is at the top of the RaaS rankings, with its payloads being discovered in roughly one in three ransomware attacks throughout the last year.
Ryuk affiliates were behind a massive wave of attacks on the US healthcare system starting in November 2020. They usually ask for huge ransoms, having collected $34 million from just one victim last year.
After following the money trail from Ryuk ransomware victims, security researchers from threat intelligence companies Advanced Intelligence and HYAS estimate that the RaaS operation made at least $150 million.
During the third quarter of 2020, Ryuk affiliates were observed hitting, on average, roughly 20 companies every week.