How to protect against ransomware?
<blockquote data-quote="Geniu" data-source="post: 367" data-attributes="member: 13"><p><em>Ryuk is ransomware that encrypts files and demands that victims pay in bitcoin to receive the decryption keys. It is used exclusively in targeted attacks. The ransomware was first detected in August 2018 as part of a campaign against several companies. Our specialists analyzed the early versions of the malware and found similarities and shared fragments of source code with the Hermes ransomware. Hermes is mass-distributed ransomware that is sold on underground forums and used by several hacker groups. So how do you protect yourself against Ryuk?</em></p>
<p><strong>Ryuk</strong> uses a combination of <strong>AES</strong> symmetric encryption <strong>(256 bits)</strong> and <strong>RSA</strong> asymmetric encryption <strong>(2048 or 4096 bits)</strong> for its own purposes. The symmetric key is used <strong>to encrypt the contents of the files</strong>, and the asymmetric public key is used <strong>to encrypt the symmetric key.</strong> After the ransom is paid, the attackers provide the corresponding asymmetric private key, which can be used to decrypt the files.</p>
<p>Since Ryuk is used for <strong>targeted attacks</strong>, the primary infection vectors are chosen based on data about the victim. These vectors are often targeted phishing emails, remote access to systems using stolen accounts, and the use of well-known mass malware. In the latter case, a combination of <strong>Emotet</strong> and <strong>TrickBot</strong> is often used to <strong>deliver Ryuk</strong>; the use of <strong>BazarLoader</strong> has also recently been reported.</p>
<p>Ryuk infections often begin with <strong>spear phishing emails</strong> containing a malicious link or <strong>MS Office document</strong>. With their help, hackers penetrate the victim's environment. In some cases, computers with a <strong>compromised RDP service</strong> become the access point.</p>
<p><strong><em>Spear phishing</em></strong> <em>is a subtype of phishing that targets a narrowly defined group of people (a company, a group of its employees, or an individual).</em></p>
<p>The first scenario uses <strong>TrickBot</strong> or <strong>BazarLoader</strong> as the malware loader. After it executes, other hackers gain access to the compromised machines. Next, the computers are usually loaded with <strong>a Cobalt Strike beacon</strong> to steal usernames and passwords and move laterally across the network to take over domain controllers. The Ryuk binary is then pushed to all machines through these controllers. How does this code work? Let's find out.</p>
<p><strong>General data</strong></p>
<p><strong>The file being analyzed</strong> is an unpacked ransomware sample from the Ryuk family. The sample can be identified by its <strong>checksums (hashes):</strong></p>
<p>SHA-1: <em>1EFC175983A17BD6C562FE7B054045D6DCB341E5</em></p>
<p>SHA-256: <em>8F368B029A3A5517CB133529274834585D087A2D3A5875D03EA38E5774019C8A</em></p>
<p>The final payload was compiled on 30 April.</p>
<p><strong>Anti-debugging</strong></p>
<p>Ryuk repeatedly uses anti-disassembly techniques to make static analysis of the program code difficult.</p>
<p><img src="https://cryptoworld.su/wp-content/uploads/2021/08/image1.jpg" alt="image1.jpg" class="fr-fic fr-dii fr-draggable " style="" /></p>
<p><em>Disassembly protection method</em></p>
<p>In addition, the malicious code uses anti-debugging methods based on the <strong><em>ZwQueryInformationProcess</em></strong> <strong>API</strong> and various functions (flags) such as <strong><em>ProcessDebugFlags</em></strong>, <strong><em>ProcessDebugPort</em></strong> and <strong><em>ProcessDebugObjectHandle</em></strong>. With their help the ransomware can detect the presence of a debugger and <strong>forcefully close it.</strong></p>
<p><img src="https://cryptoworld.su/wp-content/uploads/2021/08/image2.jpg" alt="image2.jpg" class="fr-fic fr-dii fr-draggable " style="" /></p>
<p><em>Process query</em></p>
<p>In addition, the ransomware checks the <strong><em>BeingDebugged</em></strong> attribute in the <strong>PEB</strong> structure of the <strong>process</strong> for the same purpose.</p>
<p><img src="https://cryptoworld.su/wp-content/uploads/2021/08/image-006.jpg" alt="image-006.jpg" class="fr-fic fr-dii fr-draggable " style="" /></p>
<p><em>Checking for signs of process debugging</em></p>
<p><strong>Execution</strong></p>
<p>Ryuk copies itself three times into the current folder under different names and runs these new binaries with different command line options. Each such execution <strong>performs a separate function</strong>. The file name of the first copy of the malware is generated as <strong>a checksum of the current username</strong> with <strong><em>r.exe</em></strong> appended.</p>
<p>If the malware cannot get the username, the default name <strong><em>rep.exe</em></strong> is used. When this file runs, the malware uses the <strong>command line <em>9 REP</em>.</strong> This process is responsible for Ryuk's self-replication to other machines on the network.</p>
<p><img src="https://cryptoworld.su/wp-content/uploads/2021/08/image3.jpg" alt="image3.jpg" class="fr-fic fr-dii fr-draggable " style="" /></p>
<p><em>First execution</em></p>
<p>The name of the next copy of the Trojan is generated randomly and <strong>has the suffix <em>lan.exe</em></strong>. This copy corresponds to the command line <strong>8 LAN</strong>. This process is responsible for sending <strong>Wake-On-Lan</strong> packets to other computers on the network.</p>
<p><img src="https://cryptoworld.su/wp-content/uploads/2021/08/image-010.jpg" alt="image-010.jpg" class="fr-fic fr-dii fr-draggable " style="" /></p>
<p><em>Second execution</em></p>
<p>The name of the third copy is formed in the same way as the second, using the same command line.</p>
<p><img src="https://cryptoworld.su/wp-content/uploads/2021/08/image4.jpg" alt="image4.jpg" class="fr-fic fr-dii fr-draggable " style="" /></p>
<p><em>Execution of the third copy</em></p>
<p><strong>Ransom notice</strong></p>
<p>To inform the user that the <strong>files are encrypted</strong>, Ryuk drops <strong>an HTML</strong> ransom message into each encrypted folder. This message is roughly the same for all Ryuk variants. The main difference in this sample is the presence of a link button and <strong>instructions for installing the Tor browser.</strong></p>
<p><img src="https://cryptoworld.su/wp-content/uploads/2021/08/image-012.png" alt="image-012.png" class="fr-fic fr-dii fr-draggable " style="" /></p>
<p><em>Ransom notice in HTML format</em></p>
<p>When you click the <strong>Connect</strong> button, a pop-up window appears with instructions on how to contact the ransomware authors.</p>
<p><img src="https://cryptoworld.su/wp-content/uploads/2021/08/image-016.png" alt="image-016.png" class="fr-fic fr-dii fr-draggable " style="" /></p>
<p><em>Message with instructions</em></p>
<p>The <strong>onion link</strong> given in the instructions leads the user to a communication portal. It contains a form where you have to enter your email address, a password, the organization name and a message to the hackers (in a separate field).</p>
<p><img src="https://cryptoworld.su/wp-content/uploads/2021/08/image5.jpg" alt="image5.jpg" class="fr-fic fr-dii fr-draggable " style="" /></p>
<p><em>Login form for contacting the Ryuk operators</em></p>
<p><strong>Changing disk permissions</strong></p>
<p>The Trojan discovers the mapped local drives with a call to the <strong><em>GetLogicalDrives</em> API</strong> and uses the <strong>Windows icacls tool</strong> to change the permissions of each drive in order to gain full access to it.</p>
<p><img src="https://cryptoworld.su/wp-content/uploads/2021/08/image-024.jpg" alt="image-024.jpg" class="fr-fic fr-dii fr-draggable " style="" /></p>
<p><em>Executing the icacls command</em></p>
<p>Here is an example of a command that Ryuk executes:</p>
<p><strong><em>icacls "C:\*" /grant Everyone:F /T /C /Q</em></strong></p>
<p><strong>Forced termination of processes and services</strong></p>
<p>Before encrypting files, the Trojan creates a new thread that terminates a number of processes and stops some services.</p>
<p><img src="https://cryptoworld.su/wp-content/uploads/2021/08/image6.jpg" alt="image6.jpg" class="fr-fic fr-dii fr-draggable " style="" /></p>
<p><em>Thread creation</em></p>
<p>In this new thread, Ryuk builds a list of running processes and services and compares it with a list <strong>of 41 processes and 64 services</strong> hardcoded in its code. Some of these processes and services belong to antivirus and backup tools, while others may hold open files that are to be encrypted during the attack.</p>
<p><img src="https://cryptoworld.su/wp-content/uploads/2021/08/image7.jpg" alt="image7.jpg" class="fr-fic fr-dii fr-draggable " style="" /></p>
<p><em>Thread functions</em></p>
<p>The ransomware uses the following command to terminate processes:</p>
<p>Code:</p>
<p>C:\Windows\System32\taskkill.exe /IM /F</p>
<p>The command to stop the services targeted by the ransomware:</p>
<p>Code:</p>
<p>C:\Windows\System32\net.exe stop /y</p>
<p>Since both services and processes are checked with the <strong><em>strstr</em></strong> function, which returns partial string matches, the malware also terminates other, non-target processes such as <strong><em>audioendpointbuilder</em></strong>, because its name contains the string endpoint.</p>
<p><img src="https://cryptoworld.su/wp-content/uploads/2021/08/image8.jpg" alt="image8.jpg" class="fr-fic fr-dii fr-draggable " style="" /></p>
<p><em>Forced shutdown of a service</em></p>
<p><strong>File encryption</strong></p>
<p>The Trojan tries to encrypt <strong>local and network drives</strong> by scanning all files on them and checking the path and name of each file. Ryuk does not encrypt files whose full paths contain any of the following names:</p>
<p><strong><em>\Windows\</em></strong></p><p><strong><em>Windows</em></strong></p><p><strong><em>boot</em></strong></p><p><strong><em>WINDOWS\</em></strong></p><p><strong><em>Chrome</em></strong></p><p><strong><em>Mozilla</em></strong></p><p><strong><em>SYSVOL</em></strong></p><p><strong><em>NTDS</em></strong></p><p><strong><em>netlogon</em></strong></p><p><strong><em>sysvol</em></strong></p>
<p>The malware also does not encrypt files with any of the following strings in their names:</p>
<p>RyukReadMe.html</p><p><strong><em>boot</em></strong></p><p><strong><em>dll</em></strong></p><p><strong><em>ntldr</em></strong></p><p><strong><em>exe</em></strong></p><p><strong><em>.ini</em></strong></p><p><strong><em>.lnk</em></strong></p><p><strong><em>bootmgr</em></strong></p><p><strong><em>boot</em></strong></p><p><strong><em>NTDETECT</em></strong></p>
<p>In addition, Ryuk checks file names for the string <strong>index</strong>. If it is present, the program calls the function <strong><em>RyukDropRansomNoteInIndexFile</em></strong>.</p>
<p><img src="https://cryptoworld.su/wp-content/uploads/2021/08/image-026.png" alt="image-026.png" class="fr-fic fr-dii fr-draggable " style="" /></p>
<p><em>Checking for files with the string index in the name</em></p>
<p>If the file has the extension <strong><em>.php</em></strong>, the ransomware generates <strong>PHP code</strong> that produces the <strong>HTML</strong> ransom <strong>message</strong>. Otherwise, it overwrites the contents of the file with the HTML code of the ransom message. Thus, when trying to open the site, the user <strong>sees Ryuk's message with the cybercriminals' demands.</strong></p>
<p><img src="https://cryptoworld.su/wp-content/uploads/2021/08/image-028.png" alt="image-028.png" class="fr-fic fr-dii fr-draggable " style="" /></p>
<p><em>Embedding the Ryuk ransom note into files named index</em></p>
<p>This feature is believed to have been added in newer versions of the malware to attack web servers and deface public websites, replacing their home pages with Ryuk ransom messages. This tactic had not been used before in ransomware, whose ultimate goal is to force the victim to pay a ransom.</p>
<p>The encryption technique in the latest version of Ryuk is the same as before. For each file, the program uses a <strong>random AES-256 key</strong> generated with the <strong><em>CryptGenKey</em> API</strong> and then encrypts that key with <strong>the RSA public key</strong> embedded in the malicious code. With this scheme the cybercriminals ensure strong encryption as well as reliable key management.</p>
<p><img src="https://cryptoworld.su/wp-content/uploads/2021/08/image-034.png" alt="image-034.png" class="fr-fic fr-dii fr-draggable " style="" /></p>
<p><em>AES-256 key generation</em></p>
<p>Before processing a file, the Trojan checks whether the file has already been encrypted. To do this, it searches for a keyword: <strong><em>HERMES</em></strong> for old versions of <strong>Ryuk</strong> and <strong><em>RYUKTM</em></strong> for new ones. If such a keyword is found, the file is skipped and not encrypted.</p>
<p><img src="https://cryptoworld.su/wp-content/uploads/2021/08/image9.jpg" alt="image9.jpg" class="fr-fic fr-dii fr-draggable " style="" /></p>
<p><em>Checking for HERMES and RYUKTM</em></p>
<p>After that, the Trojan starts encrypting the file in chunks of a fixed size: <strong>1,000,000 bytes each.</strong></p>
<p><img src="https://cryptoworld.su/wp-content/uploads/2021/08/image10.jpg" alt="image10.jpg" class="fr-fic fr-dii fr-draggable " style="" /></p>
<p><em>Encrypting the file in chunks</em></p>
<p>Next, Ryuk appends the keyword <strong><em>RYUKTM</em></strong> to mark the file as encrypted, exports the <strong>AES key</strong> encrypted with the public <strong>RSA key</strong> using the <strong><em>CryptExportKey</em> API</strong>, and appends it to the end of the file.</p>
<p><img src="https://cryptoworld.su/wp-content/uploads/2021/08/image-036.png" alt="image-036.png" class="fr-fic fr-dii fr-draggable " style="" /></p>
<p><em>File key export</em></p>
<p>Below is an example of an encrypted file with the <strong>274 bytes of metadata</strong> that Ryuk appends to the end of the file.</p>
<p><img src="https://cryptoworld.su/wp-content/uploads/2021/08/image-040.jpg" alt="image-040.jpg" class="fr-fic fr-dii fr-draggable " style="" /></p>
<p><em>Appended metadata</em></p>
<p><strong>Print job</strong></p>
<p>After encrypting the files, Ryuk creates a new scheduled task that prints <strong>50 copies of the ransom message in RTF format</strong> on the system default printer. The command line that creates this task looks like this:</p>
<p><strong><em>SCHTASKS /CREATE /NP /SC DAILY /TN "PrintvE" /TR "C:\Windows\System32\cmd.exe /c for /l %x in (1,1,50) do start wordpad.exe /p C:\users\Public\YTKkI.dll" /ST 10:25 /SD 05/18/2021 /ED 05/25/2021</em></strong></p>
<p>The task runs at the scheduled time every day for a week. The 50-page ransom message printed <strong>in RTF format contains a password</strong>; it is saved in the Public directory as a file with a random name <strong>and the extension <em>.dll</em>.</strong></p>
<p><img src="https://cryptoworld.su/wp-content/uploads/2021/08/image11.jpg" alt="image11.jpg" class="fr-fic fr-dii fr-draggable " style="" /></p>
<p><em>Ryuk ransom notice in RTF format</em></p>
<p>This feature is also new. It was added to the Trojan in order <strong>to harm the</strong> victim's <strong>system</strong> and force them <strong>to pay a ransom</strong> to decrypt the files.</p>
<p><strong>Remote network connection</strong></p>
<p>The <strong>Ryuk 8 LAN</strong> command line process is designed to read the system ARP cache and send <strong>Wake on Lan packets</strong> to power on remote computers. To read the ARP table, the malware uses the <strong><em>GetIpNetTable</em> API</strong> from <strong><em>iphlpapi.dll</em></strong>. Having obtained the table, the ransomware starts sending packets using the <strong><em>sendto</em> API from the Winsock library.</strong></p>
<p><img src="https://cryptoworld.su/wp-content/uploads/2021/08/image-042.png" alt="image-042.png" class="fr-fic fr-dii fr-draggable " style="" /></p>
<p><em>Sending a Wake on Lan packet</em></p>
<p><strong>Wake on Lan magic</strong> packets consist of 6 bytes with the value 255 <strong>(hex <em>0xFF</em>)</strong> followed by the destination MAC address repeated 16 times. The total packet size is <strong>102 bytes.</strong></p>
<p><img src="https://cryptoworld.su/wp-content/uploads/2021/08/image-044.png" alt="image-044.png" class="fr-fic fr-dii fr-draggable " style="" /></p>
<p><em>Wake on Lan packet</em></p>
<p><strong>Sequential enumeration of shared network folders</strong></p>
<p>Ryuk also tries to <strong>move laterally to other hosts on the network</strong>. To do this, the program first determines all IP addresses assigned to the system and checks whether they belong to the <strong>private IPv4 address</strong> ranges <strong>(10.x.x.x, 172.16.x.x and 192.168.x.x).</strong> Because this check is done with the <strong><em>strstr</em></strong> function, it can also match public subnets such as <strong>151.192.172.1.</strong></p>
<p><img src="https://cryptoworld.su/wp-content/uploads/2021/08/image12.jpg" alt="image12.jpg" class="fr-fic fr-dii fr-draggable " style="" /></p>
<p><em>Faulty check for private IP networks</em></p>
<p>If one of the above subnets is found, the ransomware starts sending <strong>ICMP Echo requests</strong> using the API to discover other computers on that subnet. If a computer responds to the request, it is considered a potential victim and Ryuk tries to encrypt the files on it.</p>
<p><img src="https://cryptoworld.su/wp-content/uploads/2021/08/image13.jpg" alt="image13.jpg" class="fr-fic fr-dii fr-draggable " style="" /></p>
<p><em>ICMP Echo request</em></p>
<p>Ryuk attempts to encrypt files on any <strong>host it finds</strong>, just as it does for local drives. The ransomware builds a <strong>UNC path</strong> for every drive letter <strong>(A to Z)</strong> in the format <strong><em>\\&lt;IP&gt;\&lt;drive letter&gt;$</em></strong>. The Trojan then attempts to gain access to <strong><em>\\&lt;IP&gt;</em></strong> and <strong>encrypt along that path.</strong> This attempt is shown in the following figure.</p>
<p><img src="https://cryptoworld.su/wp-content/uploads/2021/08/image-052.png" alt="image-052.png" class="fr-fic fr-dii fr-draggable " style="" /></p>
<p><em>Encrypting files over UNC</em></p>
<p><strong>Server Message Block (SMB) replication</strong></p>
<p>The <strong>Ryuk <em>9 REP</em></strong> command line process is responsible for replicating the malware to new computers, while checking that the process is not running twice. To do this, <strong>a mutex object</strong> is created with a name derived from the machine's username. If the mutex already exists, the <strong>procedure is stopped.</strong></p>
<p><img src="https://cryptoworld.su/wp-content/uploads/2021/08/image-054.png" alt="image-054.png" class="fr-fic fr-dii fr-draggable " style="" /></p>
<p><em>Creating a mutex</em></p>
<p>In the next step, Ryuk checks for the presence of <strong>its own files</strong> on the remote computer using the <strong><em>GetFileAttributesW</em> API</strong>. The <strong>UNC</strong> file path is built at the same time; the program then tries to access the folder <strong><em>C:\Users\Public</em></strong> on the remote computer. The file is created with a name consisting of the checksum of the current username with the suffix <strong><em>r.exe</em></strong>.</p>
<p><img src="https://cryptoworld.su/wp-content/uploads/2021/08/image-024.jpg" alt="image-024.jpg" class="fr-fic fr-dii fr-draggable " style="" /></p>
<p><em>Copying the Ryuk file</em></p>
<p>The ransomware then uses the <strong><em>CopyFileW</em> API</strong> to copy the file to the remote computer. To make sure this copy is executed remotely, the malware creates a scheduled task with a random name using the <strong><em>schtasks.exe</em></strong> utility.</p>
<p><img src="https://cryptoworld.su/wp-content/uploads/2021/08/image14.jpg" alt="image14.jpg" class="fr-fic fr-dii fr-draggable " style="" /></p>
<p><em>Creating a remote service</em></p>
<p>Thus, for each compromised remote machine, two commands are executed:</p>
<p>Code:</p>
<p>schtasks.exe /Create /S 192.168.56.2 /TN qdpRGwh /TR "C:\\Users\\Public\\622r.exe" /sc once /st 00:00 /RL HIGHEST</p>
<p>schtasks.exe /S 192.168.56.2 /Run /TN qdpRGwh</p>
<p><strong>Conclusion</strong></p>
<p>This short report gives a technical description of the Ryuk ransomware and the latest features integrated into its code to increase the damage to the organizations it targets.</p>
<p>Interestingly, Ryuk's attention has shifted to web servers: instead of encrypting the index files in web server folders, the software replaces them with a ransom message. In addition, the Ryuk developers have added the ability to print the ransom message on the default printer.</p>
<p>In the first half of the year, a number of hacker groups using Ryuk ran vigorous campaigns and attacked organizations around the world. This is why cybercriminals using Ryuk will continue to develop new features and techniques to maximize their gains.</p></blockquote>
It was added to the architecture of the Trojan in order [B]to harm the[/B] victim's [B]system[/B] and force him [B]to pay a ransom[/B] for decrypting files. [B]Remote network connection[/B] The [B]Ryuk 8 LAN[/B] command line process is designed to get system ARP caches and send [B]Wake on Lan packets[/B] to power remote computers. To download the ARP table, the malware uses the [B]API [I]GetIpNetTable[/I][/B] from the file. [B][I]iphlpapi.dll.[/I][/B] Having received the specified table, the ransomware starts sending packets using the [B]API from the Winsock library.[I]sendto[/I][/B] [IMG alt="image-042.png"]https://cryptoworld.su/wp-content/uploads/2021/08/image-042.png[/IMG] [I]Sending a Wake on Lan packet[/I] [B]Wake on Lan Magic[/B] packets are 6 bytes long with a value of 255 [B](hex [I]0xFF[/I])[/B] followed by the destination MAC address written 16 times. The total packet size is [B]102 bytes.[/B] [IMG alt="image-044.png"]https://cryptoworld.su/wp-content/uploads/2021/08/image-044.png[/IMG] [I]Wake on Lan package[/I] [B]Sequential enumeration of shared network folders[/B] Ryuk also seeks to [B]migrate horizontally to other hosts on the network[/B]. For this, the program predetermines all P-addresses assigned to the system and checks if they belong to the [B]private IPv4 address[/B] range [B](10.xxx, 172.16.xx and 192.168.xx).[/B] Because this check is done using a [B]function [I]strstr[/I],[/B] you can find matches with other public subnets such as [B]151.192.172.1.[/B] [IMG alt="image12.jpg"]https://cryptoworld.su/wp-content/uploads/2021/08/image12.jpg[/IMG] [I]Error control of private IP networks[/I] If one of the above subnets is found, the ransomware will start sending [B]ICMP Echo requests[/B] using the API to discover new computers on that subnet. If the computer responds to the request, it will be considered a potential victim and Ryuk will try to encrypt the files on it. 
[IMG alt="image13.jpg"]https://cryptoworld.su/wp-content/uploads/2021/08/image13.jpg[/IMG] [I]ICMP Echo Request[/I] Ryuk will attempt to encode files on any [B]host it finds[/B], similar to how it is used for local drives. The ransomware creates a [B]UNC path[/B] for all drive letters [B](A to Z) [/B]in the format Then the Trojan will attempt to gain access and [B]encrypt along the way. [/B]This attempt is shown in the following figure.[B][I]\\<IP>\<drive letter>$[/I][/B][I].[/I][B][I]\\<IP>[/I][/B][I].[/I] [IMG alt="image-052.png"]https://cryptoworld.su/wp-content/uploads/2021/08/image-052.png[/IMG] [I]Encrypting files over UNC[/I] [B]Server message block (SMB) replication[/B] The [B]Ryuk [I]9 REP[/I][/B] command line process is responsible for replicating malware to new computers, while checking to see if the process is running twice. To do this, [B]a mutex object[/B] is created with a name similar to the username of the machine. If the mutex is already present, the [B]procedure will be stopped.[/B] [IMG alt="image-054.png"]https://cryptoworld.su/wp-content/uploads/2021/08/image-054.png[/IMG] [I]Creating a mutex[/I] In the next step, Ryuk monitors the presence of [B]its own files[/B] on the remote computer using the [B]API[/B] [B][I]GetFileAttributesW[/I][/B]. The [B]UNC[/B] file path is created in parallel; Then the program will try to access the folder [B][I]C: \ Users \ Public[/I][/B] on the remote computer. The file is created with a name that is the checksum of the current username with the added suffix [B][I]r.exe.[/I][/B] [IMG alt="image-024.jpg"]https://cryptoworld.su/wp-content/uploads/2021/08/image-024.jpg[/IMG] [I]Copying the Ryuk file[/I] The ransomware then uses the [B]API[/B] [B][I]CopyFileW[/I][/B] to copy the file to the remote computer. 
To ensure that this copy is executed remotely, the malware will create a scheduled task with a random name using the utility [B][I]schtasks.exe.[/I][/B] [IMG alt="image14.jpg"]https://cryptoworld.su/wp-content/uploads/2021/08/image14.jpg[/IMG] [I]Creating a remote service[/I] Thus, for each compromised remote machine, two commands are executed: Code: schtasks.exe /Create /S 192.168.56.2 /TN qdpRGwh /TR "C:\\Users\\Pub- lic\\622r.exe" /sc once /st 00:00 /RL HIGHEST schtasks.exe /S 192.168.56.2 /Run /TN qdpRGwh [B]Conclusion[/B] This concise report shows a technical description of the Ryuk ransomware and the latest features that have been integrated into its code in order to increase the damage to organizations falling into the victim category. Interestingly, Ryuk's attention has shifted to web servers, as instead of encrypting the index files in the web server folders, the software replaces them with a ransom message. In addition, the Ryuk developers have added the ability to print a malware ransom message on the default printer. In the first half of the year, a number of hacker groups that exploit Ryuk vigorously campaigned and attacked offices around the planet. This is why cybercriminals using Ryuk will resume developing new features and ways of doing things to maximize their value. [/QUOTE]
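The quoted post lists the exact command lines Ryuk runs on a victim (icacls on a drive root, taskkill /IM .. /F, net stop .. /y, the schtasks print loop and the remote schtasks pair). A detection engineer would turn those shapes into rules over process-creation telemetry. The following is an added example, not code from the post or from any vendor: the rules are written from the commands quoted above, the event format and the sample events are constructed for the example, and the field layout and the bulk-termination threshold are assumptions.

```python
r"""Added example (not from the original post): matching the command lines the
post attributes to Ryuk against process-creation telemetry.

The rules are derived from the commands quoted in the post: icacls granting
Everyone:F on a drive root with /T, taskkill /IM <name> /F, net stop <svc> /y,
schtasks creating a task on a remote host (/S) whose action is an .exe under
C:\Users\Public, the follow-up schtasks /Run, and the wordpad.exe /p print
loop. Event format, sample events and the bulk threshold are constructed.
"""
import re
from collections import Counter

# Each rule: (name, compiled regex). Case-insensitive; runs of backslashes are
# matched loosely because shells and loggers often escape them.
RULES = [
    ("icacls_everyone_full_drive",
     re.compile(r'icacls(\.exe)?\s+"?[A-Z]:\\+\*"?\s+/grant\s+Everyone:\s*F\b.*\s/T\b', re.I)),
    ("taskkill_force",
     re.compile(r'taskkill(\.exe)?\s+/IM\s+\S+\s+/F\b', re.I)),
    ("net_stop_service",
     re.compile(r'\bnet(\.exe)?\s+stop\s+\S+\s+/y\b', re.I)),
    ("schtasks_remote_public_exe",
     re.compile(r'schtasks(\.exe)?\s+/Create\b.*\s/S\s+\S+.*\s/TR\s+"?[A-Z]:\\+Users\\+Public\\+[^"\s]+\.exe', re.I)),
    ("schtasks_remote_run",
     re.compile(r'schtasks(\.exe)?\s+/S\s+\S+\s+/Run\s+/TN\s+\S+', re.I)),
    ("schtasks_print_loop",
     re.compile(r'schtasks(\.exe)?\s+/Create\b.*wordpad\.exe\s+/p\b', re.I)),
]

# A single taskkill or net stop is routine administration; the post describes
# a loop over 41 processes and 64 services, so several hits on one host in a
# short window is the signal. The threshold is an assumption.
BULK_RULES = {"taskkill_force", "net_stop_service"}
BULK_THRESHOLD = 5


def match_rules(cmdline):
    """Return the names of all rules that match one command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def scan_events(events):
    """events: iterable of (host, cmdline) tuples.

    Returns (hits, bulk_hosts): hits is a list of (host, rule_name, cmdline),
    bulk_hosts the set of hosts whose taskkill/net stop count reached
    BULK_THRESHOLD."""
    hits, bulk = [], Counter()
    for host, cmd in events:
        for name in match_rules(cmd):
            hits.append((host, name, cmd))
            if name in BULK_RULES:
                bulk[host] += 1
    return hits, {h for h, n in bulk.items() if n >= BULK_THRESHOLD}


# Constructed sample telemetry (host, command line): benign administrative
# commands mixed with the shapes quoted in the post.
SAMPLE_EVENTS = [
    ("WS01", r'icacls "C:\*" /grant Everyone:F /T /C /Q'),
    ("WS01", r'icacls C:\Projects\app /grant Alice:R'),
    ("WS01", r'C:\Windows\System32\taskkill.exe /IM sqlservr.exe /F'),
    ("WS01", r'C:\Windows\System32\taskkill.exe /IM audioendpointbuilder.exe /F'),
    ("WS01", r'C:\Windows\System32\net.exe stop vss /y'),
    ("WS01", r'C:\Windows\System32\net.exe stop backupsvc /y'),
    ("WS01", r'C:\Windows\System32\net.exe stop mssqlserver /y'),
    ("WS01", r'SCHTASKS /CREATE /NP /SC DAILY /TN "PrintvE" /TR "C:\Windows\System32\cmd.exe /c for /l %x in (1,1,50) do start wordpad.exe /p C:\users\Public\YTKkI.dll" /ST 10:25'),
    ("WS01", r'schtasks.exe /Create /S 192.168.56.2 /TN qdpRGwh /TR "C:\\Users\\Public\\622r.exe" /sc once /st 00:00 /RL HIGHEST'),
    ("WS01", r'schtasks.exe /S 192.168.56.2 /Run /TN qdpRGwh'),
    ("ADMIN1", r'schtasks /Create /TN NightlyBackup /TR "C:\Program Files\Backup\run.exe" /sc daily /st 02:00'),
    ("ADMIN1", r'net stop spooler'),
]

if __name__ == "__main__":
    found, bulk_hosts = scan_events(SAMPLE_EVENTS)
    for host, name, cmd in found:
        print(f"{host:7} {name:28} {cmd}")
    print("hosts with bulk process/service termination:", sorted(bulk_hosts))
```

The remote-task rule keys on two things that rarely coincide in legitimate administration: a task created on another host with `/S`, and an action binary under `C:\Users\Public`. The single benign `net stop spooler` and the local backup task in the sample produce no hits, while the Ryuk-shaped lines produce nine and push WS01 over the bulk threshold.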
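The post describes the Wake on Lan magic packet Ryuk sends as 6 bytes of 0xFF followed by the target MAC address repeated 16 times, 102 bytes in total. A workstation that starts emitting such packets to many neighbours is an anomaly worth alerting on. The following is an added example, not code from the post: a strict parser for that layout plus a small aggregation over captured UDP payloads. The sample payloads and source addresses are constructed.

```python
"""Added example (not from the original post): parse and validate Wake on Lan
magic packets of the layout the post describes, and group them by sender.

Layout: 6 synchronisation bytes of 0xFF, then the destination MAC repeated
16 times (6 + 6 * 16 = 102 bytes). Sample inputs below are constructed.
"""

SYNC = b"\xff" * 6      # synchronisation stream
MAC_LEN = 6
REPEATS = 16
MAGIC_LEN = len(SYNC) + MAC_LEN * REPEATS   # 102 bytes


def build_magic_packet(mac: str) -> bytes:
    """Build a magic packet for a MAC given as 'aa:bb:cc:dd:ee:ff' (used here
    only to construct test input; it is the same layout any WoL tool emits)."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != MAC_LEN:
        raise ValueError("MAC must be 6 bytes")
    return SYNC + raw * REPEATS


def parse_magic_packet(payload: bytes):
    """Return the target MAC as 'aa:bb:cc:dd:ee:ff' if payload starts with a
    well-formed magic packet, else None.

    Trailing bytes after the 102-byte body are tolerated (some senders append
    a SecureOn password); a body whose 16 repeats disagree is rejected, which
    keeps random 0xFF-prefixed data from being mistaken for a wake-up."""
    if len(payload) < MAGIC_LEN or payload[:len(SYNC)] != SYNC:
        return None
    mac = payload[len(SYNC):len(SYNC) + MAC_LEN]
    if payload[len(SYNC):MAGIC_LEN] != mac * REPEATS:
        return None
    return mac.hex(":")


def wol_senders(packets):
    """packets: iterable of (src_ip, udp_payload).

    Returns {src_ip: set of target MACs}. One source waking many distinct
    targets is the pattern the post describes for the 8 LAN mode."""
    out = {}
    for src, payload in packets:
        mac = parse_magic_packet(payload)
        if mac is not None:
            out.setdefault(src, set()).add(mac)
    return out


# Constructed capture: one host waking two neighbours, one unrelated datagram,
# and one payload that has the 0xFF prefix but inconsistent repeats.
SAMPLE_CAPTURE = [
    ("10.0.0.5", build_magic_packet("00:11:22:33:44:55")),
    ("10.0.0.5", build_magic_packet("66:77:88:99:aa:bb")),
    ("10.0.0.9", b"not a magic packet"),
    ("10.0.0.9", SYNC + b"\x01" * 6 + b"\x02" * 90),
]

if __name__ == "__main__":
    for src, targets in wol_senders(SAMPLE_CAPTURE).items():
        print(f"{src} woke {len(targets)} host(s): {sorted(targets)}")
```

Feeding the function the UDP payloads from a packet capture (port 9 or 7 is customary, but the malware's choice of port is not stated in the post, so do not filter on it) gives a per-source count that can be thresholded like any other fan-out indicator.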
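The post notes twice that Ryuk uses strstr, a substring search, where an exact comparison was needed: once for process names (audioendpointbuilder is killed because its name contains a target string) and once for deciding whether a local address is in a private IPv4 range, which is why a public address can pass the check. The following is an added example, not code from the post: it shows a substring test of the kind described beside the check a correct implementation uses, so that a responder reading the scan results understands why non-private subnets may have been probed. The exact strings the binary searches for are not given in the post, so the three prefixes below are assumptions and the sample addresses are constructed.

```python
"""Added example (not from the original post): why a substring test for
"private" IPv4 addresses misfires, beside the correct network-membership test.

The prefixes in NAIVE_PREFIXES are an assumption about what a strstr-based
check searches for; the post only names the 10.x.x.x, 172.16.x.x and
192.168.x.x ranges. Sample addresses are constructed.
"""
import ipaddress

# Assumed substrings a strstr-style check would search for.
NAIVE_PREFIXES = ("10.", "172.16.", "192.168.")

# RFC 1918 private ranges as proper network objects. Note that the 172 block
# is a /12 (172.16.0.0 to 172.31.255.255), not just 172.16.x.x.
PRIVATE_NETS = (
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
)


def naive_is_private(addr: str) -> bool:
    """strstr-style check: true if any prefix occurs ANYWHERE in the string.
    This reproduces the class of bug the post describes, for comparison only."""
    return any(p in addr for p in NAIVE_PREFIXES)


def is_private_ipv4(addr: str) -> bool:
    """Correct check: parse the address and test network membership.
    Unparseable input is treated as not private rather than raising."""
    try:
        ip = ipaddress.IPv4Address(addr)
    except ValueError:
        return False
    return any(ip in net for net in PRIVATE_NETS)


def compare(addrs):
    """Return {addr: (naive_result, correct_result)} for a list of addresses,
    so the false positives and false negatives of the substring test line up."""
    return {a: (naive_is_private(a), is_private_ipv4(a)) for a in addrs}


# Constructed samples: a genuine private address, a public address that the
# substring test accepts because "10." appears mid-string, a private address
# in 172.17/16 that the substring test misses, and two public addresses.
SAMPLE_ADDRS = ["10.1.2.3", "100.10.5.1", "172.31.0.5", "203.0.113.10", "151.192.172.1"]

if __name__ == "__main__":
    for a, (naive, correct) in compare(SAMPLE_ADDRS).items():
        print(f"{a:16} substring={naive!s:5} correct={correct}")
```

Two things follow for an investigation: hosts on public subnets adjacent to the victim's addresses may have received ICMP probes and SMB connection attempts even though the malware "only targets private ranges", and hosts in 172.17.0.0 through 172.31.255.255 may have been spared for the same accidental reason.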