The French National Agency for the Security of Information Systems (ANSSI) announced that, earlier this year, it identified a sample of Ryuk capable of spreading automatically within infected networks. ANSSI presented its findings in a recently published report.
Active since at least 2018 and believed to be operated by Russian cyber-criminals, the Ryuk ransomware has been at the spearhead of numerous high-profile attacks. The malware is estimated to have caused $150 million in damages. In October 2020 alone, Ryuk was responsible for 75% of attacks on the American healthcare sector, Bloomberg reported.
Ryuk previously relied on other malware for its initial deployment: the ransomware was distributed by BazarLoader and sometimes by Emotet. Since 2017, the loader most commonly used to distribute Ryuk has been TrickBot.
In the past, Ryuk had no worm-like capabilities, although it was known to encrypt data on compromised networks and removable drives. Researchers now say it is capable of lateral movement within infected networks.
Ryuk encrypts files with a combination of symmetric (AES) and asymmetric (RSA) cryptography. It can kill specific processes on the infected system, append the .RYK extension to encrypted files, power on workstations via the Wake-on-LAN feature, and delete all shadow copies to hinder data recovery.
To spread to other machines, the ransomware copies its executable to identified network shares under a name carrying a rep.exe or lan.exe suffix. After that, “through the use of scheduled tasks, the malware propagates itself – machine to machine – within the Windows domain. Once launched, it will thus spread itself on every reachable machine on which Windows RPC accesses are possible,” ANSSI explains.
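The behaviours described in the two preceding paragraphs (copies with a rep.exe or lan.exe suffix dropped on network shares, scheduled tasks launching such copies, shadow-copy deletion, and the .RYK extension on encrypted files) can be turned into simple triage rules. The Python below is an added example written for this page, not code from ANSSI or from the report; the event format and the sample events are constructed for the example, and the use of `vssadmin` as the shadow-copy deletion indicator is an assumption, since the report as quoted here does not name the command.

```python
"""Triage constructed endpoint/file-server events for the Ryuk propagation
indicators described above. Detection logic only: it flags the copy-to-share,
scheduled-task, shadow-copy-deletion and .RYK-extension patterns per host."""
import re
from collections import defaultdict

# Constructed, simplified event format for this example (not real telemetry):
#   <timestamp> <host> <event_type> <detail>
SAMPLE_EVENTS = r"""
2021-02-26T10:01:12Z WS01 FILE_CREATE \\FS01\public\tools\updaterep.exe
2021-02-26T10:01:13Z WS01 FILE_CREATE \\FS01\public\tools\updatelan.exe
2021-02-26T10:01:40Z WS02 TASK_CREATE name=Maintenance action=C:\Users\Public\updaterep.exe
2021-02-26T10:02:05Z WS02 PROCESS_START vssadmin.exe delete shadows /all /quiet
2021-02-26T10:03:30Z WS02 FILE_RENAME C:\Users\alice\report.docx -> C:\Users\alice\report.docx.RYK
2021-02-26T10:04:00Z WS03 FILE_CREATE \\FS01\public\plan.xlsx
2021-02-26T10:05:00Z WS03 TASK_CREATE name=Backup action=C:\Program Files\Backup\backup.exe
"""

# Executable written to a UNC share whose file name ends in rep.exe or lan.exe
SHARE_COPY_RE = re.compile(r"^\\\\[^\\]+\\.*(rep|lan)\.exe$", re.IGNORECASE)
# Scheduled-task action that launches such a copy, wherever it sits on disk
TASK_ACTION_RE = re.compile(r"action=(.+?(?:rep|lan)\.exe)\s*$", re.IGNORECASE)
# Shadow-copy deletion. Assumption: the report does not name the command used;
# vssadmin is matched here because it is the usual way shadow copies are removed.
SHADOW_DELETE_RE = re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.IGNORECASE)
# Rename whose target carries the .RYK extension
RYK_RENAME_RE = re.compile(r"->\s*.+\.RYK\s*$")

# Which rules apply to which event type
RULES = {
    "FILE_CREATE": [("share_copy", SHARE_COPY_RE)],
    "TASK_CREATE": [("task_propagation", TASK_ACTION_RE)],
    "PROCESS_START": [("shadow_copy_deletion", SHADOW_DELETE_RE)],
    "FILE_RENAME": [("ryk_extension", RYK_RENAME_RE)],
}


def parse_event(line):
    """Split one constructed event line into (timestamp, host, event_type, detail)."""
    parts = line.split(" ", 3)
    if len(parts) != 4:
        return None
    return tuple(parts)


def analyze_events(text):
    """Return a list of (host, rule_name, detail) findings for every matching event."""
    findings = []
    for line in text.strip().splitlines():
        parsed = parse_event(line.strip())
        if parsed is None:
            continue
        _timestamp, host, event_type, detail = parsed
        for rule_name, pattern in RULES.get(event_type, []):
            if pattern.search(detail):
                findings.append((host, rule_name, detail))
    return findings


def summarize(findings):
    """Map each host to the sorted, de-duplicated rule names that fired on it."""
    per_host = defaultdict(set)
    for host, rule_name, _detail in findings:
        per_host[host].add(rule_name)
    return {host: sorted(rules) for host, rules in per_host.items()}


if __name__ == "__main__":
    results = analyze_events(SAMPLE_EVENTS)
    for host, rule_name, detail in results:
        print(f"{host}: {rule_name}: {detail}")
    print(summarize(results))
```

On the sample data, WS01 is flagged only for the share copies, WS02 for the scheduled task, shadow-copy deletion and .RYK renames together, and WS03 not at all; a host that trips several of these rules within minutes is a stronger signal than any single one, which is why the summary is kept per host rather than per event.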
The French agency also notes that the identified sample does not appear to include a mechanism that prevents it from running again on a machine it has already infected, which suggests the malware can re-infect the same device repeatedly.