Ryuk Ransomware PDF
UDURRANI
UDURRANI 1
Introduction
Ryuk is a fictional character in a Japanese series that I never followed. I don't know much about the character, but the Ryuk ransomware variant is pretty interesting: it's not as straightforward as other variants. The first-stage executable I found was compiled on Aug 14th (8/14/2018).
Summary
Flow
If you follow the life cycle of this payload, it executes multiple commands, mainly NET.exe, NET1.exe, DEL.exe, REG.exe and TASKKILL.exe.
All the commands are executed using the ShellExecuteW() function.
In this case the param uses CMD.exe to execute the other commands, with rbp holding the command-line argument(s). Don't worry about sign_extend(); that is just there to widen a shorter value to a longer one. Internally, in most cases the ShellExecute() function calls CreateProcess().
Let's look at all the TASKKILL commands. I am sure you can figure out what those commands are doing.
The payload runs the following commands for persistence:
del /s /f /q c:\*.VHD c:\*.bac c:\*.bak c:\*.wbcat c:\*.bkf c:\Backup*.* c:\backup*.* c:\*.set c:\*.win c:\*.dsk
del /s /f /q d:\*.VHD d:\*.bac d:\*.bak d:\*.wbcat d:\*.bkf d:\Backup*.* d:\backup*.* d:\*.set d:\*.win d:\*.dsk
del /s /f /q e:\*.VHD e:\*.bac e:\*.bak e:\*.wbcat e:\*.bkf e:\Backup*.* e:\backup*.* e:\*.set e:\*.win e:\*.dsk
del /s /f /q f:\*.VHD f:\*.bac f:\*.bak f:\*.wbcat f:\*.bkf f:\Backup*.* f:\backup*.* f:\*.set f:\*.win f:\*.dsk
del /s /f /q g:\*.VHD g:\*.bac g:\*.bak g:\*.wbcat g:\*.bkf g:\Backup*.* g:\backup*.* g:\*.set g:\*.win g:\*.dsk
del /s /f /q h:\*.VHD h:\*.bac h:\*.bak h:\*.wbcat h:\*.bkf h:\Backup*.* h:\backup*.* h:\*.set h:\*.win h:\*.dsk
del %0
The vssadmin and del commands are part of a dropped file called windows.bat.
I remember another ransomware, actually a wiper, that I named server destroyer. It also had a similar set of features. Please NOTE: this particular payload is not a wiper. You can take a look at the server destroyer wiper by clicking on the following links:
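The del lines above are a clear telemetry signature: recursive, forced, quiet deletion of backup file patterns across every drive letter, followed by the batch file deleting itself. The following is an added example (not code from the original write-up) that scores process-creation command lines for exactly those traits and rolls them up per parent process. The event tuples are constructed samples, and the score thresholds are assumptions chosen for illustration.

```python
"""Score command lines for the backup-wiping pattern documented in windows.bat.

Added example, not part of the original write-up. Signals checked:
  - `del` with /s /f /q against backup-related globs (weight 3)
  - any use of vssadmin (weight 2)
  - batch self-deletion via `del %0` (weight 1)
"""
import re

# Globs taken from the del commands in the write-up, lower-cased for matching.
BACKUP_GLOBS = {
    "*.vhd", "*.bac", "*.bak", "*.wbcat", "*.bkf",
    "backup*.*", "*.set", "*.win", "*.dsk",
}
DEL_RE = re.compile(r"^\s*del\b", re.IGNORECASE)
DRIVE_PATH_RE = re.compile(r"^([a-z]):\\(.+)$", re.IGNORECASE)


def analyze_command(cmdline):
    """Return the findings for a single command line."""
    findings = {"backup_delete": False, "drives": [], "vssadmin": False,
                "self_delete": False, "score": 0}
    if "vssadmin" in cmdline.lower():
        findings["vssadmin"] = True
        findings["score"] += 2
    if DEL_RE.match(cmdline):
        tokens = cmdline.split()[1:]
        flags = {t.lower() for t in tokens if t.startswith("/")}
        targets = [t for t in tokens if not t.startswith("/")]
        if "%0" in targets:  # the batch file removing itself
            findings["self_delete"] = True
            findings["score"] += 1
        drives = set()
        for t in targets:
            m = DRIVE_PATH_RE.match(t)
            if m and m.group(2).lower() in BACKUP_GLOBS:
                drives.add(m.group(1).lower())
        # Only the recursive + forced + quiet combination is treated as wiping.
        if drives and {"/s", "/f", "/q"} <= flags:
            findings["backup_delete"] = True
            findings["drives"] = sorted(drives)
            findings["score"] += 3
    return findings


def triage(events):
    """Aggregate (parent_image, command_line) events per parent process.

    A parent is flagged when its accumulated score reaches 5 (assumed threshold).
    """
    sessions = {}
    for parent, cmd in events:
        f = analyze_command(cmd)
        s = sessions.setdefault(parent, {"drives": set(), "vssadmin": False,
                                         "self_delete": False, "score": 0})
        s["drives"].update(f["drives"])
        s["vssadmin"] = s["vssadmin"] or f["vssadmin"]
        s["self_delete"] = s["self_delete"] or f["self_delete"]
        s["score"] += f["score"]
    return {p: {**s, "drives": sorted(s["drives"]), "alert": s["score"] >= 5}
            for p, s in sessions.items()}


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ("cmd.exe", r"del /s /f /q c:\*.VHD c:\*.bac c:\*.bak c:\*.wbcat c:\*.bkf "
                r"c:\Backup*.* c:\backup*.* c:\*.set c:\*.win c:\*.dsk"),
    ("cmd.exe", r"del /s /f /q d:\*.VHD d:\*.bac d:\*.bak"),
    ("cmd.exe", "vssadmin delete shadows /all /quiet"),
    ("cmd.exe", "del %0"),
    # Benign: a single-file delete without /s /f and no backup glob.
    ("explorer.exe", r"del /q C:\Users\alice\Desktop\notes.txt"),
]

if __name__ == "__main__":
    for parent, summary in triage(SAMPLE_EVENTS).items():
        print(parent, summary)
```

The per-parent roll-up matters because each del line is a separate process creation; looking at one event in isolation gives a weak signal, whereas the same cmd.exe parent sweeping several drive letters and then deleting its own batch file is the pattern the write-up describes.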
SUMMARY
http://udurrani.com/0fff/server_ransomware.pdf
AUTOMATED FLOW THAT SHOWS LATERAL MOVEMENT AND ALL THE COMMANDS
http://udurrani.com/0fff/server_ransomware_flow.pdf
http://udurrani.com/exp0/olympic_destroyer.pdf
Injection
The payload uses the following functions to iterate through the process stack:
CreateToolhelp32Snapshot() // If return != INVALID_HANDLE_VALUE
-> Process32First
-> Process32Next
The payload uses the above methodology to go through the processes but skips the following ones, i.e. they are excluded from injection:
❖ csrss.exe
❖ explorer.exe
❖ lsaas.exe
The payload actually has a function that takes an integer value. This value is the PID that the attacker wants to inject into. Once the payload retrieves the right PID, it is passed to the function and the injection mechanism starts working.
YES! You got it: your files are getting encrypted recursively by the brand new thread created right after the injection, and you can't do squat about it.
The good news is: it doesn't touch some of the folders, e.g. Windows, Chrome, Mozilla, but that doesn't really help!
Ransom Note
Gentlemen!
Now your files are crypted with the strongest millitary algorithms RSA4096 and AES-256.
No one can help you to restore files without our special decoder.
If you want to restore your files write to emails (contacts are at the bottom of the sheet)
and attach 2-3 encrypted files
(Less than 5 Mb each, non-archived and your files should not contain valuable information
(Databases, backups, large excel sheets, etc.)).
You will receive decrypted samples and our conditions how to get the decoder.
Please don't forget to write the name of your company in the subject of your e-mail.
As soon as we get bitcoins you'll get all your decrypted data back.
Moreover you will get instructions how to close the hole in security
and how to avoid such problems in the future
+ we will recommend you special software that makes the most problems to hackers.
contact emails
[email protected]
or
[email protected]
BTC wallet:
15RLWdVnY5n1n7mTvU1zjg67wt86dhYqNj
Ryuk
No system is safe
File Extension: Normally a ransomware payload would change the file extensions, but in this case file names and extensions are not touched. However, the file content is encrypted. I like to code, that's why I developed a similar ransomware that uses AES-RSA encryption and won't modify file extension(s). I tested it against 2 AV engines. NOTE: It's not about who is better. I had 2 AV engines, so I used them for testing.
https://youtu.be/QkNjGGqvtQM
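Because the extension stays the same, an extension-based inventory will not notice anything. What does change is the content: a .txt that suddenly has near-8-bits-per-byte entropy, or a .pdf that no longer starts with its signature, has been rewritten. The following is an added example (not from the original write-up) that flags such files by combining a file-signature check with a Shannon entropy check. The sample files are constructed in memory, the entropy threshold of 7.5 is an assumption, and the pseudo_ciphertext() helper merely produces deterministic high-entropy bytes to stand in for encrypted content.

```python
"""Flag files whose extension is unchanged but whose content no longer fits it.

Added example, not part of the original write-up. Two signals:
  - magic mismatch: a type with a known signature no longer starts with it
  - high entropy: a plain-text type now looks like random bytes
Compressed containers (.zip, .docx) are legitimately high-entropy, so for
them only the signature check is used.
"""
import hashlib
import math
import os
from collections import Counter

# Well-known leading bytes for a few common types.
MAGIC = {
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".zip": b"PK\x03\x04",
    ".docx": b"PK\x03\x04",
}
# Plain-text types: no signature, but entropy should stay well below 8 bits/byte.
TEXT_EXTS = {".txt", ".csv", ".log", ".ini"}


def shannon_entropy(data):
    """Bits per byte of the empirical byte distribution (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify(name, data, entropy_threshold=7.5):
    """Return entropy, the reasons a file looks rewritten, and a verdict."""
    ext = os.path.splitext(name)[1].lower()
    entropy = shannon_entropy(data)
    reasons = []
    if ext in MAGIC and not data.startswith(MAGIC[ext]):
        reasons.append("magic mismatch")
    if ext in TEXT_EXTS and entropy > entropy_threshold:
        reasons.append("high entropy")
    return {"entropy": round(entropy, 2), "reasons": reasons,
            "suspicious": bool(reasons)}


def pseudo_ciphertext(n, seed=b"constructed-sample"):
    """Deterministic high-entropy bytes (SHA-256 chain) standing in for ciphertext."""
    out = bytearray()
    block = seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:n])


def scan(files):
    """files: mapping of file name -> content bytes. Returns a verdict per file."""
    return {name: classify(name, data) for name, data in files.items()}


# Constructed samples: a before/after pair for a text file and a PDF, plus a zip.
SAMPLE_FILES = {
    "notes.txt": b"Quarterly figures and meeting notes, nothing unusual here.\n" * 64,
    "invoice.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj\n<<>>\nendobj\n" + b"0" * 1000,
    "notes_after.txt": pseudo_ciphertext(4096),      # extension kept, content encrypted
    "invoice_after.pdf": pseudo_ciphertext(4096),    # extension kept, signature gone
    "archive.zip": b"PK\x03\x04" + pseudo_ciphertext(2000),  # high entropy but valid signature
}

if __name__ == "__main__":
    for name, verdict in scan(SAMPLE_FILES).items():
        print(f"{name:20} entropy={verdict['entropy']:.2f} {verdict['reasons']}")
```

Run over a file share, this kind of check is noisy on its own (encrypted archives, media, and already-compressed documents are all high-entropy), which is why the signature check carries the weight for typed formats and the entropy check is restricted to formats that are expected to be plain text.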
Conclusion
- No matter what people tell you, you MUST back up your corporate data
- Use 2 layers of end-point security
- Hire security folks that can automate
- Remember, if you pay the ransom, that doesn't guarantee you will get your data back. BlackSheep ransomware had no decryption path.
- Last but not least, hire smart folks