A recent spate of infections by the Ryuk ransomware in large organizations may be the work of attackers who are using a chain of malware, including Emotet and TrickBot, to gain footholds in target companies before then delivering the ransomware and demanding large Bitcoin payments.
Ryuk is a relatively new strain of ransomware, having emerged last summer, and hasn’t been too widely deployed yet. But it has some notable attributes, including some rather large ransom demands and its growing association with Emotet and TrickBot. A number of security research teams have been tracking the attackers behind these infections, and have found that while the group isn’t using Ryuk on all of the machines infected with Emotet or TrickBot, they’re having quite a bit of financial success with the organizations they are compromising. Researchers at CrowdStrike estimate that the group behind the attacks have pulled in more than $3.7 million in ransom since August.
The attack chain in these incidents typically begins with an infection by the Emotet malware somewhere in the target organization. This often happens through a phishing email with an infected attachment that delivers the malware once it’s opened. After the initial infection, the operator will at some point push the TrickBot malware as a payload to the Emotet-infected machine. TrickBot often is used to steal credentials and other data inside a network. The final stage in the infection operation is the delivery of the Ryuk ransomware, which will then encrypt selected files on the infected machines and drop notes demanding a Bitcoin payment. The ransom demand can vary, from one or two Bitcoin, to as high as 99, according to CrowdStrike’s analysis.
“Our tracking shows that the actors behind Emotet regularly drop malware executables composed of Trickbot and IcedID, among others. The Trickbot and IcedID payloads are observed to be dropped directly via the module loader. However, with the Ryuk ransomware module, it follows a different control-flow path,” an analysis by security firm Kryptos Logic says.
“Ryuk infections are seldom, if ever, dropped directly by Emotet. When the Ryuk module is delivered to a victim, it is done transiently through a Trickbot infection and other tools, not the original Emotet bot.”
"These code similarities are insufficient to conclude North Korea is behind Ryuk attacks."
The Ryuk ransomware has been used in a handful of high-profile infections, including one at the Tribune Publishing company in late December, and another at cloud hosting provider Data Resolution. Researchers say it appears that the operators of the TrickBot malware are being selective about how it’s used, with the same being true of the Ryuk ransomware.
“The TrickBot administrator group, which is suspected to be based in Eastern Europe, most likely provide the malware to a limited number of cyber criminal actors to use in operations. This is partially evident through its use of 'gtags' that appear to be unique campaign identifiers used to identify specific TrickBot users,” Kimberly Goody, Jeremy Kennelly, Jaideep Natu, Christopher Glyer of FireEye wrote in an analysis of the campaign.
“In recent incidents investigated by our Mandiant incident response teams, there has been consistency across the gtags appearing in the configuration files of TrickBot samples collected from different victim networks where Ryuk was also deployed. The uniformity of the gtags observed across these incidents appears to be due to instances of TrickBot being propagated via the malware’s worming module configured to use these gtag values.”
There have been a number of analyses that have connected the Ryuk campaign to North Korean attackers, although some others have cast doubt on that assertion. Researchers at CrowdStrike and FireEye said that the Ryuk code was quite similar to the more common Hermes malware, and may actually be a derivative of it. Hermes has been used by APT38, an attack group associated with North Korea, but that doesn’t necessarily connect Ryuk to North Korea.
“Notably, while there have been numerous reports attributing Ryuk malware to North Korea, FireEye has not found evidence of this during our investigations. This narrative appears to be driven by code similarities between Ryuk and Hermes, a ransomware that has been used by APT38. However, these code similarities are insufficient to conclude North Korea is behind Ryuk attacks, as the Hermes ransomware kit was also advertised for sale in the underground community at one time,” the FireEye researchers said.