CyberWire Daily - Ryuk ransomware relationship revelations. [Research Saturday]

Episode Date: March 23, 2019

Investigators from McAfee's advanced threat research unit, working with partners at Coveware, have reevaluated hasty attributions of Ryuk ransomware to North Korea and have explored the inner workings... of the threat. John Fokker is head of cyber investigations in McAfee's Advanced Threat research unit. He joins us to share their findings. The original research can be found here: https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/ryuk-exploring-the-human-connection/

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com. Hello, everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities and solving some of the hard problems of
Starting point is 00:01:10 protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us. And now, a message from our sponsor, Zscaler, the leader in cloud security. Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise by an 18% year-over-year increase in ransomware attacks and a $75 million record payout in 2024. These traditional security tools expand your attack surface with public-facing IPs that are exploited by bad actors more easily than ever with AI tools. It's time to rethink your security.
Starting point is 00:01:57 Zscaler Zero Trust Plus AI stops attackers by hiding your attack surface, making apps and IPs invisible, eliminating lateral movement, connecting users only to specific apps, not the entire network, continuously verifying every request based on identity and context, simplifying security management with AI-powered automation, and detecting threats using AI to analyze over 500 billion daily transactions. Hackers can't attack what they can't see. Protect your organization with Zscaler Zero Trust and AI.
Starting point is 00:02:33 Learn more at zscaler.com slash security. We did an earlier piece on Ryuk. It hit the news just after Christmas and New Year's. I was traveling back from the States back to Europe. That's John Fokker. He's head of cyber investigations in McAfee's Advanced Threat Research Unit. The research we're discussing today is titled Ryuk, Exploring the Human Connection. And we saw this at the several press instances,
Starting point is 00:03:08 like I think the LA Times and some other newspapers were unable to print their newspaper because it was hit by Ryuk. And the thing that stood out to me, and actually one of my colleagues who I did the first piece with, we were like, it was attributed within a day to North Korea. And we didn't know where it went in that direction.
Starting point is 00:03:28 But we both had a good feeling like, hey, we need to look into this because this is going the wrong way. We publish within McAfee, we publish a lot on North Korea. And this didn't have the same sign. So we took a good look at it. And we're actually one of the first ones to say, like, hey, based on if we just look at the facts, it could be a regular cybercrime operation, but it's probably not North Korea. And that actually started a movement. So we see a lot of our industry peers, well, follow suit.
Starting point is 00:04:00 And then they did a tremendous and really, really good in-depth additional research. But there was still something missing. And I was actually in contact with a company named Coveware. And they're great guys. And they specialize in mitigation of ransomware. So if a company that we always advocate don't pay because you're supporting the extortionists. But they said, well, all in all, it's the choice of the company. But what they do is they're transparent about it.
Starting point is 00:04:29 And they said like, hey, if you are thinking of negotiation, please call us. We'll help you out. And because we deal with this, we'll do the payments for you and all these things. And they had several Ryuk cases. And I was like, hey, that's interesting because from the security point of view, we always look at the malware and we try to pull it apart. But the human connection, which is in an extortion case, maybe even the most interesting or the most relevant one, wasn't discovered or wasn't spoken about, wasn't researched. So that made me team up with Coveware to take a closer look at how that worked for this specific ransomware family.
Starting point is 00:05:05 Yeah, it's an interesting collaboration. One of the things you lead off this particular post about, the research that you did here, you talk about something called the diamond model. Can you describe that for us? It's a holistic model for intrusion analysis. And you have, I think some of the listeners also know the cyber kill chain, but it's a way of structuring the connection between and it's shaped as a diamond that's no surprise between an adversary on the top and you have the victim on the bottom and either left or right you have the capability of an actor or an adversary and the infrastructure used and with capability we we often say the malware infrastructure could
Starting point is 00:05:42 be c2 infrastructure hosting hosting, all these things. Well, the adversary, that's the criminal. That could be one or several. And the victim, it's this goal. So when you look at traditional malware research, that's focused on the capability. And for instance, if we do a cybercrime investigation and we go on to a cybercriminal forum and we would like to talk to an adversary or we see an advertisement of a certain criminal so like hey do you want to buy this piece of ransomware then we're actually linking a capability the piece of ransomware that we found to somebody who is advertising it the
Starting point is 00:06:17 adversary or if we analyze the ransomware and within the code we see like hey it beacons out to this specific c2 or command and control server infrastructure. We make a link with the infrastructure. And thus, there's also a link between an adversary and a victim, especially in this case, because the victim has something that the adversary wants. And in this case, it's money. And vice versa is also true because the adversary has something that the victim wants, and that's access to his files. So it really, it provides a framework to sort of make connections between the various components. That is correct. Yeah. It's a way to structure your thought
Starting point is 00:06:55 process and to make sure that you're not missing anything. And I use it personally in shaping my research. So I know like, okay, I'm now looking at this part of my research, and it's interesting to explore this connection. Well, let's dig into some of the details here about Ryuk. One of the things you delved into was the ransom amounts and the negotiations. What did you find here? Ryuk is a targeted form of ransomware, as we have seen, and the ransom amounts are really high. They're much, much higher as compared to, for instance, GandCrab or the more run-of-the-mill, if you might call it, the other forms of ransomware as a service. So that's something that stands out in Ryuk. And in the
Starting point is 00:07:35 beginning when it was discovered, we saw that there was a similarity between the ransom note that the software leaves behind and other forms like BitPaymer. We still don't know if there's a link or if it's just a way of showing there. It's like a copy and imitation as the sincerest form of flattery. Right, right. There's some laziness with a copy and paste. Yeah, yeah. Why change something winning?
Starting point is 00:08:01 In Dutch, we say, why would you develop something that's half flawed if you can just steal it and it's perfect? I like it. So in terms of the numbers here, what are we talking about? What kind of dollars are they asking for? Oh, wow. They have demands in Bitcoins, and it could be they calculate it. That's what we suspect also when working with Coveware, because it's targeted. So they access the network. It's not like, okay, they deliver the ransomware and they lock your machine and they hope that you'll pay. They actually actively intrude your network, do a lateral movement, try to get control of the domain controller, and then
Starting point is 00:08:45 have an estimate about how big your network is. And based on the size of your network, they will show you or they will demand a certain amount of Bitcoins. And that could be a relatively large amount, for instance, if you're a hosting company, because then you have a lot of computers. So it's sizable. And it could be anywhere from 10 Bitcoins all the way up to, I think, we saw like 100 or 30. But it's relatively really, really high amounts. Yeah. And one of the things you pointed out in your research was that that sort of spreads a disproportionate amount of risk to particular industries. That is correct. Yeah. Yeah, if you run an industry where you're relying on, for instance, logistics or, like I touched on, hosting providers,
Starting point is 00:09:34 there's not a lot of profit to be made and you have a lot of systems to work together and you cannot afford a lot of downtime. Those type of companies are hit the hardest by Ryuk, especially if they don't have proper backups and it's not segmented. And they were able to penetrate the whole network. As we have been told by Coveware, they had in our research, we saw companies going out of business because of this. Now, one of the things that you tracked is their Bitcoin activity. What did you see there? Yeah, you see when we look at the activity, we do see that there's a large amount. It varies, us being the separate victims. And we see there's payments being done and there's payments taken out. So people are paying and they're making a lot of money. That's what we see. Yeah. It's interesting also to me that
Starting point is 00:10:17 they seem to be open to negotiations. Yes. It is a really interesting negotiation style. It's extremely short and blunt. But we did see two types of profiles, though. Some were stonewalled and they said like, hey, you have modus operandi. And they actually were very susceptible to negotiation. So it was able to lower the amount to have to be paid. And that's interesting to us because that shows two different methods of operation. And that might indicate that there's several people or several groups active with Ryuk. Yeah, it was interesting to note in some of the email responses that you published in your research, one of them even included a paragraph on ways to protect yourself from future infections. Yeah, that's something that's typical for a lot of ransomware cases that we see. I think CryptoWall back in the day was one of the first ones to start with,
Starting point is 00:11:23 congratulations, you're now part of the club. And for some reason, sometimes they even see themselves as a help desk. And I've read a lot of these communications. And I don't know if there's such a thing as a cyber Stockholm syndrome, but sometimes even the victims are grateful that they can get their files back. And they're grateful to the criminals, which is interesting to me because they're actually the perpetrators. Yeah. Well, let's dig into some of the details of the decrypter. So suppose someone does pay up.
Starting point is 00:11:54 They pay the ransom. What do they get sent, and what's in that file? What we suspect, and that's our running hypothesis, and we're almost certain, it's a modified version of Hermes, and Hermes was a kit. Hermes 2.1 was a kit that sold on exploit.in, the forum. And what they get there is a really simple decryptor on MS-DOS, and you could run it. And the first iteration, when you run it, it will check if the virus is still persistent within the registry. It will delete that registry key, it will delete the service, and it will ask you to
Starting point is 00:12:31 reboot the system. When you rebooted it, you'd run the system again, and it's just basically a couple of lines of terminal code. It has two options: either you can decrypt per file, or it says an automatic decryption. But it is very rudimentary and very simple. Whereas Ryuk is targeted at organizations. It's usually several computers and it is a network environment and they try to spread it en masse. Whereas when we take a look at the decryptor, it's never built for network distribution decryption. It is a very faulty program, which halts if there's some alterations in the file path.
Starting point is 00:13:16 And it will just fail the decryption process. So it makes me believe that they've modified something just slightly, but it wasn't made for this type of ransomware, targeted ransomware distribution. Yeah, that's an interesting disconnect that on the encryption side, they have, I suppose, a certain level of sophistication by being able to move laterally and so forth, but the decryptor doesn't match. Yeah, our suspicions are with this group is that their speciality, and that's also linked with the way it's delivered. So from our industry peers, we've seen it as well. There's a really strong connection with TrickBot,
Starting point is 00:13:52 one of the more sophisticated, well, it's not even a bank control unit anymore. It's a Swiss army knife. And we suspect that the group or the groups behind it have a better skill set in penetration testing or doing the actual penetration, lateral movement, getting the domain controller, and more the hands-on hacking skills as opposed to being a brilliant ransomware or malware coder.
Starting point is 00:14:20 So we see that they're really comfortable in running through a system and gaining control, but they're not coders. So they will use the Ryuk, what we think is that they bought that somewhere else, and they will just deploy that. That's a telltale sign that's specific for this type of infection. Yeah, it's interesting that when you look at how Ryuk is a very expensive bit of ransomware. I guess the amount of ransom that they're asking for is very high. You would expect better customer service, for lack of a better word, when it comes to getting your files back. That is absolutely true. For the amount of money that they ask and that they're actually being paid, you would
Starting point is 00:15:06 expect that they could. I actually jokingly said that to a couple of colleagues, like, wow, they could hire a really good programmer to make this into a much better product. But it is very worrisome for us as well, because certain companies, they go all out and they could barely pay the ransom demand. Then you're faced with a decryptor that doesn't work properly, and that brings you in another level of problems. You're either able to fail and you won't get your files back at all, or it takes away the extensions of your files. So only by your file name, you should recognize what your files are. Well, try to do that in a network environment for a company that's months worth of work. That's so strange. So yeah, I don't want to call it out,
Starting point is 00:15:45 but they better do some better programming. Yeah, it's interesting because you think, you know, word would get around. They'd get a bad reputation and people would stop paying the ransom. Yeah, because they get inside and they infect, they're really, really successful in spreading through a network and spreading on all these computer systems. And certain companies, they also have a problem with the backups because they go that far that they can also wipe out the backup systems as well. Yeah, you made a really good point in your post here about this. You said that victims should always make an exact copy of the encrypted hard disk before trying to use the decryptor. That is correct. And that actually goes for any type of ransomware. When you look at what the industry does together with law
Starting point is 00:16:30 enforcement, we've set up a portal called No More Ransom where you can get keys for ransomware. It's not necessarily for Ryuk, but for other forms of ransomware as well. So if you have recent backups and you can place them back, fine, go for it. Then you're back in business. But if you have the option, please leave your encrypted drive and back up to a new drive, because at least you'll have your files even though they're encrypted. But if there's a decryptor coming out in the future, you can use that to decrypt your files. And in the case of Ryuk, because it's faulty, at least you have a second chance. You can figure out, based on, for instance, the findings that we had in our article, you have a second try.
Starting point is 00:17:08 Nothing is worse than if you only have one copy and you try to decrypt it and it fails and all your files are lost forever. Yeah. Well, so take us through, what are your conclusions here? Based on the information you've gathered here, what do you think we're dealing with? Yeah, we try to do our research based on a competing hypothesis. So we actually put a hypothesis out there that we think is our leading hypothesis, and we actually invite the industry to prove otherwise. It's more of a scientific approach because if they can't prove it otherwise or falsify our findings, then it's the strongest hypothesis. And what we think is that Ryuk is a direct descendant of Hermes 2.1.
Starting point is 00:17:51 There's slight modifications, but we saw the Hermes file marker in the decryptor as in the software and in the encrypted files. Well, as I said earlier, Ryuk is definitely not designed to use in large-scale corporate environments. And that also shows the scalability issues from the decryptor. And based on the negotiations that we saw and the tactics, the TTPs, we think there's several actors or actor groups spreading Ryuk. And they might be tied in because there's a relationship with TrickBot. And also based on some of the conversations that we have seen, we think there's a link with some post-Soviet republics, that there's a definite link with that because we found some quotes. What do you make of when we were at the beginning of our conversation about what you perceive, I suppose, as a misattribution that
Starting point is 00:18:42 was sort of latched onto by a lot of people. It can happen. It's what we see in the industry a lot is there's a lot of and also from the media and everybody wants to know who done it, who is behind it. That's natural. And I come from a law enforcement background. And that's also who done it. That's also the question that everybody wants to know.
Starting point is 00:19:03 But we have to realize that when we're in the security industry and we're looking at the capability of actors, that who is not our strong suit. It's more like what happened and how did they do it? We should shy away from attribution. And that's our call. Because the whole case was linked on a finding that there was something that actually the ransomware was used by North Korea in a separate campaign as a distraction. But it had no signs that it was made by North Korea or whatever. And we could find the ransomware back on the forums, on a Russian underground forum. So it was a jump to conclusions.
Starting point is 00:19:39 And we would really advocate, don't do that. Just stick to the facts. And together, as an industry, everybody has a piece of the puzzle. And then we can tie it together and come to the stronger hypothesis and actually help law enforcement agencies worldwide with their efforts in attribution or arresting these individuals. So what are your recommendations for organizations to protect themselves, both against Ryuk specifically, but ransomware in general? Network segmentation, have your antivirus updated, look at, especially with the targeted ransomware campaigns or any targeted campaign, look at how your identity management is done because they always go for the domain controller. Look at, for instance, in a corporate environment, take a look at your users and reevaluate the rights that certain users have because there's
Starting point is 00:20:39 a lot of like rights aggregation taking place in companies, maybe even enforce two-factor authentication on certain accounts, things like that. It's basic disaster recovery hygiene and hardening your network infrastructure with defense in depth. For this ransomware, there's no general decryptor. But for other ransomware cases, I would advise people, if you want to have more prevention advice or what to do, or if you want to report to the police, please visit nomoreransom.org. It's a nonprofit. It's made by a lot of industry partners, so ourselves and all the other companies and law enforcement and government agencies. And they offer free decryptors for a lot of things. So if there's
Starting point is 00:21:21 any listeners, for instance, who got hit by GandCrab, and they have up to, I think, GandCrab version 5.1, there's a general decryptor that can help get your files back. Our thanks to John Fokker from McAfee for joining us. The research is titled Ryuk, Exploring the Human Connection. We'll have a link in the show notes. Cyber threats are evolving every second and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
Starting point is 00:22:07 ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Valecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening.
