$400,000 was paid last month by the officials of Jackson County (Georgia) to recover their files after a RYUK ransomware variant hit their IT infrastructure. Except for the 911 emergency service and their website, everything went down, paralyzing activities and forcing everybody, including the sheriff’s office, to carry out operations the old way, on paper.
The FBI, with the help of cyber-security consultants, decided that it was best to pay the ransom, as other methods of recovery would have cost as much or even more money, while also keeping the systems down for a more extended period. In March 2018, officials in Atlanta (Georgia) ended up paying a whopping $17 million to recover their systems after SamSam ransomware attacked their IT network.
RYUK is commonly used in targeted attacks and is usually distributed by other malware and phishing email campaigns. Jackson County officials have not confirmed how their system got infected. RYUK also crippled some operations of a few important publications, such as the Wall Street Journal and the New York Times, among many others.
RYUK ransomware – test findings
RYUK is not a typical ransomware, as the methods used to encrypt are very advanced. Upon execution, the malware copies itself to another location and deletes the original executable. Then it makes sure that shadow volume copies of files, as well as other file extensions and folders typically used by backup systems (like vhd, dsk, bkf, bak), are deleted to limit recovery options. It does this using a batch file, which is initially saved on the disk in an encrypted form, later decrypted and finally executed.
The most common user file types are encrypted. The files are not renamed; their content is replaced with encrypted data while the original names and extensions are kept. We call this type of ransomware “replacers”, and they are usually very difficult to detect.
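One defender-side heuristic for the “replacer” behaviour described above, added here as an illustration and not code from TEMASOFT or from the RYUK sample: a file whose name and extension are untouched, but whose expected leading header is gone and whose body is high-entropy, has most likely been swapped for ciphertext. The header table, the threshold of 7.5 bits per byte and the sample files are constructed for the example; `_constructed_ciphertext` is a stand-in for encrypted content.

```python
import hashlib
import math
from collections import Counter

# Leading "magic" bytes for a few common user file types (constructed subset, not exhaustive).
MAGIC = {
    "pdf": b"%PDF-",
    "docx": b"PK\x03\x04",  # OOXML documents are ZIP containers
    "xlsx": b"PK\x03\x04",
    "png": b"\x89PNG\r\n\x1a\n",
}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plain text sits around 4-5, encrypted data approaches 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_replaced(name: str, data: bytes, threshold: float = 7.5) -> bool:
    """True when name and extension are intact but the header is gone and the body is high-entropy."""
    ext = name.rsplit(".", 1)[-1].lower()
    expected = MAGIC.get(ext)
    if expected is None or data.startswith(expected):
        return False  # unknown type, or header still matches the extension
    return shannon_entropy(data) >= threshold

def scan_files(files: dict) -> list:
    """Return the names of files in {name: content} whose content looks swapped for ciphertext."""
    return [name for name, data in files.items() if looks_replaced(name, data)]

def _constructed_ciphertext(n: int) -> bytes:
    """Deterministic high-entropy bytes standing in for encrypted content (constructed, not real RYUK output)."""
    out, block = b"", b"constructed-sample"
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]

# Constructed sample "disk": two in-place replacements hidden among intact files.
SAMPLE_FILES = {
    "quarterly.pdf": _constructed_ciphertext(4096),  # replaced, extension kept
    "photo.png": MAGIC["png"] + b"\x00" * 512,  # header intact
    "budget.xlsx": _constructed_ciphertext(4096),  # replaced, extension kept
    "notes.txt": _constructed_ciphertext(4096),  # no known header: no verdict
    "memo.pdf": b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n",
}

if __name__ == "__main__":
    print(scan_files(SAMPLE_FILES))  # ['quarterly.pdf', 'budget.xlsx']
```

Formats without a fixed header (plain text, CSV) give no verdict here, which is why a real product combines such content checks with the file access pattern analysis the article mentions.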
But the most important particularity of RYUK is how it encrypts the files. It does not use its own executable for this, but a method called “memory injection”, which hijacks legitimate, even critical, system processes and uses them to do the encryption. This is very advanced programming, since critical system processes are normally well protected and difficult to interact with in the way RYUK does. The technique also ensures that few significant traces are left behind, making forensic analysis quite challenging, as only a handful of malware files are ever written to disk.
The most valuable effect of memory injection, from the attacker’s point of view, is the significantly reduced “visibility”. Users, as well as anti-malware solutions, find it difficult to detect malware activity as long as legitimate system processes are the ones doing the encryption. This is not a matter of one or two hijacked processes: in our test we collected almost 15 different ones.
RYUK also loads every time Windows starts, encrypting files over and over. We are unsure whether recovery is possible after many restarts, unless the same encryption key is used every time.
Many ransom notes are dropped on the disk during the attack, in most of the affected folders. The ransom note is simple and contains some tips, contact info (email addresses) and a Bitcoin wallet address.
As you can see in the video as well, RYUK is probably one of the most dangerous ransomware families of the last few months. Once one machine is infected, most systems in the network will probably be attacked, and the damage could be catastrophic and irreversible, especially as there are no publicly available tools to decrypt the files.
RYUK ransomware vs Ranstop – test results
TEMASOFT Ranstop detects this version of RYUK ransomware soon after it starts encrypting files. Upon detection, alerts are fired off, and the malware process is blocked and quarantined. The damaged files are automatically recovered so that the user doesn’t lose any important document.
About TEMASOFT Ranstop
TEMASOFT Ranstop is an anti-ransomware software that detects present and future ransomware, based on file access pattern analysis with a high degree of accuracy. At the same time, it protects user files so that they can be restored in case of malware attacks or accidental loss.