Ryuk Ransomware Attack Detection

On the rebound of increased ransomware activities, Ryuk ransomware holds the top spot having victimized internationally renowned companies. Over the last several weeks, researchers are reporting a number of successful ransomware attacks that hit entire networks. The world’s largest office furniture company Steelcase was forced to shut down their systems after the attack, but they report to their shareholders about no known data loss caused by the attack. Ryuk ransomware put out of action the facilities operations within the Universal Health Services and made the infected hospitals shut down their systems and redirect their patients to other healthcare facilities, which shows that healthcare still attracts Ryuk operators after their violent activity at the beginning of the pandemic. Also, an IT services company Sopra Steria informed about the detected attack. According to FBI information, the hackers’ gainings from Ryuk ransomware attacks have exceeded $61M.

Ryuk ransomware attacks on the Healthcare sector

It became known this week that Ryuk affiliates are preparing a massive campaign targeting the US Healthcare sector. Federal agencies released a Security Alert, which warns of the campaign, reveals tactics used by cybercriminals and some indicators of compromise. More than 400 healthcare facilities could be targeted, and according to unverified information, adversaries have already infected 30 of them. 

Cybercriminals plan to cause panic and force a large number of organizations to pay a ransom to decrypt the data. It is also worth noting that Ryuk affiliates often steal sensitive data before encrypting files to have additional leverage on victims. Now the situation is also aggravated by the upcoming elections.

For their recent attacks, fraudsters behind Ryuk attacks adopted the flaw of Zerologon and capabilities of malware frameworks to gain privilege escalation. The exploitation of the vulnerability allowed cybercriminals to hijack domain controllers within hours after a single system in the organization’s network was infected via a phishing email with the BazarLoader and encrypt data both on servers, including backup servers, and on workstations. You can learn more about this vulnerability and the content available at Threat Detection Marketplace to detect its exploitation here.

The new Ryuk strains leverage different techniques to escape detection, then call a function that makes changes to execution permissions. Compared to the earlier ransomware strains, the recent Ryuk attacks show significantly reduced time to encryption, thus considerably decreasing chances for targeted companies to timely detect the attack.

Ryuk attack detection

In almost every case, attacks proceed differently and for each attack, attackers create a unique ransomware sample, so IOCs-based content is unlikely to help detect and stop an attack in time. Our team and Threat Bounty program participants publish threat hunting rules to help identify techniques and procedures leveraged by BazarLoader and Ryuk ransomware. 

SINGLEMALT / KEGTAP / Ryuk Techniques and Procedures rule by Roman Ranskyi: https://tdm.socprime.com/tdm/info/lf753JGo35D4/4Y32c3UBmo5uvpkjQZWE/

Osman Demir, active Threat Bounty developer of actionable detection content for Threat Detection Marketplace, published a Sigma rule that enables detection of the ransomware strain used in the recent attacks – Ryuk Encryption and Evasion Techniques

https://tdm.socprime.com/tdm/info/9lnBk5qhd9IV/Nb8mZXUBTwmKwLA9QLI2/

We also recommend that you pay attention to the following rules available at the Threat Detection Marketplace:

Persistence Of Ryuk Ransomware rule by Emir Erdogan: https://tdm.socprime.com/tdm/info/eWyQLgWZwv3v/EGzmQHUBmo5uvpkju9HX/

Team9/Bazar batch filename pattern (via cmdline) rule by SOC Prime Team: https://tdm.socprime.com/tdm/info/51onXdAhOkLs/sE9tvHIBSh4W_EKGAAjz/

Team9/Bazar scheduled task name (via audit) rule by SOC Prime Team: https://tdm.socprime.com/tdm/info/efOdljfHf6Qk/3KjlQHUBTwmKwLA94W5a/

Bazar Loader Detection (Sysmon detection) rule by Ariel Millahuel: https://tdm.socprime.com/tdm/info/QDvyH85txiBA/w6jmQHUBTwmKwLA9cm-b/

Ryuk detection is available for Chronicle Security and Apache Kafka ksqlDB. The rules have translations for the following platforms:

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, LogPoint, Humio

EDR: Microsoft Defender ATP, Carbon Black, Elastic Endpoint

 

MITRE ATT&CK: 

Tactics: Impact, Execution, Defense Evasion, Persistence, Discovery, Privilege Escalation, Lateral Movement, Command And Control

Techniques: Data Encrypted for Impact (T1486), User Execution (1204), BITS Jobs (T1197), Domain Trust Discovery (T1482), Remote File Copy (T1544), Remote Services (T1021), Signed Binary Proxy Execution (T1218), Windows Management Instrumentation (T1047), Modify Registry (T1112), Process Injection (T1055), Query Registry (T1012), Registry Run Keys / Startup Folder (T1060), Scripting (T1064)

 

Some behavioral rules for Ryuk ransomware attacks:

WMIC LOLBAS Usage:

https://tdm.socprime.com/tdm/info/BepoiNiXj8Ut/y8WK1W4BUORkfSQheZnZ/

NTDSUTIL:

https://tdm.socprime.com/tdm/info/SOvxy6p5Cnof/Hp4_n2UBtApo-eN_NyF6/

Execution from non-execution folder:

https://tdm.socprime.com/tdm/info/RVIFEay7irsd/bW5VKmkBFVBAemBcGlNv/

NTDS Access:

https://tdm.socprime.com/tdm/info/6VhAtbw6rBa2/WTk92W0BLQqskxffCpek/

Mimikatz Rules:

https://tdm.socprime.com/tdm/info/qoNd4DX79bOa/CzkT2W0BLQqskxffCpcz/

https://tdm.socprime.com/tdm/info/ee3PIzxoFMI6/ncIy2W0BEiSx7l0HIpz0/

https://tdm.socprime.com/tdm/info/QctzDmwqbvco/7MIw0G0BEiSx7l0H9JIj/

https://tdm.socprime.com/tdm/info/es5UmjxJNrQg/FDkd2W0BLQqskxffjZe7/

https://tdm.socprime.com/tdm/info/74llvzojtbi4/PELH6m4ByU4WBiCt6HUg/

PSEXEC Usage:

https://tdm.socprime.com/tdm/info/7GxQdQqC8jRl/Q8XMxm4BUORkfSQh5Yyq/

https://tdm.socprime.com/tdm/info/R8d9PuDz6Kqf/B8tD8nABTfY1LRoXMJme/



Ready to try out SOC Prime Threat Detection Marketplace? Sign up for free. Or join Threat Bounty Program to craft your own content and share it with the Threat Detection Marketplace community.