Malware Analysis | 08/23/2018

Detailed Technical Analysis Report of Ryuk Ransomware



RYUK Ransomware Overview

Ryuk is a ransomware family, identified by security researchers, that encrypts files on the victim's machine using the AES encryption algorithm.

Unlike most ransomware, it does not append an extension to the names of the files it encrypts; it focuses on encrypting the file contents. It drops the ransom note on the desktop and in every folder it processes.

Flow Chart

Technical Analysis of RYUK Ransomware

File Name: ryuk.exe
MD5: 5AC0F050F93F86E69026FAEA1FBB4450
File Type: .EXE
Spread Via: Spam Campaign & Exploit Kit

Detail Description of RYUK Ransomware with Screenshots


This ransomware contains the following PDB path:

PDB: C:\Users\Admin\Documents\Visual Studio 2015\Projects From Ryuk\ConsoleApplication54\x64\Release\ConsoleApplication54.pdb

On execution, the ransomware first checks the system architecture (32-bit or 64-bit) and drops the matching payload (both modules are embedded in the single file). While dropping the payload, it generates a random 5-letter file name using the srand function.


The randomly named payload file is then written to a directory chosen according to the OS version of the victim's machine. On Windows XP or older it writes the file under "Documents and Settings\Default User"; on any newer version of Windows it writes the file to "\Users\Public\".


As shown in the following screenshot:

Figure 1 Writes File Based On OS Version

It then checks whether it is running as a WOW64 process (IsWow64Process) and, depending on the result, writes the suitable 32-bit or 64-bit payload.

Figure 2 WOW64 Process Check

Finally, before the main ransomware process (ryuk.exe) terminates, the dropper (random_5_letter_name.exe) calls ShellExecuteW to execute the Ryuk ransomware payload.

Figure 3 Calling ShellExecuteW API

The ransomware attempts to kill several processes with the taskkill command:

C /IM zoolz.exe /F
C /IM mysqld-nt.exe /F
C /IM synctime.exe /F
C /IM agntsvc.exe /F
C /IM mysqld-opt.exe /F
C /IM tbirdconfig.exe /F
C /IM dbeng50.exe /F
C /IM ocautoupds.exe /F
C /IM thebat.exe /F
C /IM dbsnmp.exe /F
C /IM ocomm.exe /F
C /IM thebat64.exe /F
C /IM encsvc.exe /F
C /IM ocssd.exe /F
C /IM thunderbird.exe /F
C /IM excel.exe /F
C /IM onenote.exe /F
C /IM visio.exe /F
C /IM firefoxconfig.exe /F
C /IM oracle.exe /F
C /IM winword.exe /F
C /IM infopath.exe /F
C /IM outlook.exe /F
C /IM wordpad.exe /F
C /IM isqlplussvc.exe /F
C /IM powerpnt.exe /F
C /IM xfssvccon.exe /F
C /IM msaccess.exe /F
C /IM sqbcoreservice.exe /F
C /IM tmlisten.exe /F
C /IM msftesql.exe /F
C /IM sqlagent.exe /F
C /IM PccNTMon.exe /F
C /IM mspub.exe /F
C /IM sqlbrowser.exe /F
C /IM CNTAoSMgr.exe /F
C /IM mydesktopqos.exe /F
C /IM sqlservr.exe /F
C /IM Ntrtscan.exe /F
C /IM mydesktopservice.exe /F
C /IM sqlwriter.exe /F
C /IM mbamtray.exe /F
C /IM mysqld.exe /F
C /IM steam.exe /F

It also attempts to stop several services with the net stop command:

stop "Acronis VSS Provider" /y
stop ntrtscan /y
stop "Enterprise Client Service" /y
stop OracleClientCache80 /y
stop "Sophos Agent" /y
stop PDVFSService /y
stop "Sophos AutoUpdate Service" /y
stop POP3Svc /y
stop "Sophos Clean Service" /y
stop ReportServer /y
stop "Sophos Device Control Service" /y
stop ReportServer$SQL_2008 /y
stop "Sophos File Scanner Service" /y
stop ReportServer$SYSTEM_BGC /y
stop "Sophos Health Service" /y
stop ReportServer$TPS /y
stop "Sophos MCS Agent" /y
stop ReportServer$TPSAMA /y
stop "Sophos MCS Client" /y
stop RESvc /y
stop "Sophos Message Router" /y
stop sacsvr /y
stop "Sophos Safestore Service" /y
stop SamSs /y
stop "Sophos System Protection Service" /y
stop SAVAdminService /y
stop "Sophos Web Control Service" /y
stop SAVService /y
stop "SQLsafe Backup Service" /y
stop SDRSVC /y
stop "SQLsafe Filter Service" /y
stop SepMasterService /y
stop "Symantec System Recovery" /y
stop ShMonitor /y
stop "Veeam Backup Catalog Data Service" /
stop Smcinst /y
stop AcronisAgent /y
stop SmcService /y
stop AcrSch2Svc /y
stop SMTPSvc /y
stop Antivirus /y
stop SNAC /y
stop ARSM /y
stop SntpService /y
stop BackupExecAgentAccelerator /y
stop sophossps /y
stop BackupExecAgentBrowser /y
stop SQLAgent$BKUPEXEC /y
stop BackupExecDeviceMediaService /y
stop SQLAgent$ECWDB2 /y
stop BackupExecJobEngine /y
stop SQLAgent$PRACTTICEBGC /y
stop BackupExecManagementService /y
stop SQLAgent$PRACTTICEMGT /y
stop BackupExecRPCService /y
stop SQLAgent$PROFXENGAGEMENT /y
stop BackupExecVSSProvider /y
stop SQLAgent$SBSMONITORING /y
stop bedbg /y
stop SQLAgent$SHAREPOINT /y
stop DCAgent /y
stop SQLAgent$SQL_2008 /y
stop EPSecurityService /y
stop SQLAgent$SYSTEM_BGC /y
stop EPUpdateService /y
stop SQLAgent$TPS /y
stop EraserSvc11710 /y
stop SQLAgent$TPSAMA /y
stop EsgShKernel /y
stop SQLAgent$VEEAMSQL2008R2 /y
stop FA_Scheduler /y
stop SQLAgent$VEEAMSQL2012 /y
stop IISAdmin /y
stop SQLBrowser /y
stop IMAP4Svc /y
stop SQLSafeOLRService /y
stop macmnsvc /y
stop SQLSERVERAGENT /y
stop masvc /y
stop SQLTELEMETRY /y
stop MBAMService /y
stop SQLTELEMETRY$ECWDB2 /y
stop MBEndpointAgent /y
stop SQLWriter /y
stop McAfeeEngineService /y
stop SstpSvc /y
stop McAfeeFramework /y
stop svcGenericHost /y
stop McAfeeFrameworkMcAfeeFramework /y
stop swi_filter /y
stop McShield /y
stop swi_service /y
stop McTaskManager /y
stop swi_update_64 /y
stop mfemms /y
stop TmCCSF /y
stop mfevtp /y
stop tmlisten /y
stop MMS /y
stop TrueKey /y
stop mozyprobackup /y
stop TrueKeyScheduler /y
stop MsDtsServer /y
stop TrueKeyServiceHelper /y
stop MsDtsServer100 /y
stop UI0Detect /y
stop MsDtsServer110 /y
stop VeeamBackupSvc /y
stop MSExchangeES /y
stop VeeamBrokerSvc /y
stop MSExchangeIS /y
stop VeeamCatalogSvc /y
stop MSExchangeMGMT /y
stop VeeamCloudSvc /y
stop MSExchangeMTA /y
stop VeeamDeploymentService /y
stop MSExchangeSA /y
stop VeeamDeploySvc /y
stop MSExchangeSRS /y
stop VeeamEnterpriseManagerSvc /y
stop MSOLAP$SQL_2008 /y
stop VeeamMountSvc /y
stop MSOLAP$SYSTEM_BGC /y
stop VeeamNFSSvc /y
stop MSOLAP$TPS /y
stop VeeamRESTSvc /y
stop MSOLAP$TPSAMA /y
stop VeeamTransportSvc /y
stop MSSQL$BKUPEXEC /y
stop W3Svc /y
stop MSSQL$ECWDB2 /y
stop wbengine /y
stop MSSQL$PRACTICEMGT /y
stop WRSVC /y
stop MSSQL$PRACTTICEBGC /y
stop MSSQL$VEEAMSQL2008R2 /y
stop MSSQL$PROFXENGAGEMENT /y
stop SQLAgent$VEEAMSQL2008R2 /y
stop MSSQL$SBSMONITORING /y
stop VeeamHvIntegrationSvc /y
stop MSSQL$SHAREPOINT /y
stop swi_update /y
stop MSSQL$SQL_2008 /y
stop SQLAgent$CXDB /y
stop MSSQL$SYSTEM_BGC /y
stop SQLAgent$CITRIX_METAFRAME /y
stop MSSQL$TPS /y
stop "SQL Backups" /y
stop MSSQL$TPSAMA /y
stop MSSQL$PROD /y
stop MSSQL$VEEAMSQL2008R2 /y
stop "Zoolz 2 Service" /y
stop MSSQL$VEEAMSQL2012 /y
stop MSSQLServerADHelper /y
stop MSSQLFDLauncher /y
stop SQLAgent$PROD /y
stop MSSQLFDLauncher$PROFXENGAGEMENT /y
stop msftesql$PROD /y
stop MSSQLFDLauncher$SBSMONITORING /y
stop NetMsmqActivator /y
stop MSSQLFDLauncher$SHAREPOINT /y
stop EhttpSrv /y
stop MSSQLFDLauncher$SQL_2008 /y
stop ekrn /y
stop MSSQLFDLauncher$SYSTEM_BGC /y
stop ESHASRV /y
stop MSSQLFDLauncher$TPS /y
stop MSSQL$SOPHOS /y
stop MSSQLFDLauncher$TPSAMA /y
stop SQLAgent$SOPHOS /y
stop MSSQLSERVER /y
stop AVP /y
stop MSSQLServerADHelper100 /y
stop klnagent /y
stop MSSQLServerOLAPService /y
stop MSSQL$SQLEXPRESS /y
stop MySQL80 /y
stop SQLAgent$SQLEXPRESS /y
stop MySQL57 /y
stop wbengine /y
stop KAVFS /y
stop kavfsslp /y
stop mfefire /y
stop KAVFSGT /y

The ransomware also has a persistence mechanism that ensures it is restarted automatically after every reboot of the victim's system.

Figure 4 Process Tree of Ryuk Ransomware

It creates the following registry entry for persistence:

/C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "
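As an added example that is not part of the original report, the following Python routine classifies process-creation command lines for the behaviours described above (the taskkill and net stop bursts, the svchos Run key, and the five-letter payload under \Users\Public) and scores a set of events; the service-name fragments, the kill-target subset, the burst threshold and the sample events are assumptions constructed for the example.

```python
import re
from collections import Counter
# Added example, not from the report: flag process-creation command lines that match
# the Ryuk behaviours described above. Thresholds and sample events are constructed.
RUN_KEY = r"hkey_current_user\software\microsoft\windows\currentversion\run"
# Name fragments drawn from the report's net stop list (backup, database, AV services).
SERVICE_HINTS = ("veeam", "acronis", "sophos", "mcafee", "backupexec", "sql", "wbengine", "kav")
# Subset of the report's taskkill targets (databases, mail and Office clients).
KILL_TARGETS = {"sqlservr.exe", "mysqld.exe", "oracle.exe", "outlook.exe",
                "thunderbird.exe", "winword.exe", "excel.exe", "steam.exe"}

def classify(cmdline):
    """Map one command line to a finding label, or None if it is unremarkable."""
    c = cmdline.lower()
    m = re.search(r"taskkill\b.*?/im\s+(\S+)\s+/f", c)
    if m and m.group(1) in KILL_TARGETS:
        return "taskkill_target"
    m = re.search(r'net\s+stop\s+"?([^"]+?)"?\s+/y', c)
    if m and any(hint in m.group(1) for hint in SERVICE_HINTS):
        return "net_stop_backup_or_av"
    if "reg add" in c and RUN_KEY in c and '/v "svchos"' in c:
        return "run_key_svchos"
    # Dropper naming from the report: five random letters under \Users\Public (heuristic).
    if re.search(r"\\users\\public\\[a-z]{5}\.exe", c):
        return "public_dir_5letter_exe"
    return None

def assess(events, burst=5):
    """Count findings over (pid, cmdline) events; a lone kill or stop is routine admin work,
    the svchos Run key or `burst` kills/stops together is the chain the report describes."""
    counts = Counter()
    for _pid, cmd in events:
        label = classify(cmd)
        if label:
            counts[label] += 1
    suspicious = (counts["run_key_svchos"] > 0
                  or counts["taskkill_target"] + counts["net_stop_backup_or_av"] >= burst)
    return counts, suspicious

# Constructed sample telemetry (pid, command line), not captured from a real host.
SAMPLE_EVENTS = [
    (4120, r'"C:\Users\Public\cjoZX.exe"'),
    (4132, r'taskkill /IM sqlservr.exe /F'),
    (4136, r'taskkill /IM outlook.exe /F'),
    (4140, r'net stop "Sophos Agent" /y'),
    (4144, r'net stop VeeamBackupSvc /y'),
    (4148, r'net stop SQLWriter /y'),
    (4152, r'REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" '
           r'/v "svchos" /t REG_SZ /d "C:\Users\Public\cjoZX.exe"'),
]
```

Calling assess(SAMPLE_EVENTS) returns the per-label counts together with a True verdict; feeding it real process-creation telemetry (Sysmon event 1 or equivalent) is the intended use.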

The ransomware also enumerates running processes. It enables SeDebugPrivilege to extend its access to other processes, and skips explorer.exe, csrss.exe and lsass.exe.

Figure 5 Process Enumeration

Ryuk iterates over all processes and attempts to inject code into each process's address space.

Finally, it drops a window.bat file containing a batch script that deletes Volume Shadow Copies. Running that script requires UAC elevation.

Figure 6 UAC Permission to execute window.bat

Batch Script File Content:

Figure 7 Deletion of Shadow Copy

During execution it also drops the ransom note (RyukReadMe.txt) in every processed folder. Opened in Notepad, the note contains the following text:

Your network has been penetrated.

All files on each host in the network have been encrypted with a strong algorithm.

Backups were either encrypted or deleted or backup disks were formatted.
Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover.

We exclusively have decryption software for your situation
No decryption software is available in the public.

DO NOT RESET OR SHUTDOWN - files may be damaged.
DO NOT RENAME OR MOVE the encrypted and readme files.
DO NOT DELETE readme files.
This may lead to the impossibility of recovery of the certain files.

To get info (decrypt your files) contact us at
WayneEvenson@protonmail.com
or
WayneEvenson@tutanota.com

BTC wallet:
14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk

Ryuk
No system is safe

IOCs

Hash (MD5):
5AC0F050F93F86E69026FAEA1FBB4450

Associated File Paths:
C:\Users\Public\cjoZX.exe
C:\Users\Public\window.bat

Associated Email Addresses:
WayneEvenson@tutanota.com
WayneEvenson@protonmail.com

Associated Bitcoin Address:
14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk



Tips to Prevent Viruses and Malware from Infecting Your System:
  1. Enable your pop-up blocker: Pop-ups and ads on websites are among the most common tactics cybercriminals use to spread malicious programs. Avoid clicking on dubious sites, software offers and pop-ups, and install a capable ad blocker for Chrome, Mozilla and IE.
  2. Keep Windows updated: To avoid such infections, keep your system updated through automatic Windows Update. According to the survey, outdated versions of Windows are an easy target.
  3. Third-party installers: Avoid freeware download websites, as their installers or stub files usually bundle additional software.
  4. Regular backups: Regular, periodic backups keep your data safe if the system is infected by a virus or any other malware. Back up important files regularly to a cloud drive or an external hard drive.
  5. Always run an antivirus: Prevention is better than cure. We recommend installing an antivirus such as ITL Total Security or a good malware removal tool.
