Mon. Nov 18th, 2019

NCSC issues an alert for Ryuk ransomware attack

2 min read

The United Kingdom (UK) National Cyber Security Centre (NCSC) issued an alert about the Ryuk ransomware attack, which was launched in conjunction with the Emotet and TrickBot malware. The researchers found that the Ryuk ransomware appeared in different organizational networks along with Emotet and TrickBot.

Ryuk ransomware was first discovered in August 2018, which infects and harms different organizations and benefits millions of dollars for hackers. Emotet is a well-known malware that is used by other Trojan as a dropper for initial infections, with victims all over the world. Trickbot is a bank malware that steals login credentials from an application. Since its discovery, hackers have continually added new features to Trickbot.

PGA ransomware

Ransomware uses TrickBot and Emotet malware in its attack chain, targeting large organizations to obtain high ransoms. The ransomware is said to be operated by a professional hacker organization, GRIM SPIDER.

Ryuk ransomware uses Emotet for initial infection and checks if the victim’s machine is susceptible to infection. Trickbot then deployed additional post-exploitation tools to support operations, including the Mimikatz and PowerShell Empire modules.

Post-exploitation modules to collect credentials and remotely monitor workstations to infect other systems on the same network. Machines infected with Emotet periodically check modules from the Command and Control Server (C2), which are usually DLLs or EXEs that are loaded on infected systems to extend functionality. All non-executable files are encrypted at the end of the infection process and display a ransomware prompt requesting payment of the ransom in Bitcoin. The Ryuk virus is a persistent infectious virus. The malware installer will stop some anti-virus software and install the appropriate version of Ryuk according to the system.

According to NCSC, Ryuk ransomware itself does not have the ability to move laterally across the network, so it relies on initial infection access, which enumerates the shared network and encrypts the shared network it can access. In addition, the anti-forensics technology used by ransomware makes backup recovery more difficult.