- A newly sampled variant of Ryuk appears to be able to spread to other computers on its own.
- Ryuk was already very successful even though it relied on its operators for lateral movement and for dropping the payload.
- The new worm-like capabilities may still be in an early testing phase, as they lack sophistication.
The French National Cybersecurity Agency (ANSSI) has recently discovered a fresh Ryuk sample in the wild that features worm-like capabilities. Worms are pieces of malicious software that can find other hosts within their reach and spread to them automatically, without an operator driving each step.
What this means is that a computer infected with the Ryuk ransomware could serve as a pivot point for infecting every system connected to the same network, with the malware propagating rapidly and getting out of hand before anyone realizes what is happening.
While we don't know whether the new variant is just a limited test or the start of a new era for this ransomware family, the fact that it was detected in the wild worries researchers. Ryuk was already very successful even though it required its operators to move it laterally by hand and to drop the payload themselves. With the new worming and self-replication attributes, the powerful file encrypter could become an even greater menace.
ANSSI's analysis of the new sample indicates that the malware relies on Windows RPC accesses to propagate: it generates every possible IP address on the local networks and sends an ICMP ping to each of them. The new variant also has no exclusion mechanism, so the same machine is targeted again and again even if it is already infected. Together with the absence of a MUTEX, this suggests Ryuk's authors are still testing: re-infecting hosts is noisy and does nothing to help the malware avoid detection.
The new sample features two hardcoded lists, 41 processes and 64 services, that are "killed" before encryption begins. Encryption is based on the Microsoft CryptoAPI, with a unique AES-256 key generated for each file. To reach systems in the scanned IP range that are powered down, the malware sends a Wake-on-LAN magic packet addressed to the corresponding MAC address; this wakes a sleeping or soft-off machine so that its drives become reachable and can be encrypted too.
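The two propagation behaviours described above, an ICMP sweep of every address in the local network followed by Wake-on-LAN magic packets, are both very loud on the wire, which makes them good detection material. The script below is an added example, not code from the article or from ANSSI's report: it runs simple detection logic over a constructed set of network events (the event record format, the host addresses, the MACs and the thresholds are all assumptions) and flags a source that pings most of a /24 and then emits magic packets. The magic-packet parser checks the real Wake-on-LAN layout: six 0xFF bytes followed by the target MAC repeated sixteen times, optionally followed by a 4- or 6-byte SecureOn password.

```python
"""Detect Ryuk-style worm propagation (ICMP sweep + Wake-on-LAN) in flow events.

Added example with constructed telemetry; not part of the original article.
Event shape, thresholds and addresses are assumptions made for illustration.
"""
import ipaddress
import json
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: float          # seconds
    src_ip: str
    dst_ip: str
    proto: str         # "icmp" or "udp"
    dst_port: int      # 0 for ICMP
    payload: bytes     # empty for ICMP in this toy format


WOL_PREAMBLE = b"\xff" * 6


def parse_wol_magic_packet(payload: bytes):
    """Return the target MAC ('aa:bb:cc:dd:ee:ff') if payload is a WoL magic
    packet, else None. Layout: 6 x 0xFF, then the 6-byte MAC repeated 16 times
    (102 bytes), optionally followed by a 4- or 6-byte SecureOn password."""
    if len(payload) not in (102, 106, 108) or payload[:6] != WOL_PREAMBLE:
        return None
    mac = payload[6:12]
    if payload[6:102] != mac * 16:
        return None
    return ":".join(f"{b:02x}" for b in mac)


def detect_icmp_sweeps(events, window=60.0, threshold=64):
    """Map src_ip -> (subnet, max distinct hosts pinged) for sources that ping
    at least `threshold` distinct hosts of one /24 within `window` seconds.
    The variant pings every address of the local network, so the count for an
    infected host approaches the whole subnet; admin tooling rarely does."""
    per_src = defaultdict(list)
    for e in events:
        if e.proto != "icmp":
            continue
        net = str(ipaddress.ip_network(f"{e.dst_ip}/24", strict=False))
        per_src[(e.src_ip, net)].append((e.ts, e.dst_ip))
    hits = {}
    for (src, net), seen in per_src.items():
        seen.sort()
        lo = 0
        for hi in range(len(seen)):           # sliding time window
            while seen[hi][0] - seen[lo][0] > window:
                lo += 1
            distinct = len({ip for _, ip in seen[lo:hi + 1]})
            if distinct >= threshold and distinct > hits.get(src, (net, 0))[1]:
                hits[src] = (net, distinct)
    return hits


def detect_wol(events):
    """Return [(src_ip, target_mac)] for every UDP payload that is a valid
    magic packet, regardless of port (WoL is usually UDP 7 or 9, but the
    payload, not the port, is what identifies it)."""
    hits = []
    for e in events:
        if e.proto == "udp":
            mac = parse_wol_magic_packet(e.payload)
            if mac is not None:
                hits.append((e.src_ip, mac))
    return hits


def correlate(events):
    """Combine both detectors: a sweeping host is reported together with the
    MACs it tried to wake, which is the sequence the worm-like sample shows."""
    wol_by_src = defaultdict(set)
    for src, mac in detect_wol(events):
        wol_by_src[src].add(mac)
    verdict = {}
    for src, (net, count) in detect_icmp_sweeps(events).items():
        verdict[src] = {"subnet": net, "hosts_pinged": count,
                        "wol_targets": sorted(wol_by_src.get(src, ()))}
    return verdict


def build_sample_events():
    """Constructed telemetry (not captured traffic)."""
    events, t = [], 1000.0
    for last in range(1, 255):                 # infected host sweeps the /24
        events.append(Event(t, "10.0.0.5", f"10.0.0.{last}", "icmp", 0, b""))
        t += 0.1
    for mac in (b"\x00\x11\x22\x33\x44\x55", b"\x00\x11\x22\x33\x44\x66",
                b"\xde\xad\xbe\xef\x00\x01"):  # then wakes three ARP-cache MACs
        events.append(Event(t, "10.0.0.5", "10.0.0.255", "udp", 9,
                            WOL_PREAMBLE + mac * 16))
        t += 0.05
    for dst in ("10.0.0.1", "10.0.0.2", "10.0.0.3"):  # benign admin pings
        events.append(Event(t, "10.0.0.9", dst, "icmp", 0, b""))
        t += 1.0
    # Unrelated UDP that starts with 0xFF bytes but is not a magic packet.
    events.append(Event(t, "10.0.0.9", "10.0.0.53", "udp", 53, b"\xff" * 6 + b"abc"))
    return events


if __name__ == "__main__":
    print(json.dumps(correlate(build_sample_events()), indent=2))
```

On the constructed data only 10.0.0.5 is reported, with all 254 hosts of 10.0.0.0/24 pinged and three wake targets; the admin host that pings three servers and the DNS packet that merely begins with 0xFF bytes are left alone. In a real deployment the events would come from flow records or a packet capture, and the threshold would be tuned to the subnet size and to legitimate monitoring tools on the network.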
There is still no decrypter available for Ryuk, so after all this time its encryption remains unbroken. Containing the threat therefore comes down to mitigating network traversal, that is, restricting the RPC access and network reachability the worm relies on to move between hosts.
If you are already dealing with an ongoing Ryuk infection, identify the privileged account being used for propagation and disable it or change its password. Doing so will disrupt the domain and most likely force reboots, but it also cuts off the spread.