Historically, Ryuk has been considered a targeted ransomware: its operators scope out a victim, gain access via Remote Desktop Services or other direct methods, steal credentials, and then go after high-profile data and servers to extort the highest possible ransom.
Ryuk has been a high-profile ransomware because of its wide impact on the networks it infects, its high ransom demands, and reports that its operators have earned close to 3.7 million dollars. Just recently, Ryuk was used in an attack that disrupted newspaper distribution for large publications such as the Wall Street Journal, New York Times, and Los Angeles Times.
New research now indicates that the Ryuk actors may be renting other malware as an Access-as-a-Service to gain entrance to a network.
In new reports by both FireEye and CrowdStrike, researchers explain how TrickBot is being used by other actors to get access to infected networks. Once these bots infect a computer, they create reverse shells back to other actors, such as the ones behind Ryuk, who then manually infiltrate the rest of the network and install their payloads.
FireEye tracks this activity as TEMP.MixMaster, the label it applies to any incident it has seen where Ryuk is installed following a TrickBot infection. FireEye believes the TrickBot operators are renting their access to a limited number of cyber criminals, who use it to get into networks where TrickBot is already installed.
“The TrickBot administrator group, which is suspected to be based in Eastern Europe, most likely provide the malware to a limited number of cyber criminal actors to use in operations,” states FireEye’s research.
Ryuk is not the only ransomware that targets enterprise victims. FireEye has also seen the Dridex bot being used by the actors behind BitPaymer, while SamSam continues to directly target victims without the use of other malware to gain access.
“These two groups are using interactive access that enables them to deploy ransomware in a coordinated fashion to an organization’s most critical systems and involving a human operator in payment negotiations,” Christopher Glyer, Chief Security Architect at FireEye, told internetnewsblog via email. “This technique is also used by a third group (that doesn’t use banking trojan access) who deploy SamSam ransomware to extort victims. Two of the threat actors were recently indicted by the Department of Justice.”
TrickBot to Ryuk
TrickBot is commonly distributed through large malspam campaigns whose attachments install the malware onto a computer. CrowdStrike has also stated that TrickBot can be installed by a different malware called Emotet, which is itself distributed through malspam.
These malspam campaigns impersonate various legitimate companies, sending emails whose subjects pose as HSBC payment advice, payroll emails, documents from Lloyds Bank, and Deloitte payroll schedules.
One of the campaigns FireEye observed leading to Ryuk is a malspam campaign pretending to be a Deloitte payroll schedule. This campaign carries attachments that, once opened with macros enabled, download and install TrickBot on the victim's computer.
Once TrickBot is installed, it opens a reverse shell back to the actors, giving them remote access to the infected computer, from which they install Ryuk throughout the network.
They typically do this by downloading Empire, a PowerShell post-exploitation toolkit that lets actors quickly push payloads across a network while evading detection.
The actors use Empire to steal credentials from other computers on the network and then install the Ryuk ransomware on high-value targets. Once run, the ransomware encrypts files, appends a .RYK extension to their names, and drops ransom notes named RyukReadMe.txt.
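The two artifacts named above, the .RYK extension on encrypted files and the RyukReadMe.txt ransom note, are what a responder will sweep for first. The following Python helper is an added example, not code from the article or from FireEye or CrowdStrike: it walks a file listing, groups the artifacts by directory, recovers the original names of encrypted files (Ryuk appends its extension rather than replacing the original one), and reports which local drives and UNC shares were reached. The listing, host names and paths are constructed sample data.

```python
"""Sweep a file-system listing for Ryuk artifacts: files renamed with a .RYK
extension and RyukReadMe.txt ransom notes. Added example, not code from the
article or from any vendor report; the listing below is constructed."""
from collections import defaultdict
from pathlib import PureWindowsPath

RYUK_EXTENSION = ".ryk"            # appended to every file Ryuk encrypts
RYUK_NOTE_NAME = "ryukreadme.txt"  # ransom note dropped into affected folders

# Constructed inventory of a workstation and a file server (hypothetical
# host names and paths, not captured data).
SAMPLE_LISTING = [
    r"C:\Users\jdoe\Documents\Q3-budget.xlsx.RYK",
    r"C:\Users\jdoe\Documents\RyukReadMe.txt",
    r"C:\Users\jdoe\Documents\notes.txt",
    r"C:\Users\jdoe\Desktop\RyukReadMe.txt",
    r"C:\Windows\System32\kernel32.dll",
    r"\\FILESRV01\Shares\Finance\payroll.accdb.RYK",
    r"\\FILESRV01\Shares\Finance\RyukReadMe.txt",
    r"\\FILESRV01\Shares\Public\readme.txt",
]


def triage_listing(paths):
    """Return {directory: {"encrypted": [original names], "note": bool}}
    for every directory that holds at least one Ryuk artifact.

    Comparison is case-insensitive because the extension is written in
    upper case (.RYK) while many inventory tools normalise to lower case.
    """
    findings = defaultdict(lambda: {"encrypted": [], "note": False})
    for raw in paths:
        path = PureWindowsPath(raw)
        directory = str(path.parent)
        if path.suffix.lower() == RYUK_EXTENSION:
            # Ryuk appends its extension, so stripping it recovers the
            # original file name for the inventory of what was encrypted.
            findings[directory]["encrypted"].append(path.with_suffix("").name)
        elif path.name.lower() == RYUK_NOTE_NAME:
            findings[directory]["note"] = True
    return dict(findings)


def affected_drives(paths):
    """Local drives and UNC shares that show Ryuk artifacts, which tells a
    responder how far the actors got from the initial TrickBot host."""
    return {PureWindowsPath(d).drive for d in triage_listing(paths)}


def encrypted_file_count(paths):
    """Total number of files renamed with the .RYK extension."""
    return sum(len(v["encrypted"]) for v in triage_listing(paths).values())


if __name__ == "__main__":
    for directory, hit in sorted(triage_listing(SAMPLE_LISTING).items()):
        print(f"{directory}: note={hit['note']} encrypted={hit['encrypted']}")
    print("drives reached:", sorted(affected_drives(SAMPLE_LISTING)))
```

A directory that holds a ransom note but no .RYK files (the Desktop entry above) is still reported, since the note is dropped before or alongside encryption and marks a folder the actors touched even when nothing there was worth encrypting.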
The use of TrickBot does not mean the actors behind Ryuk are not also targeting victims and gaining access through open services like Remote Desktop Services. Glyer told internetnewsblog that by partnering with TrickBot, Ryuk is now offered an additional “target of opportunity” to gain access to a network.
From Russia with Love
Historically, researchers have attributed the Ryuk ransomware to North Korea. This is because of code similarities between Ryuk and the Hermes ransomware, which was used in an attack on a Taiwanese bank that was widely believed to have been carried out by North Korean actors.
In October 2017, the Hermes Ransomware was used to misdirect IT staff while cybercriminals were stealing money from the FEIB, or Far Eastern International Bank, in Taiwan. This attack was attributed to the Lazarus Group, which is a hacking group believed to be operating out of North Korea.
Because the Hermes and Ryuk code bases are so similar, Ryuk has been attributed to North Korean actors as well.
In research first released this week by McAfee and then followed the next day by FireEye and CrowdStrike, researchers now feel that it is more likely that the actors behind Ryuk originate from Russia.
This is because in August 2017 the Hermes ransomware was being sold on the underground hacking forum Exploit.in by a Russian-speaking actor. Furthermore, like most Russian-based ransomware, it contains code so that it will not encrypt computers whose system language is set to Russian, Ukrainian, or Belarusian.
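The language gate just described is worth seeing concretely, because it shapes both attribution and analysis. The Python below is an added example, not the malware's own code: it models the check against Windows LANGID values. The language constants are the standard ones from winnt.h; the use of GetSystemDefaultLangID and the decision to compare only the primary-language half of the identifier are assumptions made for illustration, and the sample locale table is constructed.

```python
"""Model of the locale gate described in the article: the sample refuses to
encrypt hosts whose system language is Russian, Ukrainian or Belarusian.
Added example, not Hermes or Ryuk code. Language constants are from winnt.h;
the kernel32 call used and the primary-language comparison are assumptions."""
import sys

# Primary language identifiers from winnt.h.
LANG_RUSSIAN = 0x19
LANG_UKRAINIAN = 0x22
LANG_BELARUSIAN = 0x23
EXCLUDED_PRIMARY_LANGS = {LANG_RUSSIAN, LANG_UKRAINIAN, LANG_BELARUSIAN}


def primary_lang_id(langid: int) -> int:
    """PRIMARYLANGID(): the low 10 bits of a 16-bit Windows LANGID."""
    return langid & 0x3FF


def sub_lang_id(langid: int) -> int:
    """SUBLANGID(): the high 6 bits, the regional variant of the language."""
    return (langid >> 10) & 0x3F


def encryption_suppressed(langid: int) -> bool:
    """True when the gate would spare this host.

    Comparing only the primary language (an assumption about the sample)
    means regional variants such as Russian as used in Moldova (0x0819)
    are spared as well, not just ru-RU (0x0419).
    """
    return primary_lang_id(langid) in EXCLUDED_PRIMARY_LANGS


def current_langid():
    """Read the live system LANGID on Windows through kernel32; None elsewhere.
    GetSystemDefaultLangID is assumed here; the sample may use another API."""
    if sys.platform != "win32":
        return None
    import ctypes
    return ctypes.windll.kernel32.GetSystemDefaultLangID() & 0xFFFF


# Constructed sample of LANGID values (standard Microsoft assignments).
SAMPLE_LANGIDS = {
    "en-US": 0x0409,
    "de-DE": 0x0407,
    "ru-RU": 0x0419,
    "ru-MD": 0x0819,
    "uk-UA": 0x0422,
    "be-BY": 0x0423,
}


def evaluate(samples=SAMPLE_LANGIDS):
    """Map each sample locale to whether the gate would spare it."""
    return {name: encryption_suppressed(value) for name, value in samples.items()}


if __name__ == "__main__":
    for name, spared in evaluate().items():
        print(f"{name}: {'skipped' if spared else 'encrypted'}")
    live = current_langid()
    if live is not None:
        print(f"this host (LANGID 0x{live:04X}): "
              f"{'skipped' if encryption_suppressed(live) else 'encrypted'}")
```

The practical consequence for analysts is that a sample detonated in a sandbox whose system language is one of the three listed will show no encryption at all, so a locale that the gate does not exclude has to be used to observe the payload.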
A later post in that same forum thread mentions the ransomware Ryuk. This caused the researchers to wonder if the Lazarus Group simply bought an off-the-shelf ransomware to use as part of their attack, rather than spending the time to create a new one.
“What if the actor who attacked the Taiwanese bank simply bought a copy of Hermes and added it to the campaign to cause the distraction?” stated McAfee’s research. “Why go to the trouble to build something, when the actor can just buy the perfect distraction in an underground forum?”
At the same time, what if Hermes was created by North Korean actors who added the language checks to make it appear as though it was made by a Russian speaker? Unfortunately, it is difficult to tell, which is why attribution can be so hard.