Ryuk first appeared in August 2018, and while not incredibly active across the globe, at least three organizations were hit with Ryuk infections over the course of the first two months of its operations, landing the attackers about $640,000 in ransom for their efforts.
According to CrowdStrike analysis from late last week, Grim Spider has specialized in going after big game with Ryuk – targeting large organizations for a high-ransom return. Lately, it’s also been using TrickBot and Emotet malware in its attack chain – a state of affairs that raises hypotheses around Grim Spider attribution.
GRIM SPIDER is a sophisticated eCrime group that has been operating the Ryuk ransomware since August 2018, targeting large organizations for a high-ransom return.
This methodology, known as “big game hunting,” signals a shift in operations for WIZARD SPIDER, a criminal enterprise of which GRIM SPIDER appears to be a cell.
The WIZARD SPIDER threat group, known as the Russia-based operator of the TrickBot banking malware, had focused primarily on wire fraud in the past.
The analysis shows that Ryuk is a result of the custom development of an older commodity malware known as Hermes, believed to have been authored by North Korea’s Stardust Chollima (a.k.a. APT38, believed to be a revenue-generating offshoot of the well-known APT Lazarus Group).
Hermes first gained publicity in October 2017 when it was used as part of a sophisticated SWIFT attack against the Far Eastern International Bank (FEIB) in Taiwan.
FireEye is calling this type of access TEMP.MixMaster, which refers to any incidents that they have seen where Ryuk is installed following a TrickBot infection.
What is the nexus between Emotet, Trickbot, and Ryuk?
Machines infected with Emotet periodically check for modules from a command and control server (C2). These modules are typically DLLs or EXEs which are loaded on an infected system for extending capabilities.
Additionally, some modules such as Trickbot may receive further payloads, encoded in a C2 command, leading to the decoding and running of an EXE of the actor’s choice, like Ryuk.
Our tracking shows that the actors behind Emotet regularly drop malware executables composed of Trickbot and IcedID, among others.
The Trickbot and IcedID payloads are observed to be dropped directly via the module loader. However, with the Ryuk ransomware module, it follows a different control-flow path.
Ryuk infections are seldom, if ever, dropped directly by Emotet. When the Ryuk module is delivered to a victim, it is done transiently through a Trickbot infection and other tools, not the original Emotet bot.
According to Checkpoint and multiple other analysts and researchers, Ryuk is spread as a secondary payload through botnets, such as TrickBot and Emotet.
Here is the running theory: Emotet makes the initial infection on the endpoint. It has its own abilities to spread laterally throughout the network, as well as launch its own MalSpam campaign from the infected endpoint, sending additional malware to other users on the same or different networks.
From there, the most common payload that we have seen Emotet drop over the last six months has been TrickBot. This malware has the capability to steal credentials, and also to move around the network laterally and spread in other ways.
Both TrickBot and Emotet have been used as information stealers, downloaders, and even worms based on their most recent functionality.
At some point, for reasons we will explore later in this post, TrickBot will download and drop Ryuk ransomware on the system, assuming that the infected network is something that the attackers want to ransom.
- An obfuscated PowerShell script is executed and connects to a remote IP address.
- A reverse shell is downloaded and executed on the compromised host.
- PowerShell anti-logging scripts are executed on the host.
- Reconnaissance of the network is conducted using standard Windows command line tools along with external uploaded tools.
- Lateral movement throughout the network is enabled using Remote Desktop Protocol (RDP).
- Service User Accounts are created.
- PowerShell Empire is downloaded and installed as a service.
- Lateral movement is continued until privileges are recovered to obtain access to a domain controller.
- PSEXEC is used to push out the Ryuk binary to individual hosts.
- Batch scripts are executed to terminate processes/services and remove backups, followed by the Ryuk binary.
IOC’s and VT reference:
Attribution Still Unclear – CrowdStrike
Still unsure, North Korean APT or the Crimeware Annoying Persistent Threat?
“Currently, none do not have definitive evidence that the entirety of MixMaster activity, from TrickBot distribution and operation to Ryuk deployment, is being conducted by a common operator or group,” the analysts said. “The TrickBot administrator group, which is suspected to be based in Eastern Europe, most likely provide the malware to a limited number of cyber-criminal actors to use in operations.”
They added, “It is also plausible that Ryuk malware is available to multiple eCrime actors who are also using TrickBot malware, or that at least one TrickBot user is selling access to environments they have compromised to a third party.”