A new strain of ransomware first reported in August is now being seen in Canada, hitting at least four organizations here.
“I’m starting to see a certain type of ransomware called Ryuk targeting healthcare organizations,” Canadian cyber security lawyer Imrad Ahmad told IT World Canada on Tuesday. “Typically ransomware locks up your system. This one actually exfiltrates data” as well.
Ahmad, a partner and national leader of the cybersecurity law practice at Miller Thomson LLP, said his practice knows of four organizations in the past month alone that were hit. He wouldn’t say how many of the organizations had lost data.
Typically the ransom demanded was around 40 to 50 Bitcoin, he said, which at current value is roughly $34,000 to $42,00.
How each was infected isn’t clear yet.
In August the U.S. Department of Health and Human Services and Check Point Software issued alerts on this particular strain of ransomware.
The way attacks have been executed suggests the people behind it have researched their targets well, probably infiltrating networks before launching the ransomware, because they know where valuable data is. Check Point said that in the incidents it has seen, Ryuk is only used in targeted attacks.
To maintain persistence Ryuk writes itself to the Windows Run registry key. The ransomware will kill more than 40 processes and stop more than 180 services from a list of predefined service and process names. Most belong to antivirus, database, backup and document editing software.
There are similarities between Ryuk and ransomware some researchers have dubbed Hermes, first seen in the fall of 2017. That led Check Point to believe those behind Ryuk are either the same operators of the Hermes strain, or someone who has got access to the Hermes source code. It then adds injected code for file encryption.
According to Check Point, it’s important to note that the malware will attempt to write a dummy file to the Windows directory, which would only be allowed with Admin privileges. This file will write two more files to a subfolder in the Windows directory, one of which contains an RSA Public key for encryption, and the second contains a hardcoded key. But if the creation of the first dummy file fails, the malware will sleep for a while and attempt the same another five times. If failure persists beyond these attempts, Ryuk will simply terminate.
This is important because one of the ways to stop Ryuk is to make sure people with Windows administration privileges have to log in with complex passwords requiring multi-factor authentication.
Check Point said the Hermes strain is “commonly attributed” to the North Korean threat actors dubbed the Lazarus Group.
The U.S. government report included the following recommendations to infosec pros:
- Firewall off SMB (server message block) port 445 for internal computers. If access to this service is required, it should be permitted only for those IPs that require access. i.e. 445 is required for SCOM to push an agent install, therefore 445 should only be allowed from that source server;
- Application blacklisting should be implemented to prevent the use of tools such as vssadmin.exe, cmd.exe, powershell.exe and similar;
- File Integrity Monitoring should be considered and configured to monitor file creations in “trusted” locations such as the System32 directory. This can also be used to monitor deletes, with an alert configured to fire on excessive deletes in a row;
- Windows Security Event logs should be monitored to capture Scheduled Task creation events – Event ID 4698;
- Registry Auditing should be enabled and monitored to capture any additions to
- Excessive use of known administrative privilege accounts should be alerted on – specifically in a “one to many” behavioral configuration. i.e. is one specific IP connecting to a large number of devices using the same credentials in a short period of time;
- Ensure privileged accounts have a complex password that does not include any part of the username, or application it relates to.
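
The “one to many” check from the recommendations above, as an added example (not code from the U.S. government report or Check Point): it flags a source IP that uses one account against many distinct hosts inside a short window. The log format, account names, thresholds and sample records are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed logon records: time, source IP, account, destination host.
SAMPLE = """\
2018-10-02T09:00:00,10.0.5.20,adm-jsmith,WS101
2018-10-02T09:00:20,10.0.5.20,adm-jsmith,WS102
2018-10-02T09:00:40,10.0.5.20,adm-jsmith,WS103
2018-10-02T09:01:00,10.0.5.20,adm-jsmith,FS01
2018-10-02T09:01:30,10.0.5.20,adm-jsmith,SQL01
2018-10-02T09:02:00,10.0.5.20,adm-jsmith,BKP01
2018-10-02T09:00:00,10.0.7.7,adm-lee,WS201
2018-10-02T09:15:00,10.0.7.7,adm-lee,WS202
2018-10-02T09:30:00,10.0.7.7,adm-lee,WS203
2018-10-02T09:45:00,10.0.7.7,adm-lee,WS204
2018-10-02T10:00:00,10.0.7.7,adm-lee,WS205
2018-10-02T09:00:00,10.0.8.8,adm-kim,DC01
2018-10-02T09:00:10,10.0.8.8,adm-kim,DC01
2018-10-02T09:00:20,10.0.8.8,adm-kim,DC01
2018-10-02T09:00:30,10.0.8.8,adm-kim,DC01
2018-10-02T09:00:40,10.0.8.8,adm-kim,DC01
"""

def parse(text):
    """Yield (time, source, account, host) tuples from the sample format."""
    for line in text.strip().splitlines():
        ts, src, acct, dst = (f.strip() for f in line.split(","))
        yield datetime.fromisoformat(ts), src, acct.lower(), dst.upper()

def one_to_many(events, window=timedelta(minutes=5), min_hosts=5):
    """Map (source, account) -> peak count of distinct hosts reached inside
    any sliding window, for pairs whose peak is at least min_hosts."""
    recent = defaultdict(deque)   # (source, account) -> (time, host) in window
    peaks = {}
    for ts, src, acct, dst in sorted(events):
        q = recent[(src, acct)]
        q.append((ts, dst))
        while ts - q[0][0] > window:      # drop logons older than the window
            q.popleft()
        distinct = len({host for _, host in q})   # repeat logons count once
        if distinct >= min_hosts:
            peaks[(src, acct)] = max(distinct, peaks.get((src, acct), 0))
    return peaks

if __name__ == "__main__":
    for (src, acct), n in one_to_many(parse(SAMPLE)).items():
        print(f"ALERT {src} used {acct} on {n} hosts within 5 minutes")
```

Only the first source alerts: the second spreads five hosts over an hour, and the third logs on repeatedly to a single host. Known management servers that legitimately fan out would need their own threshold or an allow-list.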