Threat Watch

Infection Process of Ryuk Ransomware Simplified by Blacklisting IP Addresses

The new Ryuk sample blacklists IP addresses to skip encryption on computers that are already affected. It was reported to researchers that the ransomware is signed with a digital certificate, and investigation showed that Ryuk checks the output of arp -a for partial IP address strings. These partial strings are 10.30.4, 10.30.5, 10.30.6, and 10.31.32. The ransomware will not encrypt the computer if an IP address matches one of these strings.

The computer name is also compared against the strings SPB, spb, MSK, Msk and msk, which makes it easier for the ransomware to infect its victim. If the computer name contains one of them, the encryption process does not continue. Researchers believe the new variant does this to avoid encrypting computers in Russia, because MSK could stand for Moscow and SPB could stand for St. Petersburg.

If the checks are passed, however, the encryption process continues as normal and the .RYK extension is appended to the encrypted files. The victim then receives a ransom note named "RyukReadMe.html" documenting the payment process. The email addresses sorcinacin@protonmail[.]com and neyhyretim@protonmail[.]com are included as a means of contact.
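For scoping an incident, the two file indicators named above (the .RYK extension and the RyukReadMe.html note) can be grouped by directory from a collected file listing. The following is an added example, not part of the original report; the function names and the sample listing are constructed for illustration.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

ENCRYPTED_EXT = ".ryk"          # extension named in the report (matched case-insensitively)
NOTE_NAME = "ryukreadme.html"   # ransom note name from the report (lower-cased)

# Constructed sample listing, e.g. the output of a recursive directory listing.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\budget.xlsx.RYK",
    r"C:\Users\alice\Documents\plan.docx.RYK",
    r"C:\Users\alice\Documents\RyukReadMe.html",
    r"C:\Users\alice\Pictures\cat.jpg",
    r"D:\Shares\finance\q1.pdf.ryk",
    r"D:\Shares\hr\handbook.pdf",
    "",  # blank lines in a listing are ignored
]

def triage(paths):
    """Map each directory to its count of .RYK files and whether a note is present."""
    hits = defaultdict(lambda: {"encrypted": 0, "note": False})
    for raw in paths:
        p = PureWindowsPath(raw.strip())
        name = p.name.lower()
        if name == NOTE_NAME:
            hits[str(p.parent)]["note"] = True
        elif name.endswith(ENCRYPTED_EXT):
            hits[str(p.parent)]["encrypted"] += 1
    return dict(hits)

def affected_dirs(paths):
    """Directories with indicators, ordered by number of encrypted files (most first)."""
    result = triage(paths)
    return sorted(result, key=lambda d: (-result[d]["encrypted"], d))

if __name__ == "__main__":
    summary = triage(SAMPLE_LISTING)
    for directory in affected_dirs(SAMPLE_LISTING):
        info = summary[directory]
        note = "note present" if info["note"] else "no note"
        print(f"{directory}: {info['encrypted']} encrypted file(s), {note}")
```

Directories that show encrypted files but no note, or the reverse, are worth a closer look when deciding what to restore from backup.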

ANALYST NOTES

The ransom should not be paid; instead, files should be restored from a backup. Users should keep a secured backup of their important files stored offline, because certain ransomware strains have been known to target backups in the past. Verify that the network does not make RDS publicly accessible; instead, place it behind a firewall and make it accessible only through a VPN.