Rewterz Threat Advisory – Ryuk evolves as a new Targeted Ransomware

Thursday, December 20, 2018

SEVERITY: High

CATEGORY: Emerging Threat

ANALYSIS SUMMARY

Attackers using targeted ransomware work on the following methodology:

  • Enter the victim’s network via a weak RDP (Remote Desktop Protocol) password.
  • Escalate their privileges until they’re an administrator.
  • Use their privileged position to overcome security software.
  • Spread their ransomware as widely as possible before encrypting the victim’s files.
  • Leave notes demanding payment in return for decoding/unlocking the files.
  • Wait for the victim to contact them via email.

Successfully acquiring administrator privileges lets the ransomware do enough damage that victims have to pay a five- to six-figure ransom to decrypt their files. Industries related to commodities, healthcare and manufacturing are the primary targets. Ryuk shows close ties to the HERMES ransomware, produced by the North Korean Lazarus group.
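The methodology above starts with entry through a weak RDP password, so the first defender-side check is whether any host is seeing a burst of failed RemoteInteractive logons from one source followed by a success. The script below is an added example and is not part of the Rewterz advisory: it correlates Windows Security events 4625 (failed logon) and 4624 (successful logon) with LogonType 10 (RDP). The event lines are constructed sample data in a simplified key=value form, not real log output, and the threshold and window are assumptions to tune per environment.

```python
"""Detect RDP password guessing that ends in a successful logon.

Added example, not from the advisory.  Looks for at least `threshold`
failed RDP logons (event 4625, LogonType 10) from one source address
inside `window`, then checks whether a successful RDP logon (event
4624, LogonType 10) from the same address follows in that window.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: a guessing burst from 203.0.113.7 that
# eventually succeeds, plus a single typo by a legitimate admin.
SAMPLE_EVENTS = """\
2018-12-19T22:01:03 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7
2018-12-19T22:01:05 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7
2018-12-19T22:01:07 EventID=4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.7
2018-12-19T22:01:09 EventID=4625 LogonType=10 TargetUserName=backup IpAddress=203.0.113.7
2018-12-19T22:01:11 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7
2018-12-19T22:01:14 EventID=4624 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7
2018-12-19T22:05:40 EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=10.0.0.25
2018-12-19T22:05:52 EventID=4624 LogonType=10 TargetUserName=jsmith IpAddress=10.0.0.25
2018-12-19T22:10:00 EventID=4624 LogonType=3 TargetUserName=svc-backup IpAddress=10.0.0.9
"""


def parse_event(line):
    """Parse one 'timestamp key=value ...' line into a dict."""
    ts, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.fromisoformat(ts)
    return fields


def find_rdp_guessing(text, threshold=5, window=timedelta(minutes=10)):
    """Return a list of (source_ip, failure_count, compromised_user_or_None).

    A source is reported when it produces at least `threshold` failed RDP
    logons within `window`; if a successful RDP logon from that source
    lands inside the window after the burst, the account name is included.
    """
    failures = defaultdict(list)
    successes = defaultdict(list)
    for line in text.splitlines():
        ev = parse_event(line)
        if ev.get("LogonType") != "10":
            continue  # only RemoteInteractive (RDP) logons matter here
        if ev["EventID"] == "4625":
            failures[ev["IpAddress"]].append(ev["ts"])
        elif ev["EventID"] == "4624":
            successes[ev["IpAddress"]].append((ev["ts"], ev["TargetUserName"]))

    findings = []
    for ip, times in failures.items():
        times.sort()
        # Sliding window: does any run of `threshold` failures fit in `window`?
        for i in range(len(times) - threshold + 1):
            start, end = times[i], times[i + threshold - 1]
            if end - start <= window:
                user = next((u for t, u in successes.get(ip, [])
                             if end <= t <= start + window), None)
                findings.append((ip, len(times), user))
                break
    return findings


if __name__ == "__main__":
    for ip, n, user in find_rdp_guessing(SAMPLE_EVENTS):
        tail = f", then success as {user}" if user else ""
        print(f"{ip}: {n} failed RDP logons{tail}")
```

A burst that ends in a successful logon is the case that matters most for this advisory, since the remaining steps of the methodology (privilege escalation, disabling security software, spreading) all start from that first foothold; a burst with no success is still worth blocking at the perimeter.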

Following is the ransom note found on encrypted computers.

Your network has been penetrated.

All files on each host in the network have been encrypted with a strong algorithm.

Backups were either encrypted or deleted or backup disks were formatted.

Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover.

We exclusively have decryption software for your situation. No decryption software is available in the public.

DO NOT RESET OR SHUTDOWN – files may be damaged.

DO NOT RENAME OR MOVE the encrypted and readme files.

DO NOT DELETE readme files.

This may lead to the impossibility of recovery of the certain files.

To get info (decrypt your files) contact us at ????????@protonmail.com

or ????????@tutanota.com

BTC wallet: ???????????????????????????????? Ryuk

Ryuk demands ransoms of between 15 and 50 bitcoins (between $50,000 and $170,000), and the price rises by 0.5 bitcoins for every day the victim does not pay.

IMPACT

System access, file encryption, ransom payment

INDICATORS OF COMPROMISE

IP(s) / Hostname(s)

  • 104.199.153[.]189
  • 104.239.157[.]210
  • 187.17.111[.]103
  • 195.20.45[.]185
  • 200.98.255[.]192
  • 23.253.126[.]58
  • 68.168.222[.]206
  • 89.119.67[.]154

URLs

  • bedava-chat[.]com
  • bestinfo[.]vv[.]si
  • digiturk[.]adsl[.]com[.]tr
  • freshmirza[.]tk
  • ibrahimreb[.]com
  • infocommsystems[.]com
  • jaragroup[.]com[.]ar
  • klkjwre9fqwieluoi[.]info
  • kukutrustnet777[.]info
  • kukutrustnet777888[.]info
  • kukutrustnet888[.]info
  • kukutrustnet987[.]info
  • lavanyacreation[.]com
  • natufarma[.]net
  • radiantjewelcraft[.]com
  • sets-hm[.]tk
  • veddagroup[.]twomini[.]com

Associated file paths:

  • C:\Users\Public\cjoZX[.]exe
  • C:\Users\Public\window[.]bat

Associated email addresses:

  • WayneEvenson@tutanota[.]com
  • WayneEvenson@protonmail[.]com

Associated bitcoin address: 14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk

Malware Hashes (MD5/SHA1/SHA256); the values listed here are MD5

  • c0202cf6aeab8437c638533d14563d35
  • d348f536e214a47655af387408b4fca5
  • 958c594909933d4c82e93c22850194aa
  • 86c314bc2dc37ba84f7364acd5108c2b
  • 29340643ca2e6677c19e1d3bf351d654
  • cb0c1248d3899358a375888bb4e8f3fe
  • 1354ac0d5be0c8d03f4e3aba78d2223e
  • 5ac0f050f93f86e69026faea1fbb4450

REMEDIATION

Block all the threat indicators at their respective controls.
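The indicators above are published defanged ("104.199.153[.]189", "bedava-chat[.]com") so they cannot be clicked by accident; before they can be loaded into a control or matched against logs, the "[.]" has to be turned back into ".". The script below is an added example, not part of the Rewterz advisory: it refangs and classifies a subset of the advisory's own indicators, routes each type to the control that would block it (an assumed mapping: firewall or proxy for IPs, DNS sinkhole for domains, mail gateway for email addresses, endpoint protection for hashes and paths), and sweeps a handful of log lines for matches. The indicator values are copied from the advisory; the DNS, proxy and EDR log lines are constructed sample data, not real telemetry.

```python
"""Refang the advisory's indicators, route them to controls, and sweep logs.

Added example, not from the advisory.  Indicator values below are copied
from the advisory's IoC section; the log lines are constructed samples.
"""
import re

ADVISORY_IOCS = """\
104.199.153[.]189
104.239.157[.]210
23.253.126[.]58
bedava-chat[.]com
kukutrustnet777[.]info
klkjwre9fqwieluoi[.]info
C:\\Users\\Public\\cjoZX[.]exe
WayneEvenson@protonmail[.]com
c0202cf6aeab8437c638533d14563d35
14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk
"""

# Constructed sample log lines (DNS query log, proxy log, EDR file event).
# Lines 1, 3 and 5 touch advisory indicators; the others are benign filler.
SAMPLE_LOGS = """\
dns 2018-12-20T09:14:02 client=10.0.0.31 query=kukutrustnet777.info type=A
dns 2018-12-20T09:14:05 client=10.0.0.31 query=windowsupdate.microsoft.com type=A
proxy 2018-12-20T09:15:10 src=10.0.0.31 dst=104.199.153.189:443 action=allow
proxy 2018-12-20T09:15:12 src=10.0.0.44 dst=93.184.216.34:443 action=allow
edr 2018-12-20T09:16:00 host=WS-031 event=file_create path=C:\\Users\\Public\\cjoZX.exe md5=c0202cf6aeab8437c638533d14563d35
edr 2018-12-20T09:16:30 host=WS-044 event=file_create path=C:\\Users\\jdoe\\Downloads\\report.pdf md5=0123456789abcdef0123456789abcdef
"""

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
MD5 = re.compile(r"^[0-9a-f]{32}$")

# Assumed mapping of indicator type to the control that blocks it.
CONTROL_FOR = {"ip": "firewall", "domain": "dns_sinkhole", "email": "mail_gateway",
               "md5": "endpoint_hash_block", "path": "endpoint_path_block"}


def refang(value):
    """Turn a defanged indicator back into its usable form."""
    return value.strip().replace("[.]", ".").replace("hxxp", "http")


def classify(value):
    """Label an already-refanged indicator by type."""
    if IPV4.match(value):
        return "ip"
    if MD5.match(value.lower()):
        return "md5"
    if "@" in value:
        return "email"
    if value[1:3] == ":\\":
        return "path"
    if "." in value:
        return "domain"
    return "other"  # e.g. the bitcoin address, which no control blocks directly


def load_iocs(text):
    """Return {type: set(lower-cased values)} from a defanged indicator list."""
    iocs = {}
    for raw in text.splitlines():
        if raw.strip():
            value = refang(raw)
            iocs.setdefault(classify(value), set()).add(value.lower())
    return iocs


def route_to_controls(iocs):
    """Return {control_name: sorted indicator list} ready for each control."""
    return {CONTROL_FOR[kind]: sorted(vals) for kind, vals in iocs.items() if kind in CONTROL_FOR}


def sweep_logs(log_text, iocs):
    """Return (line_no, type, value) for every log line mentioning an indicator."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        # IPs may carry a port and hashes sit after '=', so tokenise on separators.
        tokens = {t.lower() for t in re.split(r"[\s=:,]+", line)}
        for kind, values in iocs.items():
            if kind != "path":
                hits.extend((n, kind, v) for v in sorted(values & tokens))
        # Paths contain the separators above, so match them as substrings.
        hits.extend((n, "path", v) for v in iocs.get("path", ()) if v in line.lower())
    return hits


if __name__ == "__main__":
    iocs = load_iocs(ADVISORY_IOCS)
    for control, values in route_to_controls(iocs).items():
        print(f"{control}: {', '.join(values)}")
    for n, kind, v in sweep_logs(SAMPLE_LOGS, iocs):
        print(f"log line {n}: {kind} indicator {v}")
```

Matching is exact on refanged tokens, so a match means the indicator itself was seen, not a lookalike; the bitcoin address is classified as "other" because it is useful for attribution rather than for any blocking control.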
