Universal Health Services (UHS), a Fortune 500 company and healthcare services provider, has reportedly shut down systems at facilities throughout the United States after the Ryuk ransomware hit its network on September 27, according to an article on the Health IT Security website.

What is Ryuk ransomware?

Ryuk is a sophisticated ransomware threat that targets businesses, hospitals, and government institutions across the world. Unlike common ransomware that target every kind of victim, Ryuk is typically used for tailored attacks. The attackers use manual hacking techniques and open-source tools to move laterally across a private network and gain administrative access. Ryuk is a modified version of the Hermes ransomware.

Both Hermes and Ryuk are known for identifying and encrypting network devices, and deleting shadow copies stored on endpoints. The ransom demanded by attackers will usually be exorbitant as the number of manual processes to initiate this attack is high. These manual processes include extensive network mapping, credential collection, and direct exploitation, which take place prior to each operation.

How does Ryuk ransomware penetrate networks?

The different stages of the Ryuk ransomware attack are:

  • Intrusion

  • Lateral movement

  • Data exfiltration or impact of the attack

There are several ways in which an attack is initiated, such as phishing emails, visiting unsecured websites, or clicking on random pop-ups. Ryuk is almost always distributed through bots, such as TrickBot or Emotet, that provide direct access to the victim’s network.

Not all the TrickBot infections lead to a Ryuk ransomware attack. But, when they do, the attack will be lethal. Typically, the deployment of Ryuk takes place weeks after the bot first shows up on the network. This gap lets the bot steal sensitive information, making the organization vulnerable even before the actual attack. The attacker then uses the data collected by the bot to identify the potential network into which Ryuk can be deployed. This completes the intrusion cycle.

Once inside the network, the attacker initiates manual hacking activities, such as network reconnaissance and lateral movement that help compromise domains controllers, and gives them access to as many systems as possible.

The encryption drill

Once attackers find a suitable system, two files are uploaded within a subfolder inside the directory. The attacker then uploads two files inside the directory. The two files are:

PUBLIC: RSA Public Key

The encryption process begins at this stage.

The attacker sweeps through the file systems, attaching drives to initiate encryption using WNetOpenEnum and WNetEnumResource. Every time a file is encrypted, the encryption key is destroyed. Once a file is encrypted, the extension .ryk is appended. Some files may not have any extension.

Ryuk is capable of encrypting files except for those with .dll, .lnk, .hrmlog, .ini, and .exe extensions. Files stored in the Windows System32, Chrome, Mozilla, Internet Explorer, and Recycle Bin directories are also excluded. This is probably allowed to enable the victim to use a browser to pay the ransom.

Ryuk uses strong encryption techniques. This ensures that the files won’t be recovered easily. Files are typically encrypted using AES-256 and the keys to the files are stored in a file with the .ryk extension. The AES keys are then encrypted with a RSA-4096 public private key pair which is controlled entirely by the attacker.

Ryuk is considered to be a malignant attack as it involves encryption of several keys with other keys, and the entire process is tailor-made for specific victims. This means that, even if the private key of a victim is published, it is not going to help decrypt files belonging to another victim.

What makes Ryuk lethal?

So far, no open-source tools have been able to decrypt Ryuk files. Moreover, the decryptor key provided by the attacker, even after the ransom has been paid, sometimes corrupts files. And, even after the recovery process, the attacker can still corrupt essential files required for the operations of the system. Like any other ransomware program, Ryuk attempts to access and delete shadow copies of data stored in the system to avoid recovery through alternative means. It also contains a kill.bat script that disables important services, such as network backups and Windows Defender antivirus.

How to mitigate the impact of the attack

To successfully defend against human-operated attacks, it is essential to follow some basic best practices. Unfortunately, some organizations sometimes temporarily disable their antivirus, or other security controls, to improve the performance of their system. However, even disabling security systems for a short time presents hackers with an opportunity to enter and disrupt the network. In these instances, attackers could leverage malware that was previously detected by the antivirus to carry out a new attack.

Some of the other commonly exploited weaknesses in a network are:

  • Lack of firewall or multi-factor authentication (MFA) protection

  • Having weak domain credentials

  • Disabling the intrusion prevention system

  • Accessing unsecured websites

 Some best practices that can help mitigate the risk of an attack are:

  1. Patch and update applications and programs regularly. This ensures that entry points for possible ransomware attacks are blocked.

  2. Ensure that firewalls and intrusion prevention have been enabled in your network.

  3. Require strong credentials for the domain.

  4. Deploy a comprehensive solution that can monitor your network and generate alerts.

How can Log360 help?

ManageEngine Log360, a comprehensive security information and event management (SIEM) solution, helps monitor your network and IT infrastructure, and provides real-time alerts and out-of-the-box reports.

Log360 helps you to:

  • Secure your on-premises, hybrid, and cloud platforms.

  • Thwart security attacks, and protect confidential data from breaches.

  • Gain deeper insights into network activity through in-depth network device auditing.

  • Automate the log management process, including logs from public cloud infrastructure.

  • Meet compliance requirements with ease.

  • Quickly implement post-breach actions through extensive forensic analysis capabilities.

and a lot more.

Log360 also provides insights on events such as Application Accessed, Configuration Changes, Firewall Logon, Registry Changes, and so on.

Log360’s log management component EventLog Analyzer monitors the network and detects potential threats. The solution provides real-time alerts, and generates comprehensive reports that helps the administrator take actions to secure the network.

To try out all these features and more, start your free, 30-day trial of Log360 today.

Raghav Iyer
Product Marketing Specialist