By: Owen Dubiel
June 25, 2021
How to Detect Ryuk Ransomware with QRadar
Ransomware is a scary topic to discuss in any enterprise. A malicious file that can both encrypt and steal sensitive data is a terrifying outcome. The key to defeating ransomware is identifying and eliminating it quickly. This article reviews a particular family of ransomware called Ryuk and some supporting details on how it works. Most importantly, we provide a search string that can be used directly in QRadar to detect traces of Ryuk lurking on your network.
Identifying features of Ryuk
Ryuk is a big-game hunter: it only goes after large enterprises with a lot of capital. This malware has successfully compromised over 56 companies, collecting around 305 bitcoin (3.7 million) in ransom, and this number is constantly growing. The following are some identifying features of the Ryuk ransomware.
- Utilizes Powershell to perform all operations
- Encrypts files using RSA-2048
- Uses one decryption key for all files within each compromise (unique to the enterprise)
- The dropper file is rarely captured, as it is deleted shortly after installation
- Only EXE and DLL files are excluded from Ryuk's encryption process, which can leave the host unstable
- Does not try to gain persistence on compromised hosts
- Attribution is mainly claimed to North Korea and Russia
- It is based on an older ransomware called Hermes
Ryuk has caused significant havoc with large corporations, costing them hundreds of thousands in ransom payments. Since it uses a unique key for each attack, there is no way to disclose a decryption key publicly. Most companies are forced to pay the hefty ransom.
A search query for Qradar
If you use QRadar as your SIEM, we have put together a quick detection search query that can alert on early indicators of the Ryuk ransomware. The search looks for specific file hashes known to be used for the dropper and installation files, as well as the payload itself. It also contains the known file path where the installation commonly takes place. Please note that these paths could vary and change over time as the attack develops; to broaden the scope and get more results, add wildcards to the path.
SELECT UTF8(payload) AS search_payload, "File Hash", "Process CommandLine", "ParentCommandLine"
FROM events
WHERE LOGSOURCETYPENAME(devicetype) = 'Microsoft Windows Security Event Log'
  AND "EventID" = '1'
  AND (
    (
      "File Hash" = 'c0202cf6aeab8437c638533d14563d35'
      OR "File Hash" = 'd348f536e214a47655af387408b4fca5'
      OR "File Hash" = '958c594909933d4c82e93c22850194aa'
      OR "File Hash" = '86c314bc2dc37ba84f7364acd5108c2b'
      OR "File Hash" = '29340643ca2e6677c19e1d3bf351d654'
      OR "File Hash" = 'cb0c1248d3899358a375888bb4e8f3fe'
      OR "File Hash" = '1354ac0d5be0c8d03f4e3aba78d2223e'
      OR "File Hash" = '5ac0f050f93f86e69026faea1fbb4450'
      OR "File Hash" = '965884f19026913b2c57b8cd4a86455a61383de01dabb69c557f45bb848f6c26'
      OR "File Hash" = 'b8fcd4a3902064907fb19e0da3ca7aed72a7e6d1f94d971d1ee7a4d3af6a800d'
      OR "File Hash" = '795db7bdad1befdd3ad942be79715f6b0c5083d859901b81657b590c9628790f'
    )
    OR "Process CommandLine" ILIKE '%REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\admin\AppData\Local%'
  )
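To test the same detection logic offline before loading it into the SIEM, here is an added Python example (not part of the article or QRadar) that applies the query's two branches to constructed process-creation events. It keeps the article's hash list, assumes a dict per event with the field names the query uses, and wildcards the user profile directory in the Run-key command line, as the article suggests.

```python
import re

# Indicators copied from the article's QRadar query (MD5 and SHA-256 file hashes).
RYUK_HASHES = {
    "c0202cf6aeab8437c638533d14563d35", "d348f536e214a47655af387408b4fca5",
    "958c594909933d4c82e93c22850194aa", "86c314bc2dc37ba84f7364acd5108c2b",
    "29340643ca2e6677c19e1d3bf351d654", "cb0c1248d3899358a375888bb4e8f3fe",
    "1354ac0d5be0c8d03f4e3aba78d2223e", "5ac0f050f93f86e69026faea1fbb4450",
    "965884f19026913b2c57b8cd4a86455a61383de01dabb69c557f45bb848f6c26",
    "b8fcd4a3902064907fb19e0da3ca7aed72a7e6d1f94d971d1ee7a4d3af6a800d",
    "795db7bdad1befdd3ad942be79715f6b0c5083d859901b81657b590c9628790f",
}

# The Run-key command line from the query; the user directory is wildcarded
# (assumption: the article names "admin", but any profile path should match).
RUN_KEY_RE = re.compile(
    r'REG ADD "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"'
    r' /v "svchos" /t REG_SZ /d "C:\\Users\\[^\\"]+\\AppData\\Local',
    re.IGNORECASE,
)

def classify(event):
    # Reasons one event matches, or []. The log-source and EventID filters
    # apply to BOTH branches, so an event from another source never alerts.
    if (event.get("logsource") != "Microsoft Windows Security Event Log"
            or str(event.get("EventID")) != "1"):
        return []
    reasons = []
    if event.get("File Hash", "").lower() in RYUK_HASHES:
        reasons.append("known Ryuk file hash")
    if RUN_KEY_RE.search(event.get("Process CommandLine", "")):
        reasons.append("svchos Run-key persistence command")
    return reasons

def scan(events):
    # (id, reasons) for every event that matches at least one branch
    return [(ev["id"], classify(ev)) for ev in events if classify(ev)]

# Constructed sample events (not real telemetry): event 1 carries one of the
# query's hashes, event 2 the Run-key command, event 3 is a benign 4688 event.
SAMPLE_EVENTS = [
    {"id": 1, "logsource": "Microsoft Windows Security Event Log", "EventID": 1,
     "File Hash": "C0202CF6AEAB8437C638533D14563D35", "Process CommandLine": "C:\\Temp\\x.exe"},
    {"id": 2, "logsource": "Microsoft Windows Security Event Log", "EventID": 1,
     "File Hash": "0" * 32, "Process CommandLine": 'REG ADD "HKEY_CURRENT_USER\\SOFTWARE'
     '\\Microsoft\\Windows\\CurrentVersion\\Run" /v "svchos" /t REG_SZ /d "C:\\Users\\jdoe\\AppData\\Local\\svchos.exe"'},
    {"id": 3, "logsource": "Microsoft Windows Security Event Log", "EventID": 4688,
     "File Hash": "0" * 32, "Process CommandLine": "notepad.exe"},
]
```

Running `scan(SAMPLE_EVENTS)` flags events 1 and 2 with their respective reasons and ignores event 3; swap in exported events from your own environment to check field names before deploying the AQL rule.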
It is important for the company to activate its incident response plan so that all parties are notified. An incident response plan (IRP) should include contact information, a timeline of events, and procedures for informing the authorities if needed. Lastly, it should identify a third party kept on retainer to assist with any forensics work required to document the ransomware attack. Forensic work must follow strict procedures if it is to be used in a court of law.
Resource for identifying ransomware (No More Ransom project)
Although Ryuk cannot be currently decrypted, other ransomware attacks have public decryption keys available. The “NoMoreRansom” project has a website dedicated to thwarting ransomware attacks by providing free resources to those in need. Some of the services offered include:
- Decryption tools/keys for hundreds of known Ransomware
- Prevention tips and tricks
- A hotline to local and global authorities
- Report a Crime
- Common questions
If nothing else, add nomoreransom.org to your bookmarks as a resource in case it is ever needed. They provide a great breakdown of each type of ransomware and walkthrough documents on how to handle each one.
Ransomware is one of those attacks that everyone fears but never thinks will happen to them. For cybercriminals this is a full-time job, so most campaigns are well thought out and tuned to succeed against standard system configurations. The Ryuk ransomware targets medium to large-scale financial institutions that have access to large sums of money. To learn more about preventing ransomware, head over to the Cybrary website and delve into some of the courses there to strengthen your overall security stance today.