Ryuk challenges the traditional strategy of finding a bug, fixing a bug

Security organizations must learn to think like their adversaries; it may be the best form of defense.

When health care and election security collided this week, security researchers dissected the Ryuk ransomware strain and its likely path of execution. A reactive response is often too late when it comes to ransomware, and “shutting down” to prevent its spread is an unrealistic tactic.

“Many of these attack vectors should be tested now,” Charles Henderson, global director of X-Force Red at IBM Security, said in a webcast Monday. It’s basic security hygiene.

Federal agencies issued an advisory on October 28 warning health organizations about Ryuk and the UNC1878 threat group. According to IBM, Ryuk’s dwell time has dropped, and the group is hitting around 20 organizations per week.

But Ryuk is commodity malware that can hit any organization.

“It’s very easy to point out that there are phishing problems in healthcare organizations. But the reality is that phishing is a real attack vector across the industry,” Henderson said.

After Ryuk went quiet for the better part of 2020, its infection chain continued to evolve. Here are the typical steps that lead to a Ryuk execution:

Initial access

Phishing and spear-phishing are still the rule. The UNC1878 threat group generally gains access by using and reusing the SendGrid online marketing platform. “They generally get through perimeter security devices because they are not necessarily bad or on spam block lists,” said Chris Sperry, director of X-Force Threat Research at IBM Security, during the presentation.

For example, if emails are sent with a link to Google Docs, they can slip past tracking mechanisms. “It is very difficult to protect yourself from legitimate traffic with legitimate links sent through major platforms,” he said.

Attachments with a double extension ending in “.ext” can also bypass the filters because they are not actually attached to the messages, Sperry said. “Otherwise, I would think that such a double-extension attachment would probably be caught at the mail server inbox if a basic security solution exists.”
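The double-extension trick Sperry refers to is easy to check for at the mail gateway or in a post-delivery sweep. The following is an added example, not code from the article or from IBM: a small filename triage routine that flags a decoy document or image extension sitting in front of an executable one, padding spaces used to push the real extension out of view, and the right-to-left override character that reverses how a name is displayed. The extension lists and every sample filename are constructed for illustration.

```python
"""Flag double-extension attachment names of the kind described above.

Added example, not from the article or IBM. The extension lists and the
sample filenames are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List

# Extensions that Windows executes (or hands to a script engine) when opened.
# Constructed list; extend it to match your own mail policy.
EXECUTABLE_EXTENSIONS = {
    "exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
    "vbs", "vbe", "wsf", "hta", "ps1", "lnk", "msi",
}

# "Decoy" extensions a sender places in front of the real one so the name
# reads like a document or an image at a glance.
DECOY_EXTENSIONS = {
    "pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx",
    "txt", "jpg", "jpeg", "png", "zip",
}

# Right-to-left override: "photo\u202egnp.exe" is displayed as "photoexe.png".
RTLO = "\u202e"


@dataclass
class Verdict:
    filename: str
    suspicious: bool
    reason: str


def inspect_attachment(filename: str) -> Verdict:
    """Return a Verdict for one attachment filename."""
    if RTLO in filename:
        return Verdict(filename, True, "right-to-left override character in name")

    # Split on dots and trim each part so "invoice.pdf      .exe" (spaces
    # meant to push the real extension out of view) is handled too.
    parts = [p.strip().lower() for p in filename.split(".")]
    if len(parts) < 3:
        return Verdict(filename, False, "single extension")

    real_ext, decoy_ext = parts[-1], parts[-2]
    if real_ext in EXECUTABLE_EXTENSIONS and decoy_ext in DECOY_EXTENSIONS:
        return Verdict(filename, True,
                       f"decoy .{decoy_ext} in front of executable .{real_ext}")
    if real_ext in EXECUTABLE_EXTENSIONS:
        return Verdict(filename, True,
                       f"executable .{real_ext} behind an extra extension")
    # e.g. backup.tar.gz or report.2020.xlsx: multi-dot but not executable
    return Verdict(filename, False, "multi-dot name, non-executable")


def triage(filenames: List[str]) -> List[Verdict]:
    """Return only the suspicious verdicts, in input order."""
    return [v for v in (inspect_attachment(f) for f in filenames) if v.suspicious]


# Constructed sample attachment names, not real campaign artifacts.
SAMPLE_ATTACHMENTS = [
    "Invoice_10292020.pdf.exe",
    "report.tar.gz",
    "scan.jpg      .scr",
    "notes.txt",
    "photo\u202egnp.exe",
    "Q3-results.2020.xlsx",
]

if __name__ == "__main__":
    for v in triage(SAMPLE_ATTACHMENTS):
        print(f"{v.filename!r}: {v.reason}")
```

The check deliberately looks only at the double-extension pattern; whether a bare `.exe` attachment is acceptable at all is a separate policy decision, and the same routine can be pointed at the filenames inside a linked archive once it has been expanded.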

After the link is clicked, Bazar Loader or Bazar Backdoor is dropped on the host system and phones home. This is the core implant for UNC1878, and it is newer than Emotet and Trickbot.

The core malware uses EmerDNS, which according to Sperry is decentralized, blockchain-based and rarely monitored. “I don’t know how many people actually recognize alternative DNS such as EmerDNS.” Alternate domains are also used when communicating with C2.
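Sperry’s point that EmerDNS is rarely monitored is one a defender can act on with a few lines over resolver logs. The following is an added example, not code from the article or from IBM. It assumes the EmerDNS namespace serves the suffixes .coin, .emc, .lib and .bazar (the suffixes I know it uses; the article itself names none), and it uses a constructed log format in which every hostname and client address is made up for illustration.

```python
"""Spot queries for EmerDNS names in resolver logs.

Added example, not code from the article or IBM. The EmerDNS suffixes are
the ones I know the EmerDNS namespace serves (assumption, not from the
article); the log format, hostnames and addresses below are constructed.
"""
import re
from typing import List, Optional, Tuple

# Top-level labels served by the EmerDNS blockchain namespace, not by the
# ICANN root. Assumed list; adjust if your threat intel differs.
EMERDNS_TLDS = {"coin", "emc", "lib", "bazar"}

# Constructed log format: "<timestamp> <client-ip> query: <qname> IN <qtype>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\d{1,3}(?:\.\d{1,3}){3})\s+query:\s+"
    r"(?P<qname>\S+)\s+IN\s+(?P<qtype>[A-Z]+)"
)

# Constructed sample, not a real capture.
SAMPLE_LOG = """\
2020-10-29T10:01:02 10.0.0.12 query: www.example.com IN A
2020-10-29T10:01:05 10.0.0.12 query: cdn.example.net IN AAAA
2020-10-29T10:02:10 10.0.0.12 query: loader-example.bazar IN A
2020-10-29T10:02:11 10.0.0.12 query: loader-example.bazar IN AAAA
2020-10-29T10:03:00 10.0.0.45 query: intranet.corp.example IN A
2020-10-29T10:03:30 10.0.0.45 query: ns1.emc IN A
2020-10-29T10:04:00 10.0.0.77 query: library.lib.example.org IN A
2020-10-29T10:04:30 10.0.0.77 query: malformed line that does not parse
"""


def parse_line(line: str) -> Optional[Tuple[str, str, str, str]]:
    """Return (timestamp, client, qname, qtype) or None if the line does not parse."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    return m.group("ts"), m.group("client"), m.group("qname"), m.group("qtype")


def is_emerdns_name(qname: str) -> bool:
    """True when the rightmost label is an EmerDNS suffix.

    Only the last label counts: library.lib.example.org is ordinary DNS.
    """
    labels = qname.rstrip(".").lower().split(".")
    return len(labels) >= 2 and labels[-1] in EMERDNS_TLDS


def find_emerdns_queries(log_text: str) -> List[Tuple[str, str]]:
    """Return sorted, de-duplicated (client, qname) pairs that hit an EmerDNS suffix."""
    hits = set()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip lines in another format instead of crashing the sweep
        _, client, qname, _ = parsed
        if is_emerdns_name(qname):
            hits.add((client, qname.rstrip(".").lower()))
    return sorted(hits)


if __name__ == "__main__":
    for client, qname in find_emerdns_queries(SAMPLE_LOG):
        print(f"{client} asked for {qname}")
```

A corporate resolver will normally answer these names with NXDOMAIN, so the query itself is the signal, not the response. The sweep only sees clients that use the corporate resolver; a host that talks to an outside resolver directly will not appear here, which is why blocking or logging outbound DNS to non-corporate resolvers is the complementary control.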

Cobalt Strike

Red teams and adversaries alike rely on Cobalt Strike. With Cobalt Strike, intruders can map the environment and use Mimikatz, LaZagne or Kerbrute to obtain passwords.

Bad actors “put together the information they need to pre-populate one or more batch files,” Sperry said. Those batch files help distribute Ryuk via Windows Management Instrumentation (WMI) or PowerShell.

It is “interesting with this group to see a crossover in their tooling; they are usually signed with a certificate,” which indicates the operators’ intentions, Sperry said. IBM has found an overlap in code-signing certificates between Cobalt Strike Beacon and Ryuk.

Until they are caught, criminals can present enough “legitimate business information” to obtain a code-signing certificate, which gives them the opening to launch the attack.

Where to focus

There is no one-size-fits-all solution for preventing ransomware, not even simulated phishing campaigns to train employees and deter mistakes. Instead, companies should measure the percentage of errors that occur while accepting that human error is a given.

“The simple fact is, if you rely on training to save yourself, you’re going to have a big problem in the end,” said Henderson. “I don’t think many CISOs claim to have solved the phishing problem.”

Even when a business has adequate backups, ransomware has evolved to include data exfiltration, which is changing the way businesses react to an attack.

Responding to an attack shouldn’t be the first test a security organization faces from ransomware. Damage control extends beyond penetration testing and threat intelligence to red team testing. “It’s like whack-a-mole … if you hit one, three more will appear,” Henderson said.

Attack simulations are good at preparing an organization to think like an attacker. Otherwise, the security organization stays reactive. “Because most organizations have a large number of unpatched vulnerabilities, they will not get to the end of those vulnerabilities anytime soon,” said Henderson. Organizations need to move beyond the “find bugs, fix bugs” mentality and think like an adversary; otherwise, it becomes “more a question of IT controls than security controls.”