
GRD Journals- Global Research and Development Journal for Engineering | Volume 4 | Issue 7 | June 2019

ISSN: 2455-5703

Study of Ryuk Ransomware Attack


Ashu Ramjit Maurya
MCA Student
Department of Information Technology
ASM IMCOST, Thane, Mumbai

Abstract

Ransomware has recently spread like a whirlwind. A whirlwind damages property; similarly, ransomware leaves computer data insecure. Every user is moving towards digitization and keeps data on his or her own computer. Ransomware is a class of malicious program that hijacks the user's data. It may lock the system in a way that an ordinary person cannot reverse. It targets not only home computers; businesses are affected as well. It encrypts data so that an ordinary person can no longer decrypt it, and the victim must pay a ransom to decrypt it. However, payment does not guarantee that the files will be released. This paper gives a brief study of Ryuk ransomware, its impact on the computing world, and preventive measures to control ransomware on computer systems.
Keywords- Ryuk, Hermes, Ransomware, Decrypt, Encrypt, Threat, Security

I. INTRODUCTION
While families gathered for food and celebration on Christmas Eve, most organizations slept. Nothing was stirring, not even a mouse, or so they thought. For those at Tribune Publishing and Data Resolution, however, a quiet attack was slowly spreading through their networks, encrypting data and halting operations. This attack came from a relatively new ransomware family called Ryuk.
Ryuk, which made its debut in August 2018, differs from many other ransomware families being analyzed, not because of its capabilities, but because of the novel way it infects a network.
Ryuk first appeared in August 2018, and while not tremendously active across the globe, at least three organizations were hit with Ryuk over the course of its first two months of activity, earning the attackers about $640,000 in ransom for their efforts.
Despite its successful run, Ryuk itself has functionality that you would find in only a few other modern ransomware families. This includes the ability to identify and encrypt network drives and resources, as well as to delete shadow copies on the endpoint. By doing this, the attackers can disable the Windows System Restore option for users, and thereby make it impossible to recover from the infection without an external backup.
While no differences were found in the collected samples, two versions of the ransom note were sent to victims: a longer, eloquent and politely worded note, which prompted the highest recorded payment of 50 BTC (around $320,000), and a shorter, blunter note, which was sent to other organizations and also prompted some sizeable ransom payments ranging between 15-35 BTC (up to $224,000). This could suggest that there are two tiers of attackers.

Fig. 1: Ryuk “Polite” Ransom Note

All rights reserved by www.grdjournals.com 48


Study of Ryuk Ransomware Attack
(GRDJE/ Volume 4 / Issue 7 / 010)

One interesting aspect of this ransomware is that it drops more than one note on the system. The second note is written in a polite tone, like the notes dropped by BitPaymer ransomware, which adds to the mystery.

Fig. 2: Ryuk “not-so-polite” Ransom Note

Ryuk infects systems through Emotet and TrickBot, botnets that distribute the ransomware via spam email or other means. What is unclear, however, is why the perpetrators would deploy this ransomware after an already successful infection.
In this case, we can take a page from the Hermes playbook. Hermes was used in Taiwan as a way to cover the tracks of another malware family already on the network. Is Ryuk being used the same way?
Since Emotet and TrickBot are not state-sponsored malware, and they are generally launched automatically against a broad blanket of would-be victims (rather than identifying a target and being launched manually), it seems odd that Ryuk would be used in only a few cases to hide the infection. So perhaps we can rule out this hypothesis.
A second, more likely hypothesis is that Ryuk serves as a final attempt to extract more value from an already lucrative target.
Suppose that the attackers behind Emotet and TrickBot have their bots map out networks to identify a target organization. If the target has a large enough spread of Emotet/TrickBot infections, or if its operations are critical or profitable enough that disruption would create a willingness to pay the ransom, then that might make it the ideal target for a Ryuk infection.
The real motive for using this malware can only be guessed at for now. Nevertheless, whether it is hiding the tracks of other malware or simply looking for ways to make more money after stealing all the relevant information it could, organizations should be careful about dismissing this one.
The fact remains that there are huge numbers of active Emotet and TrickBot infections all over the world right now. Any organization dealing with these threats needs to take them seriously, because a data stealer may turn into devastating ransomware at any time. This is the reality of our modern threat landscape.

II. COMPARISON WITH HERMES


Security experts at Check Point have already conducted a deep analysis of this threat, and one of their findings was that Ryuk shares many similarities with another ransomware family: Hermes.
Within both Ryuk and Hermes, there are numerous instances of similar or identical code segments. Furthermore, several strings within Ryuk have been found that refer to Hermes, in two separate cases.
When launched, Ryuk will first look for the Hermes marker that is inserted into each encrypted file. This is a way to identify whether the file or system has already been infected and/or encrypted.
The other case involves whitelisted folders, and while not as damning as the first, the fact that both ransomware families whitelist certain folder names is another sign that the two families may share authors. For instance, both Ryuk and Hermes whitelist a folder named "Ahnlab", which is the name of a popular South Korean security software vendor.


If you know your malware, you may recall that Hermes was attributed to the "Lazarus Group", who are associated with suspected North Korean nation-state operations. This has led many experts and journalists to speculate that North Korea was behind this whole incident.
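The marker check described above, turned to a defender's use as an added example (this is not code from the paper, from Check Point's analysis, or from any analysed sample): an incident-response script that inventories files carrying an end-of-file marker, and separately lists untouched files under the whitelisted folder name the paper reports. The marker bytes, file names and directory layout are constructed placeholders, since the paper gives no marker value.

```python
"""Incident-response triage helper for the marker behaviour the paper
attributes to Ryuk/Hermes: each encrypted file carries a fixed marker, which
the ransomware checks to avoid encrypting a file twice.  A responder can use
the same marker to inventory affected files.  Added example, not code from
the paper; MARKER is a hypothetical placeholder and the sample tree is
constructed.  The folder name "Ahnlab" is the whitelisted name the paper
reports."""

import tempfile
from pathlib import Path

MARKER = b"EXAMPLE_MARKER"       # placeholder, not the real Ryuk/Hermes marker
EXCLUDED_FOLDERS = {"ahnlab"}    # folder name both families skip, per the paper


def has_marker(path: Path, marker: bytes = MARKER) -> bool:
    """Read only the file's tail so large files are not read in full."""
    size = path.stat().st_size
    if size < len(marker):
        return False
    with path.open("rb") as fh:
        fh.seek(size - len(marker))
        return fh.read(len(marker)) == marker


def inventory(root: Path, marker: bytes = MARKER) -> dict:
    """Walk root and report marked files plus untouched files in excluded folders.

    Paths are returned relative to root with forward slashes."""
    report = {"encrypted": [], "skipped_by_exclusion": []}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root)
        in_excluded = any(p.lower() in EXCLUDED_FOLDERS for p in rel.parts[:-1])
        if has_marker(path, marker):
            report["encrypted"].append(rel.as_posix())
        elif in_excluded:
            report["skipped_by_exclusion"].append(rel.as_posix())
    return report


def build_sample_tree() -> Path:
    """Construct a throwaway directory imitating a partially encrypted host."""
    root = Path(tempfile.mkdtemp(prefix="ryuk-triage-"))
    (root / "Documents").mkdir()
    (root / "Ahnlab").mkdir()
    # constructed content: "ciphertext" with the marker appended at the end
    (root / "Documents" / "report.docx").write_bytes(b"ciphertext..." + MARKER)
    (root / "Documents" / "notes.txt").write_bytes(b"plain text, never touched")
    (root / "Ahnlab" / "engine.dll").write_bytes(b"vendor binary left alone")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for category, files in inventory(sample_root).items():
        print(f"{category}: {files}")
```

Checking only the last bytes of each file keeps the sweep fast on a file server, and the second list is useful during scoping: files under a whitelisted folder name that show no marker are expected, whereas a marked file there would contradict the reported exclusion and deserve a second look.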

III. PROTECTION
Now that we know how, and possibly why, Ryuk infects organizations, how can we protect against this malware and others like it?

A. Anti Exploit Technology


The use of exploits for both infection and lateral movement has been increasing for years. The primary method of infection for Emotet at the moment is spam with attached Office documents loaded with malicious scripts.
These malicious scripts are macros that, once the user clicks on "Enable content" (usually through some kind of social engineering trick), launch additional scripts to cause havoc. We most commonly see JavaScript and PowerShell scripts, with PowerShell quickly becoming the de facto scripting language for infecting users.
While you can stop these threats by training users to recognize social engineering, or by using email protection software that recognizes spam, anti-exploit technology can also block those Ryuk scripts when they try to install the malware on the system.
Moreover, protection technology such as anti-ransomware provides a large amount of protection against ransomware infections, stopping them before they can do serious damage.
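Two behaviours on this page lend themselves to endpoint detection: the macro chain described just above (an Office application spawning PowerShell or a JavaScript host) and the shadow-copy deletion noted in the introduction. The following added example (not code from the paper or from any vendor product) runs simple parent/child and command-line rules over constructed process-creation events; the field names of the event records are an assumption rather than any product's schema.

```python
"""Detection rules for two Ryuk-related behaviours the paper describes:
an Office document's macro spawning a script interpreter, and deletion of
volume shadow copies before encryption.  Added example; the events below are
constructed to resemble endpoint process-creation telemetry (parent image,
child image, command line) and the field names are an assumption."""

from dataclasses import dataclass
from typing import List, Optional, Tuple

# Office applications that should never need to start a script engine.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Script hosts the paper names (PowerShell; JavaScript via wscript/cscript).
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# (image, command-line fragment) pairs associated with destroying restore points.
SHADOW_DELETE_MARKERS = (
    ("vssadmin.exe", "delete shadows"),
    ("wmic.exe", "shadowcopy delete"),
    ("wbadmin.exe", "delete catalog"),
)


@dataclass
class ProcessEvent:
    host: str
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(ev: ProcessEvent) -> Optional[str]:
    """Return an alert name for a suspicious event, or None if nothing matches."""
    parent, child = basename(ev.parent_image), basename(ev.image)
    cmd = ev.command_line.lower()
    if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
        return "office_macro_spawned_script_host"
    for image, fragment in SHADOW_DELETE_MARKERS:
        if child == image and fragment in cmd:
            return "shadow_copy_deletion"
    return None


def scan(events: List[ProcessEvent]) -> List[Tuple[str, str, str]]:
    """Return (host, alert, command_line) for every event that matches a rule."""
    hits = []
    for ev in events:
        alert = classify(ev)
        if alert:
            hits.append((ev.host, alert, ev.command_line))
    return hits


# Constructed sample telemetry: two benign events and two that should alert.
SAMPLE_EVENTS = [
    ProcessEvent("ws01", r"C:\Windows\explorer.exe",
                 r"C:\Program Files\Microsoft Office\WINWORD.EXE",
                 "winword.exe invoice.docm"),
    ProcessEvent("ws01", r"C:\Program Files\Microsoft Office\WINWORD.EXE",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -w hidden -enc AAAA"),   # placeholder payload
    ProcessEvent("ws01", r"C:\Windows\System32\services.exe",
                 r"C:\Windows\System32\svchost.exe",
                 "svchost.exe -k netsvcs"),
    ProcessEvent("fs02", r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\System32\vssadmin.exe",
                 "vssadmin.exe Delete Shadows /All /Quiet"),
]

if __name__ == "__main__":
    for host, alert, cmd in scan(SAMPLE_EVENTS):
        print(f"{host}: {alert}: {cmd}")
```

The parent/child rule fires regardless of what the script does, which is the point: a word processor has no legitimate reason to start PowerShell, so the rule holds up even when the macro's payload changes. The shadow-copy rule is a late signal, since by then the ransomware is already running, but it still distinguishes a ransomware stage from the data-stealing stage of an Emotet or TrickBot infection.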

B. Using Regular, Updated Malware Scans


This is a general rule that has been ignored often enough to be worth mentioning here. In order for security solutions to be effective, they need to be used and updated frequently so that they can recognize and block the latest threats.
In one case, the IT team of an organization didn't realize they were riddled with Emotet bots until they had updated their security software.
They had false confidence in a security solution that wasn't fully equipped with the tools to stop the threats, and because of that, they had a serious problem on their hands.

C. Using Network Segmentation


This is a tactic that we have been recommending for years, especially when it comes to protecting against ransomware. To ensure that you don't lose your mapped or networked drives and resources if a single endpoint gets infected, it's a good idea to segment access to certain servers and files.
There are two different ways to segment your network and reduce the damage from a ransomware attack. First, restrict access to certain mapped drives based on role requirements. Second, use a separate or third-party system for storing shared files and folders, such as Box or Dropbox.

IV. CONCLUSION
This last year has brought with it some novel approaches to causing disruption and destruction in the workplace. While ransomware was the deadliest malware for organizations in 2017, 2018 and beyond look set to bring us multiple malware families sent in a single attack chain.
What's more, families like Emotet and TrickBot continue to evolve their tactics, techniques, and capabilities, making them more dangerous with each new generation.
While today we might be worried about Emotet dropping Ryuk, tomorrow Emotet could simply act as ransomware itself. It's up to businesses and security professionals to stay on top of emerging threats, however minor they may appear, as they often signal a change in the shape of things to come.

