Research Saturday 3.23.19
Ep 78 | 3.23.19

Ryuk ransomware relationship revelations.
Dave Bittner: [00:00:03] Hello everyone, and welcome to the CyberWire's Research Saturday, presented by Juniper Networks. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, and solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.

Dave Bittner: [00:00:26] And now a word about our sponsor, Juniper Networks. Organizations are constantly evolving and increasingly turning to multicloud to transform IT. Juniper's connected security gives organizations the ability to safeguard users, applications, and infrastructure by extending security to all points of connection across the network. Helping defend you against advanced threats, Juniper's connected security is also open, so you can build on the security solutions and infrastructure you already have. Secure your entire business, from your endpoints to your edge, and every cloud in between, with Juniper's connected security. Connect with Juniper on Twitter or Facebook. And we thank Juniper for making it possible to bring you Research Saturday.

Dave Bittner: [00:01:13] And thanks also to our sponsor, Enveil, whose revolutionary ZeroReveal solution closes the last gap in data security: protecting data in use. It's the industry's first and only scalable commercial solution enabling data to remain encrypted throughout the entire processing lifecycle. Imagine being able to analyze, search, and perform calculations on sensitive data - all without ever decrypting anything. All without the risks of theft or inadvertent exposure. What was once only theoretical is now possible with Enveil. Learn more at

John Fokker: [00:01:53] We did an earlier piece on Ryuk. It hit the news just after Christmas and New Year's. I was travelling back from the States, back to Europe.

Dave Bittner: [00:02:01] That's John Fokker. He's head of cyber investigations in McAfee's Advanced Threat Research Unit. The research we're discussing today is titled, "Ryuk: Exploring the Human Connection."

John Fokker: [00:02:11] And we saw this - that the several press instances like that, I think the LA Times and some other newspapers were unable to print their newspaper because it was hit by Ryuk. And the thing that stood out to me - and actually one of my colleagues who I did the first piece with - we were like, it was attributed within a day to North Korea. And we didn't know where it went in that direction, but we both had a good feeling like, hey, we need to look into this, because this is going the wrong way. We publish - within McAfee, we publish a lot on North Korea, and this didn't have the same signs.

John Fokker: [00:02:47] So, we took a good look at it, and we were actually one of the first ones to say, like, hey, based on if we just look at the facts, it could be a regular cybercrime operation, but it's probably not North Korea. And that actually started a movement. So, we see a lot of our industry peers follow suit, and then they did a tremendous and really, really good in-depth additional research. But there is still something missing.

John Fokker: [00:03:16] And I was actually in contact with a company named Coveware, and they're great guys, and they specialize in mitigation of ransomware. So, if a company - and we always advocate don't pay, because you're supporting the extortionists - but they said, well, all in all, it's the choice of the company. But what they do is they're transparent about it, and they say, like, hey, if you are thinking of negotiation, please call us, we'll help you out, because we deal with this, we'll do the payments for you and all these things.

John Fokker: [00:03:46] So they had several Ryuk cases. And I was like, hey, that's interesting, because, from the security point of view, we always look at the malware and we try to pull it apart, but the human connection - which is, in an extortion case, maybe even the most interesting or the most relevant one - wasn't discovered or wasn't spoken about, wasn't researched. So, that made me team up with Coveware to take a closer look at how that worked for this specific ransomware family.

Dave Bittner: [00:04:13] Yeah, it's an interesting collaboration. One of the things you lead off this particular post about, the research that you did here, you talk about something called the "Diamond Model." Can you describe that for us?

John Fokker: [00:04:23] It's a holistic model for intrusion analysis, and you have, I think, some of the listeners also know the cyber kill chain. But it's a way of structuring the connection between - and it's shaped as a diamond, that's no surprise - between an adversary on the top and you have the victim on the bottom, and either left or right you have the capability of an actor or an adversary, and the infrastructure used. Now, with capability, we often say the malware. Infrastructure could be C2, infrastructure hosting, all these things. While the adversary - that's the criminal, that could be one or several. And the victim, it's his goal.

John Fokker: [00:04:59] So, when you look at traditional malware research, that's focused on the capability. And, for instance, if we do a cybercrime investigation, and we go on to a cyber criminal forum, and we would like to talk to an adversary, or we see an advertisement of a certain criminal - so, like, hey, do you want to buy this piece of ransomware? Then we're actually linking a capability - the piece of ransomware that we found - to somebody who's advertising it, the adversary. Or, if we analyze the ransomware, and within the code we see, like, hey, it beacons out to this specific C2 or command-and-control server infrastructure, we make a link with the infrastructure.

John Fokker: [00:05:37] And thus, there is also a link between an adversary and a victim, especially in this case. Because the victim has something that the adversary wants. And in this case, it's money. And vice versa is also true, because the adversary has something that the victim wants - that's access to his files.

Dave Bittner: [00:05:54] So it really - it provides a framework to sort of make connections between the various components.

John Fokker: [00:06:00] That is correct, yeah. It's a way to structure your thought process, and to make sure that you're not missing anything. And I use it personally in shaping my research. So I know like, okay, I'm now looking at this part of my research, and it's interesting to explore this connection.

Dave Bittner: [00:06:16] Well, let's dig into some of the details here about Ryuk. One of the things you delved into was the ransom amounts and the negotiations. What did you find here?

John Fokker: [00:06:25] Ryuk is a targeted form of ransomware, as we have seen, and the ransom amounts are really high. They're much, much higher as compared to, for instance, GandCrab, or the more run-of-the-mill, if you might call it, the other forms of ransomware-as-a-service. So that's something that stands out in Ryuk. And in the beginning, when it was discovered, we saw that there was a similarity between the ransom notes that the software leaves behind and other forms like BitPaymer. We still don't know if there is a link or if it's just a way of showing their - (Laughs) - it's like a copy, an imitation, as a sincerest form of flattery.

Dave Bittner: [00:07:03] Right. (Laughs) Right. There's some laziness with the copy-and-paste.

John Fokker: [00:07:07] Yeah. Yeah. Why change something winning, if you, uh - in Dutch, we say, why would you develop something that's half-flawed, if you could just steal it and it's perfect?

Dave Bittner: [00:07:19] (Laughs) I like it. So, in terms of the numbers here, what are we talking about? What kind of dollars are they asking for?

John Fokker: [00:07:25] Oh wow, they have demands in bitcoins and it's - it could be they calculate it - that's what we suspect, also when working with Coveware - because it's targeted, so they access the network. It's not like, okay, they deliver the ransomware and they lock your machine, and they hope for - that you'll pay. They actually actively intrude your network, do a lateral movement, try to get control of the domain controller, and then have an estimate about how big your network is. Based on the size of your network, they will show you or they will demand a certain amount of bitcoins. And that could be a relatively large amount. For instance, if you're a hosting company, because then you have a lot of computers. So it's sizable, and it could be anywhere from ten bitcoins all the way up to - I think we saw like a hundred, or thirty. But it's relatively really, really high amounts.

Dave Bittner: [00:08:19] Yeah, and one of the things you pointed out in your research was that that sort of spreads a disproportionate amount of risk to particular industries.

John Fokker: [00:08:26] That is correct, yeah. If you run an industry that's - where you're reliant on, for instance, logistics, or, like I touched on, hosting providers - there's not a lot of profit to be made, and you have a lot of systems to work together, and you cannot afford a lot of downtime - those types of companies are hit the hardest by Ryuk. Especially if they don't have proper backups, and it's not segmented and they were able to penetrate the whole network, as we've been told by Coveware, they had - and in our research - we saw companies going out of business because of this.

Dave Bittner: [00:09:02] Now, one of the things that you tracked is their bitcoin activity. What did you see there?

John Fokker: [00:09:06] Yeah. You see in - when we look at the activity, we do see that there's a large amount. It varies - those being the separate victims. And we see there's payments being done and there's payments taken out. So people are paying, and they're making a lot of money. That's what we see.

Dave Bittner: [00:09:23] Yeah. It's interesting also, to me, that they seem to be open to negotiations.

John Fokker: [00:09:28] Yes. It is a really interesting negotiation style. It's extremely short and blunt, but we did see two types of profiles though. Some were stonewalled and they said like, hey, you have to pay this amount, and they were not negotiable. Where other cases - and it's all Ryuk, whereas first we thought it was one group - there was a completely different way of doing their business, or modus operandi. And they actually were very susceptible to negotiation. So they were able to lower the amount that had to be paid. And that's interesting to us, because that shows two different methods of operation, and that might indicate that there are several people or several groups active with Ryuk.

Dave Bittner: [00:10:11] Yeah, it was interesting to note in some of the email responses that you published in your research. One of them even included a paragraph on ways to protect yourself from future infections.

John Fokker: [00:10:22] Yeah. That's something that's typical for a lot of ransomware cases that we see. I think CryptoWall, back in the day, was one of the first ones to start with, "Congratulations, you're now part of the club." And for some reason, sometimes they even see themselves as a help desk. And I've read a lot of these communications, and I don't know if there's such a thing as a cyber-Stockholm Syndrome, but sometimes even the victims are grateful that they can get their files back, and they're grateful to the criminals...

Dave Bittner: [00:10:52] Hmm.

John Fokker: [00:10:51] ...Which is interesting to me because they're actually the perpetrators.

Dave Bittner: [00:10:56] Yeah. Well, let's dig into some of the details of the decryptor. So, suppose someone does pay up. They pay the ransom. What do they get sent, and what's in that file?

John Fokker: [00:11:06] What we suspect, and that's our running hypothesis - we're almost certain it's - Ryuk is a modified version of Hermes, and Hermes was a kit. Hermes2.1 was a kit that sold on Exploit[.]IN, the forum. And what they get there is a really simple decryptor - MS-DOS - and you could run it, and the first iteration when you run it, it will check if the virus is still persistent within the registry. It will delete that registry key, it will delete the service, and it will ask you to reboot the system. When you rebooted it, you'd run the system again, and it's just basically a couple of lines of terminal code. It has two options. Either you can decrypt per file, or it says "automatic decryption."

John Fokker: [00:11:52] But it is very rudimentary and very simple. Whereas Ryuk is targeted at organizations - it's usually several computers and it is a network environment and they try to spread it en masse - whereas when we take a look at the decryptor, it's never built for network distribution decryption. It is a very faulty program system which halts if there is some alterations in the file path, and it will just fail the decryption process. So it makes me believe that they modified something just slightly, but it wasn't made for this type of ransomware - targeted ransomware distribution.

Dave Bittner: [00:12:34] Yeah, that's an interesting disconnect - that on the encryption side, they have, I suppose, a certain level of sophistication, by being able to move laterally and so forth. But the decryptor doesn't match.

John Fokker: [00:12:46] Yeah. Our suspicions are, with this group, is that their specialty - and that's also linked with the way it's delivered. So it's - from our industry peers we've seen it as well, and there's a really strong connection with Trickbot, one of the more sophisticated - well, it's not even a banking Trojan anymore, it's a Swiss Army knife. And we suspect that this group, or the groups behind it, have a better skill set in penetration testing, or doing the actual penetration, lateral movement, getting the domain controller, and more of the hands-on hacking skills, as opposed to being a brilliant ransomware or malware coder.

John Fokker: [00:13:28] So they're - we see that they're really comfortable in running through a system and gaining control, but they're not coders. So they will use the Ryuk - what we think is that they bought that somewhere else - and they will just deploy that. That's a telltale sign that's specific for this type of infection.

Dave Bittner: [00:13:45] Yeah, it's interesting that when you look at how Ryuk is a very expensive bit of ransomware - I guess, the amount of ransom that they're asking for is very high - you would expect better customer service, for lack of a better word, when it comes to getting your files back.

John Fokker: [00:14:02] That is absolutely true. For the amount of money that they ask and that they're actually being paid, you would expect that it could - I actually jokingly said that to a couple of colleagues, it's like, wow, they could hire a really good programmer to make this into a much better product.

John Fokker: [00:14:18] But it is very worrisome, for us as well. Because certain companies - they go all out, and they could barely pay the ransom demand. Then you're faced with a decryptor that doesn't work properly. And that brings you another level of problems. You're either - it will fail and you won't get your files back at all, or it takes away the extensions of your files, so only by your filename you should recognize what your files are. Well, try to do that in a network environment for a company - that's months worth of work. That's so strange. So, yeah. I don't want to call it out, but they'd better do some better programming.

Dave Bittner: [00:14:56] Yeah, it's interesting, because you'd think, you know, word would get around, they'd get a bad reputation, and people would stop paying the ransom.

John Fokker: [00:15:02] Yeah. Because they get inside and they infect, they're really, really successful in spreading through a network, and spreading on all these computer systems. And certain companies - they also have a problem with the backups, because they go that far that they can also wipe out the backup systems as well.

Dave Bittner: [00:15:21] Yeah. You made a really good point in your post here about this. You said that victims should always make an exact copy of the encrypted hard disk before trying to use the decryptor.

John Fokker: [00:15:31] That is correct. And that actually goes for any type of ransomware. When you look at what the industry does, together with law enforcement, we've set up a portal called "No More Ransom," where you can get keys for ransomware. It's not necessarily for Ryuk, but for other forms of ransomware as well. So, if you have recent backups and you can place them back, fine, go for it. Then you're back in business. But if you have the option, please leave your encrypted drive, and backup to a new drive, because at least you'll have your files, even though they're encrypted. If there's a decryptor coming out in the future, you could use that to decrypt your files.

John Fokker: [00:16:05] And in the case of Ryuk, because it's faulty, at least you'll have a second chance. You can figure out, based on, for instance, the findings that we had in our article, you have a second try. Because it's - nothing is as bad as if you only have one copy, and you try the decryptor, and it fails, and all your files are lost forever.

Dave Bittner: [00:16:23] Yeah. Well, so take us through - what are your conclusions here? Based on the information you've gathered here, what do you think we're dealing with?

John Fokker: [00:16:31] Yeah. We tried to do our research based on competing hypotheses. So we actually put a hypothesis out there that we think is our leading hypothesis, and we actually invite the industry to prove otherwise. It's more of a scientific approach, because if they can't prove it otherwise, or falsify our findings, then it's the strongest hypothesis. And what we think is that Ryuk is a direct descendant of Hermes2.1. There's slight modifications, but we saw the Hermes file marker in the decryptor, as in the software, and in the encrypted files. Well, as I said earlier, Ryuk is definitely not designed for use in large-scale corporate environments. And that also shows in the scalability issues in the decryptor.

John Fokker: [00:17:16] And based on the negotiations that we saw, and in the tactics, the TTPs, we think there's several actors or actor groups spreading Ryuk, and they might be tied in because there's a relationship with Trickbot. And also, based on some of the conversations that we have seen, we think there is a link with some Post-Soviet republics. There is a definite link with that, because we found some quotes.

Dave Bittner: [00:17:43] What do you make of, when we were - at the beginning of our conversation, about what you perceive, I suppose, as a misattribution that was sort of latched onto by a lot of people?

John Fokker: [00:17:53] It can happen. What we see in the industry a lot is there's a lot of - and also from the media - everybody wants to know, "whodunit?" Who is behind it? That's natural. And I come from a law enforcement background, and that's also, "whodunit?" That's also the question that everybody wants to know.

John Fokker: [00:18:11] But we have to realize that, when we're in the security industry, and we're looking at the capability of actors, that "who" is not our strong suit. It's more like, "what happened, and how did they do it?" We should shy away from attribution, and that's our call. Because it was - the whole case was linked on a finding that there was something - that actually the ransomware was used by North Korea in a separate campaign as a distraction. But it had no signs that it was made by North Korea or whatever. And we could find the ransomware back on the forums, on a Russian underground forum.

John Fokker: [00:18:45] So, it was a jump to conclusions, and we would really advocate, don't do that. Just stick to the facts and, together, as an industry, everybody has a piece of the puzzle, and then we can tie it together and come to stronger hypotheses and actually help law enforcement agencies worldwide with their efforts in attribution or arresting these individuals.

Dave Bittner: [00:19:08] So, what are your recommendations for organizations to protect themselves, both against Ryuk specifically, but ransomware in general?

John Fokker: [00:19:16] Well, the number one thing, "an ounce of prevention is better than a pound of cure," I think Benjamin Franklin once said. Backups are the number one thing. And if you have a chance, offline backups as well. Network segmentation. Have your antivirus updated. Look at - especially with the targeted ransomware campaigns or any targeted campaign - look at how your identity management is done, because they always go for the domain control. Look at, for instance, in a corporate environment, take a look at your users and re-evaluate the rights that certain users have, because there's a lot of rights aggregation taking place in companies. Maybe even enforce two-factor authentication on certain accounts. Things like that. It's basic disaster recovery hygiene, and hardening your network infrastructure with defense-in-depth.

John Fokker: [00:20:02] For this ransomware, there's no general decryptor. But for other ransomware cases, I would advise people - if you want to have more prevention advice, or what to do, or if you want to report to the police, please visit It's a nonprofit, it's made by a lot of industry partners - so, ourselves and all the other companies - and law enforcement and government agencies. And they offer free decryptors for a lot of things.

John Fokker: [00:20:28] So if there's any listeners, for instance, who got hit by GandCrab, and they have up to, I think, GandCrab version 5.1, there is a general decryptor that can help get your files back.

Dave Bittner: [00:20:43] Our thanks to John Fokker from McAfee for joining us. The research is titled, "Ryuk: Exploring the Human Connection." We'll have a link in the show notes.

Dave Bittner: [00:20:52] Thanks to Juniper Networks for sponsoring our show. You can learn more at, or connect with them on Twitter or Facebook.

Dave Bittner: [00:21:01] And thanks to Enveil for their sponsorship. You can find out how they're closing the last gap in data security at

Dave Bittner: [00:21:10] The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. The coordinating producer is Jennifer Eiben. Editor is John Petrik. Technical editor is Chris Russell. Executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening.