
WHITEPAPER

MAZE & RYUK THREAT ASSESSMENT REPORT

THREAT RECONNAISSANCE UNIT (TRU)

INTRODUCTION

Where we are right now

Ransomware first entered the scene as a serious and categorical threat in May 2017. Since then, the new category has been an incredible money-maker for threat actors, and multiple variations have been iterating non-stop ever since. Chief Information Security Officers (CISOs) and security teams across the globe have focused their efforts on detecting and deterring these destructive attacks. One trend, however, appears to be certain: ransomware is here to stay, and both the virulence and velocity of these attacks are on the rise.

Two new strains of ransomware appear particularly troubling. Security On-Demand’s Threat Reconnaissance Unit (TRU) has published this Threat Assessment Report in an effort to help educate our community on better identifying indicators and to provide guidance on a strategy to counteract this threat. Unlike typical ransomware, which shares many behavioral commonalities in terms of how it proliferates, the Ryuk and Maze ransomware strains are changing the landscape, and we believe this to be a cause for concern as a new chapter unfolds. Let us examine the Ryuk ransomware first.

THE RYUK RANSOMWARE

Security researchers have attributed Ryuk to the Wizard Spider threat group operating out of Russia and , which was first observed in October 2018. Prior to Ryuk, this group of hackers operated the “TrickBot” banking Trojan, designed to steal banking information to commit wire fraud. The group’s transition from TrickBot to ransomware confirms that cybercriminals are evolving and adopting new tactics to collect even greater profits.

How Ryuk Works

The Wizard Spider group first acquired a commoditized ransomware called Hermes*, then modernized and updated the code to make it more unique. The Ryuk ransomware was designed to specifically target enterprise systems, ranging from national governments to healthcare companies and media giants. The initial attack is perpetrated in a variety of ways. Similar to most other ransomware attacks, it has propagated via well-crafted spear-phishing attacks; however, it has also been equally effective through traditional vulnerability exploitation and drive-by-download attacks using “click-bait” ads and websites. Following a successful initial-stage execution, a first-stage malware is downloaded and installed, usually TrickBot or other Trojans. These Trojans do the introductory “investigative” work on the infected system by looking for and stealing credentials stored in the victim’s web browsers and cached credential areas, then download and install the Ryuk ransomware.

Ryuk Proliferation

At this point in the lifecycle of a traditional ransomware attack, the ransomware would generally execute and immediately start encrypting folders and files. Such rapid execution decreases the likelihood of detection, and this process may take as little as 30 seconds or as long as several minutes. Regardless, Ryuk is most successful when the device’s antivirus or endpoint protection services have failed to identify and quarantine the threat on the endpoint or target system.

Ryuk’s biggest differentiator is its ability to install and evade detection while making advances on the victimized machine as it attempts to propagate itself across the network. In some attacks, similar to the NotPetya destructive attack in 2017, Ryuk spreads internally by exploiting the MS17-010 SMB vulnerability that was made famous in the WannaCry ransomware attack in the same year. In other cases, Ryuk spreads by exploiting network shares or PsExec, or by compromising devices or servers via stolen credentials. As additional insurance to ensure that the target cannot recover, the Ryuk program looks specifically for data backups and attempts to encrypt those as well. Thus, Ryuk manages to negate the typical mitigation strategy that many companies employ of backing their systems up and then restoring them in the event of such an attack.

The Wizard Spider hackers are known to be patient. The entire preparation phase may last several months, allowing them both to steal vast amounts of information and to maximize the damage, increasing the likelihood of a paid ransom. In some of the Ryuk program’s most recent advancements, the ransomware is reported to actually avoid encrypting Linux virtual machines (VMs) operating on Windows 10 computers, because the encryption essentially destroys the VM, making a ransom impossible to obtain; the hackers would lose their ability to provide a recovery mechanism.

*Hermes has been used in ransomware attacks across the globe by a variety of threat groups and individuals. Most are non-targeted attacks carried out through bulk phishing email campaigns.

The Ransom Part

Once all the files are encrypted, a ransom note takes over the screen, which is typical for all ransomware. The message informs the victim of what has occurred and that they will be unsuccessful if they try to decrypt their devices with their existing tools, leaving them no option but to pay the required bitcoin amount shown on the screen.

Another significant way Ryuk differs from typical ransomware is the exorbitant ransom demand. For example, the WannaCry attack in 2017, which impacted over 200,000 devices in a 24-hour period, resulted in the hackers making only about $150,000 USD in total. That is less than $1,000 per compromised device. Conversely, during the onslaught of Ryuk attacks in August 2018, Ryuk reportedly made over $3M despite compromising far fewer devices and organizations.

One Ryuk attack was against the City of New Bedford, Massachusetts, in which the Wizard Spider hackers demanded a bitcoin payment valued at $5.3M. The Mayor noted that other ransomware attacks against municipalities usually asked for an average of about $300,000, so he attempted to negotiate with the hackers, offering to pay $300K instead of the $5.3M. The offer was rejected, but fortunately for the city, its solid network architecture meant that only 4% of its devices were impacted. The malware also failed to encrypt the data backups, so the Mayor refused to pay the ransom and the city restored its systems with minimal disruption to services.

While this was a win for the City of New Bedford, most other targets are not as fortunate. The current trend is that most organizations are actually paying the ransom rather than risk the destruction and recovery effort involved in ignoring the demands. Most organizations that do not have a backup or an easily accessible copy of their data feel they have no choice but to pay.

THE MAZE RANSOMWARE

Though the Maze ransomware is not as common or prolific as Ryuk, Maze and the hackers behind it are changing the game as we know it by operating very differently from typical ransomware. Like Ryuk, the Maze ransomware was initially identified in late 2018 and uses a variety of attack vectors to get into victims' networks, most commonly phishing, vulnerability exploitation, or RDP exploitation. The exploitation of the Remote Desktop Protocol (RDP) is fairly unique to Maze. During the reconnaissance phase, it specifically looks for devices that have TCP port 3389 open (a very commonly open port), then crafts an attack to exploit it. With this tactic, Maze has been successful against many of its most prominent victims.

Impact from Maze

The most unique aspect of Maze, a game changer in the ransomware world, is the threat to “publicly shame” the victim if they have not contacted the attackers or paid the ransom. The Maze creators have introduced a website that openly shares samples of the information stolen from the victims and publicizes the compromise as an additional incentive to pay the ransom. The message on the website reads as follows:

“Represented here companies don't wish to cooperate with us, and trying to hide our successful attack on their resources. Wait for their databases and private papers here. Follow the news!”* The hackers also emphasize that the published information only acts as leverage for getting paid and that they don’t care about the actual data or have any intention of selling it, but they will send all of the stolen information to WikiLeaks should the victim not pay.

Shaming the victim in public puts the victim in a challenging position, both psychologically and legally. First, the psychological game instills fear or anxiety, making the victim more inclined to pay the ransom rather than have more of their proprietary information leaked onto the internet, where competitors or other undesirable entities could access it. Second, it puts them in a difficult position regarding disclosure laws and requirements. Each state and country has different laws for breach disclosure, and every company approaches it differently. The hackers normally disclose the breach for the victim before the victim has had much time to investigate, remediate, and determine the true scope of the breach.

RECOMMENDATIONS

These evolutions in ransomware tactics suggest several conclusions and recommendations.

Protect Your Backups - Cybercriminals are aware that you will likely not pay the ransom if you have a robust and ready backup capability. That’s why they will want to target your backup system, disable it, or encrypt your backups or other copies of data. Protecting your backups also means that you should be monitoring them for unauthorized access. The attackers know that it will probably cost your company more to restore all the data from backups; however, if your backup gets encrypted or your system is not very robust, you will be at greater risk with one less option to recover.

Incident Preparedness - We suggest that you build protocols around a ransomware attack as part of your IR plan. You should also incorporate a ransomware attack in an upcoming table-top exercise. We recommend that you test your processes and war game (simulate) ransomware attacks to test your recovery scenarios.

Improve Your Threat Detection - Catching the attack in the early stages can prevent significant financial impact and limit the potential damage. Many SIEM solutions today do not have the ability to detect advanced threats or to correlate ransomware indicators that can be detected easily. Ensure that your monitoring coverage is 24x7. If you don’t have the infrastructure or staff to fully monitor, consider hiring a Managed Security Services Provider with advanced threat detection capabilities.

Improve Security Awareness Training - Humans are always the weakest link in the attack. Continued vigilance in helping users discern legitimate from non-legitimate communications is crucial.
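As an added illustration of the backup-monitoring and threat-detection recommendations above, the following Python snippet, which is not from this report or from Security On-Demand, runs two SIEM-style use cases over constructed file-server audit events; the event format, account names, share paths and thresholds are assumptions, not any vendor's schema.

```python
"""Two ransomware detection use cases over constructed file-server audit events.
Added example; field layout, accounts, paths and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: "<ISO timestamp> <user> <host> <action> <path>".
# A non-backup account touches the backup share, then renames 40 files in 40 s.
SAMPLE_EVENTS = [
    "2020-01-14T02:00:01 svc_backup fs01 WRITE  \\\\fs01\\backups\\daily.vbk",
    "2020-01-14T02:03:12 jdoe       fs01 READ   \\\\fs01\\backups\\daily.vbk",
    "2020-01-14T02:03:13 jdoe       fs01 WRITE  \\\\fs01\\backups\\daily.vbk",
] + [f"2020-01-14T02:05:{i:02d} jdoe fs01 RENAME \\\\fs01\\finance\\doc{i}.xlsx"
     for i in range(40)]

BACKUP_ACCOUNTS = {"svc_backup"}      # assumed accounts allowed on backup shares
BACKUP_PREFIX = "\\\\fs01\\backups\\"  # assumed backup share path
BURST_THRESHOLD = 30                  # renames/writes per user within the window
BURST_WINDOW = timedelta(minutes=1)


def parse(line):
    """Split one audit line into (timestamp, user, host, action, path)."""
    ts, user, host, action, path = line.split(maxsplit=4)
    return datetime.fromisoformat(ts), user, host, action, path


def detect(lines):
    """Return alert strings for backup-share access by unexpected accounts
    and for mass rename/write bursts that resemble file encryption."""
    alerts = []
    recent = defaultdict(list)  # per-user timestamps inside the sliding window
    for line in lines:
        ts, user, host, action, path = parse(line)
        # Use case 1: backup data touched by an account that is not the backup service.
        if path.startswith(BACKUP_PREFIX) and user not in BACKUP_ACCOUNTS:
            alerts.append(f"backup-access {user} {action} {path}")
        # Use case 2: burst of modifications by one user (encryption-like behaviour).
        if action in ("RENAME", "WRITE"):
            times = recent[user]
            times.append(ts)
            while times and ts - times[0] > BURST_WINDOW:
                times.pop(0)  # discard events that fell out of the window
            if len(times) == BURST_THRESHOLD:  # alert once when the threshold is crossed
                alerts.append(f"mass-modify {user}@{host} {len(times)} in {BURST_WINDOW}")
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The sample produces two backup-access alerts for jdoe and one mass-modify alert once the 30th rename lands inside the one-minute window.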

* Note the broken English is intentional.

Review the Scope of Your Device Logging

1. Log monitoring of all critical devices and all devices that could be a conduit for ransomware.
2. Conduct an audit to review what devices may be on your network that should be logged but are currently not providing telemetry to your threat management platform or service provider.
3. Incorporate logs from anti-phishing measures for email and web content, and develop use cases that will trigger alerts on activity that may be indicative of ransomware behaviors or patterns.

CONCLUSION

These recent advances by Ryuk and Maze change the ransomware game. It is even more critical than ever before to invest wisely in cybersecurity as an organization. Mature vulnerability management, email security, endpoint protection, and security operations are important for maintaining secure data and need to be at the center of information security efforts.

As we continue in 2020, it is inevitable that new and unexpected advances will appear in ransomware and other cybercriminal activities. The more secure and resilient our networks are now, the less likely we are to fall victim to Ryuk, Maze, or whatever new variant is on the horizon.

ABOUT SECURITY ON-DEMAND

Security On-Demand (SOD) provides 24x7 advanced cyber-threat detection services for businesses and government agencies. SOD’s “security-as-a-service” solutions include 24x7 advanced threat monitoring and detection, network intrusion protection, automated remediation, log analysis, and regulatory compliance solutions.

Headquartered in San Diego, California, with R&D offices in , SOD services and protects hundreds of brands globally and is the winner of multiple industry awards. For more information about Security On-Demand, please visit www.securityondemand.com. Follow us on Twitter @SecurityOnDemand.
