Ryuk ransomware develops worm-like capability

The French government’s computer emergency readiness team, which is part of the National Cybersecurity Agency of France (ANSSI), discovered a Ryuk variant with worm-like capabilities during an incident response.

For those unacquainted with Ryuk, it is a type of ransomware that is used in targeted attacks against enterprises and organizations. It was first discovered in the wild in August 2018 and has been used in numerous cyberattacks since, including high profile incidents like the attack on the Tampa Bay Times and other newspapers in January 2020. According to the FBI, it is the number one ransomware in terms of completed ransom payments.

How has Ryuk changed?

The French team found a variant of Ryuk that could spread itself from system to system within a Windows domain. Once launched, it spreads itself to every reachable machine on which Windows Remote Procedure Call (RPC) access is possible. (Remote procedure calls are a mechanism for Windows processes to communicate with one another.)

Why is this remarkable?

This is notable for two separate reasons.

  • Ryuk used to be dropped into networks and spread manually, by human operators, or deployed into networks by other malware.
  • Historically, one of the major players when it came to dropping Ryuk has been Emotet. And as it happens, the Emotet botnet suffered a serious blow when, in a coordinated action, multiple law enforcement agencies seized control of the Emotet botnet. And if the plan behind this takedown works, the botnet will be rolled up from the inside.

Targeted ransomware attacks command high ransoms because they infect entire networks, grinding whole organizations to a halt. Until this discovery, Ryuk had always relied on something else to spread it through the networks it attacked.

Given the timing of the Emotet takedown (January 27, 2021) and the discovery of the worm-like capabilities (“early 2021”) it’s tempting to connect the two. However, it would have required a very quick turn-around for these new capabilities to have been developed in response to the loss of Emotet. On the other hand, I’m not a firm believer in coincidence, especially when there are compelling reasons to suspect otherwise.

Not an Emotet alternative

But the new-found worm capabilities of Ryuk are not an alternative to the initial infection of a network that was done through Emotet. The worm-like capabilities are used to spread once the attackers are inside a network, not to get inside in the first place.

And even though Emotet was renowned for appearing in combination with Ryuk, it certainly wasn’t its exclusive dealer. It is still hard to tell what the impact of the Emotet takedown will be on the malware families that were often seen as its companions.

Ryuk’s technical capabilities

The team behind Ryuk has proven with earlier tricks that they are very adept at using networking protocols. In 2019 researchers found that Ryuk had been updated with the ability to scan Address Resolution Protocol (ARP) tables on infected systems, to obtain a list of known systems and their IP and MAC addresses. For systems found within the private IP address range, the malware was then programmed to use the Windows Wake-on-LAN command, sending a packet to the device’s MAC address, instructing it to wake up, so it could remotely encrypt the drive. Wake-on-LAN is a technology that allows a network professional to remotely power on a computer or to wake it up from sleep mode.
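For defenders, the Wake-on-LAN step is visible on the wire. The following is an added example, not code from the original article or from ANSSI: it recognises Wake-on-LAN magic packets in captured UDP payloads and reports any sender that wakes several distinct machines. The packet list, IP addresses, MAC addresses and the threshold are constructed for illustration.

```python
from collections import defaultdict

SYNC = b"\xff" * 6  # a magic packet starts with six 0xFF bytes


def magic_packet_target(payload: bytes):
    """Return the target MAC if payload holds a Wake-on-LAN magic packet, else None."""
    start = payload.find(SYNC)
    while start != -1:
        mac = payload[start + 6:start + 12]
        body = payload[start + 6:start + 6 + 16 * 6]
        # After the sync bytes the target MAC is repeated exactly 16 times.
        if len(mac) == 6 and body == mac * 16:
            return ":".join(f"{b:02x}" for b in mac)
        start = payload.find(SYNC, start + 1)
    return None


def wol_fanout(packets, threshold=3):
    """packets: iterable of (src_ip, udp_payload).
    Return {src_ip: [MACs]} for senders that woke >= threshold distinct machines."""
    targets = defaultdict(set)
    for src, payload in packets:
        mac = magic_packet_target(payload)
        if mac:
            targets[src].add(mac)
    return {s: sorted(m) for s, m in targets.items() if len(m) >= threshold}


def build_sample(mac_hex: str) -> bytes:
    """Build a constructed magic-packet payload for the sample data below."""
    return SYNC + bytes.fromhex(mac_hex) * 16


# Constructed sample capture: one workstation waking three peers in a row,
# one single wake-up from an admin host, and one payload that is not WoL.
SAMPLE_PACKETS = [
    ("10.0.0.23", build_sample("001122334401")),
    ("10.0.0.23", build_sample("001122334402")),
    ("10.0.0.23", build_sample("001122334403")),
    ("10.0.0.5", build_sample("001122334401")),
    ("10.0.0.23", SYNC + b"not a magic packet"),
]

if __name__ == "__main__":
    for src, macs in wol_fanout(SAMPLE_PACKETS).items():
        print(f"{src} sent Wake-on-LAN to {len(macs)} hosts: {', '.join(macs)}")
```

A workstation that is not a management server has little reason to wake a series of peers, so the threshold can be set low on most networks.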

The combination of ARP and RPC

Summing up, this new variant can find systems in the “neighborhood” by reading the ARP tables, wake those systems up by sending a Wake-on-LAN command, and then use RPC to copy itself to identified network shares. This step is followed by the creation of a scheduled task on the remote machine.
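The last two steps of that chain, a file copied to a share followed by a scheduled task on the same machine, can be correlated from Windows Security logs. The sketch below is an added example, not part of the original article: it assumes auditing is enabled for events 5145 (network share access) and 4698 (scheduled task created), and the records, simplified field names, hosts, account and time window are all constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified records modelled on Security events 5145 and 4698.
EVENTS = [
    {"time": "2021-03-01T02:10:01", "host": "WS-01", "id": 5145,
     "user": "CORP\\svc_backup", "src_ip": "10.0.0.23", "access": "WriteData"},
    {"time": "2021-03-01T02:10:20", "host": "WS-01", "id": 4698,
     "user": "CORP\\svc_backup"},
    {"time": "2021-03-01T02:10:05", "host": "WS-02", "id": 5145,
     "user": "CORP\\svc_backup", "src_ip": "10.0.0.23", "access": "WriteData"},
    {"time": "2021-03-01T02:10:31", "host": "WS-02", "id": 4698,
     "user": "CORP\\svc_backup"},
    # Share write and task creation hours apart: not correlated.
    {"time": "2021-03-01T01:00:00", "host": "WS-03", "id": 5145,
     "user": "CORP\\admin", "src_ip": "10.0.0.50", "access": "WriteData"},
    {"time": "2021-03-01T03:00:00", "host": "WS-03", "id": 4698,
     "user": "CORP\\admin"},
]


def remote_copy_then_task(events, window=timedelta(minutes=5)):
    """Return {(src_ip, host, user)} where a remote share write on a host was
    followed within `window` by a task creation under the same account."""
    writes = defaultdict(list)  # (host, user) -> [(time, src_ip)]
    hits = set()
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        key = (ev["host"], ev["user"])
        if ev["id"] == 5145 and "WriteData" in ev.get("access", ""):
            writes[key].append((when, ev["src_ip"]))
        elif ev["id"] == 4698:
            for written, src in writes[key]:
                if timedelta(0) <= when - written <= window:
                    hits.add((src, ev["host"], ev["user"]))
    return hits


def fanout_sources(events, min_hosts=2):
    """Return {src_ip: [hosts]} for sources that hit at least `min_hosts` machines."""
    per_src = defaultdict(set)
    for src, host, _user in remote_copy_then_task(events):
        per_src[src].add(host)
    return {s: sorted(h) for s, h in per_src.items() if len(h) >= min_hosts}


if __name__ == "__main__":
    print(fanout_sources(EVENTS))
```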

In 2019, the NCSC reported that

“Ryuk ransomware itself does not contain the ability to move laterally within a network,”

meaning that attackers would first conduct network reconnaissance, identify systems for exploitation and then run tools and scripts to spread the crypto-locking malware. With the development of this new capability, this statement is no longer true.

Mitigating network traversal

One of the mitigation processes that were proposed, and that didn’t involve any cyber-security software, was to disable the user account(s) that are in use to send the RPC calls, and to change the KRBTGT domain password. The KRBTGT is a local default account that acts as a service account for the Kerberos Distribution Center (KDC) service. Every Domain Controller in an Active Directory domain runs a KDC service. Disabling the user account(s), and especially changing the KRBTGT domain password, will have a serious effect on the network operations and require many systems to reboot. But these troubles don’t outweigh the ramifications of a full network falling victim to ransomware.

Keep your networks safe, everyone!


Pieter Arntz

Malware Intelligence Researcher
