The sample loads and injects the malicious payload into cmd.exe.
Loader
Anti-Debug bypass:
Set ZF=1 at address 00415408 to bypass the check.
After bypassing it, locate the standard Windows API calls used for process injection and step through them in the debugger to reach the injected process.
cmd.exe
The payload in cmd.exe resolves all the Windows APIs it needs dynamically:
The actual payload sits at memory address 35000000
(the address may differ between runs). Carve it out of memory and fix the PE header before static analysis.
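Carving and fixing a memory-dumped PE, as an added example that is not part of the original notes: an image copied out of process memory is laid out by VirtualAddress and SectionAlignment, but its section headers still describe the on-disk layout (PointerToRawData, FileAlignment), so disassemblers map the sections to the wrong file offsets until the headers are rewritten. The dump below is constructed for the example; the offsets and field layout are the documented IMAGE_FILE_HEADER / IMAGE_OPTIONAL_HEADER / IMAGE_SECTION_HEADER structures.

```python
import struct

# Added example (not from the original notes): carve a PE image out of a raw
# memory dump and rewrite its section headers so static tools load it from
# the in-memory layout. The sample dump is constructed, not the real payload.

PE_SIG = b"PE\0\0"
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")   # IMAGE_SECTION_HEADER, 40 bytes

def _nt_offset(buf, base=0):
    """Offset of the 'PE\\0\\0' signature for the DOS header at base (e_lfanew at 0x3C)."""
    return base + struct.unpack_from("<I", buf, base + 0x3C)[0]

def find_pe_images(blob):
    """Offsets of every plausible PE image in blob: 'MZ', sane e_lfanew, 'PE\\0\\0'."""
    hits, pos = [], blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):
            nt = _nt_offset(blob, pos)
            if 0x40 <= nt - pos < 0x1000 and blob[nt:nt + 4] == PE_SIG:
                hits.append(pos)
        pos = blob.find(b"MZ", pos + 1)
    return hits

def carve_image(blob, offset):
    """Slice one image out of the dump using SizeOfImage (optional header + 56)."""
    opt = _nt_offset(blob, offset) + 24            # signature(4) + IMAGE_FILE_HEADER(20)
    size_of_image = struct.unpack_from("<I", blob, opt + 56)[0]
    return blob[offset:offset + size_of_image]

def section_table(image):
    """[(name, VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData), ...]"""
    nt = _nt_offset(image)
    nsec = struct.unpack_from("<H", image, nt + 6)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", image, nt + 20)[0]   # SizeOfOptionalHeader
    first = nt + 24 + opt_size
    rows = []
    for i in range(nsec):
        name, vsize, vaddr, rawsize, rawptr, *_ = SECTION_HDR.unpack_from(image, first + i * SECTION_HDR.size)
        rows.append((name.rstrip(b"\0").decode("ascii", "replace"), vaddr, vsize, rawptr, rawsize))
    return rows

def alignments(image):
    """(SectionAlignment, FileAlignment); same optional-header offsets for PE32 and PE32+."""
    opt = _nt_offset(image) + 24
    return struct.unpack_from("<II", image, opt + 32)

def fix_dumped_pe(image):
    """Return a copy whose raw layout equals its virtual layout:
    PointerToRawData = VirtualAddress, SizeOfRawData = VirtualSize,
    FileAlignment = SectionAlignment."""
    buf = bytearray(image)
    nt = _nt_offset(buf)
    if buf[nt:nt + 4] != PE_SIG:
        raise ValueError("not a PE image")
    opt = nt + 24
    nsec = struct.unpack_from("<H", buf, nt + 6)[0]
    opt_size = struct.unpack_from("<H", buf, nt + 20)[0]
    struct.pack_into("<I", buf, opt + 36, struct.unpack_from("<I", buf, opt + 32)[0])
    first = opt + opt_size
    for i in range(nsec):
        hdr = first + i * SECTION_HDR.size
        vsize, vaddr = struct.unpack_from("<II", buf, hdr + 8)
        struct.pack_into("<II", buf, hdr + 16, vsize, vaddr)    # SizeOfRawData, PointerToRawData
    return bytes(buf)

def build_sample_dump():
    """Constructed input: junk bytes, then a minimal PE32 with one .text section
    whose header still says PointerToRawData=0x400 although the code sits at RVA 0x1000."""
    dos = bytearray(0x40); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 0x40)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)               # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)             # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)       # SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, 0x2000, 0x1000)      # SizeOfImage, SizeOfHeaders
    text = SECTION_HDR.pack(b".text", 0x100, 0x1000, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + PE_SIG + file_hdr + bytes(opt) + text).ljust(0x1000, b"\0")
    return b"JUNK" * 16 + headers + (b"\x90" * 0x100).ljust(0x1000, b"\0") + b"\xcc" * 32

if __name__ == "__main__":
    dump = build_sample_dump()
    for off in find_pe_images(dump):
        fixed = fix_dumped_pe(carve_image(dump, off))
        print(hex(off), section_table(fixed), alignments(fixed))
```

On a real dump, replace build_sample_dump() with the bytes read from the region at 35000000. The fix only works if the headers are still present in memory; a loader that erases or overwrites the PE header after mapping leaves nothing to rewrite, and the section table then has to be reconstructed by hand.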
Windows API:
LoadLibrary
GetProcAddress
Task terminate list:
Processes whose names contain any of these keywords are terminated:
virtual vmcomp vmwp veeam backup backup xchange sql dbeng sofos calc ekrn zoolz encsvc excel firefoxconfig infopath msaccess mspub mydesktop ocautoupds ocomm ocssd onenote oracle outlook powerpnt sqbcoreservice steam synctime tbirdconfig thebat thunderbird visio word xfssvccon tmlisten pccntmon cntaosmgr ntrtscan mbamtray
Windows API:
CreateToolhelp32Snapshot
Process32First
Process32Next
ShellExecute
Service terminate list:
Services whose names contain any of these keywords are stopped:
boot vmcomp vmwp veeam Back xchange ackup acronis sql Enterprise Sophos Veeam AcrSch Antivirus Antivirus bedbg DCAgent EPSecurity EPUpdate Eraser EsgShKernel FA_Scheduler IISAdmin IMAP4 MBAM Endpoint Afee McShield task mfemms mfevtp mms MsDts Exchange ntrt PDVF POP3 Report RESvc sacsvr SAVAdmin SamS SDRSVC SepMaster Monitor Smcinst SmcService SMTP SNAC swi_ CCSF TrueKey tmlisten UI0Detect W3S WRSVC NetMsmq ekrn EhttpSrv ESHASRV AVP klnagent wbengine KAVF mfefire
Windows API:
OpenSCManager
EnumServicesStatus
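The two kill lists above are substring matches, so keywords like sql, word and calc hit far more than the backup and security tools the author of the sample presumably aimed at. The following added example (not code from the original notes or from the sample) applies both lists to a constructed process and service snapshot and reports which keyword caused each hit. Whether the sample lower-cases names before comparing is not stated in the notes; the example assumes a case-insensitive comparison and marks that assumption.

```python
# Added example, not part of the original notes: which processes and services
# on a host would the sample's kill loop hit, and which keyword is responsible.
# The keyword lists are the ones from the notes; the snapshot is constructed.
# Assumption (not stated in the notes): case-insensitive substring match.

PROCESS_KEYWORDS = list(dict.fromkeys(
    "virtual vmcomp vmwp veeam backup backup xchange sql dbeng sofos calc ekrn "
    "zoolz encsvc excel firefoxconfig infopath msaccess mspub mydesktop "
    "ocautoupds ocomm ocssd onenote oracle outlook powerpnt sqbcoreservice "
    "steam synctime tbirdconfig thebat thunderbird visio word xfssvccon "
    "tmlisten pccntmon cntaosmgr ntrtscan mbamtray".split()))

SERVICE_KEYWORDS = list(dict.fromkeys(
    "boot vmcomp vmwp veeam Back xchange ackup acronis sql Enterprise Sophos "
    "Veeam AcrSch Antivirus Antivirus bedbg DCAgent EPSecurity EPUpdate Eraser "
    "EsgShKernel FA_Scheduler IISAdmin IMAP4 MBAM Endpoint Afee McShield task "
    "mfemms mfevtp mms MsDts Exchange ntrt PDVF POP3 Report RESvc sacsvr "
    "SAVAdmin SamS SDRSVC SepMaster Monitor Smcinst SmcService SMTP SNAC swi_ "
    "CCSF TrueKey tmlisten UI0Detect W3S WRSVC NetMsmq ekrn EhttpSrv ESHASRV "
    "AVP klnagent wbengine KAVF mfefire".split()))

def first_keyword_hit(name, keywords):
    """First keyword (in list order) that is a substring of name, else None."""
    lowered = name.lower()          # assumption: comparison is case-insensitive
    for kw in keywords:
        if kw.lower() in lowered:
            return kw
    return None

def doomed_processes(process_names):
    """Map each process name the sample would taskkill to the keyword that matched."""
    hits = {}
    for name in process_names:
        kw = first_keyword_hit(name, PROCESS_KEYWORDS)
        if kw is not None:
            hits[name] = kw
    return hits

def doomed_services(service_names):
    """Map each service name the sample would net stop to the keyword that matched."""
    hits = {}
    for name in service_names:
        kw = first_keyword_hit(name, SERVICE_KEYWORDS)
        if kw is not None:
            hits[name] = kw
    return hits

# Constructed snapshot, in the shape of what Process32Next / EnumServicesStatus return.
SAMPLE_PROCESSES = [
    "explorer.exe", "notepad.exe", "winword.exe", "sqlservr.exe", "vmwp.exe",
    "calc.exe", "VirtualBox.exe", "veeam.backup.service.exe", "chrome.exe",
    "mbamtray.exe", "lsass.exe",
]
SAMPLE_SERVICES = [
    "Spooler", "wuauserv", "SQLWriter", "vmcompute", "VeeamDeploySvc",
    "MBAMService", "SepMasterService", "wbengine", "EventLog", "Dhcp",
]

if __name__ == "__main__":
    for name, kw in doomed_processes(SAMPLE_PROCESSES).items():
        print(f"taskkill target {name:28} matched by '{kw}'")
    for name, kw in doomed_services(SAMPLE_SERVICES).items():
        print(f"net stop target {name:28} matched by '{kw}'")
```

Feeding a real host's tasklist and sc query output through the two functions gives the blast radius before the sample is allowed to run in a sandbox, and shows why the notes list winword, excel and calc alongside backup software: the matching is on fragments, not full names.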
Delete shadow copy:
Windows API:
WinExec
Enable drive access to every user
This is done by executing icacls.exe:
icacls "<Logical Drives>\*" /grant Everyone:F /T /C /Q
Windows API:
GetLogicalDrives
CreateProcess
List of commands executed:
taskkill /IM <taskname> /F
net stop <services> /y
cmd.exe /c "WMIC.exe shadowcopy delete"
cmd.exe /c "vssadmin.exe Delete Shadows /all /quiet"
cmd.exe /c "bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures"
icacls "<Logical Drives>\*" /grant Everyone:F /T /C /Q
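The command list above is the most useful detection surface in these notes, because every entry shows up verbatim in process-creation telemetry. The following added example (not code from the original notes) runs a small rule set over constructed records in the shape of Windows Security 4688 / Sysmon Event ID 1 command lines. Shadow-copy deletion, the bcdedit changes and the icacls grant are treated as high confidence on their own; taskkill /F and net stop are routine admin activity and only raise the verdict when both appear on the same host, which is what the sample's kill loop produces. The rule names, the verdict tiers and the sample events are the example's own.

```python
import re
from collections import defaultdict

# Added example, not part of the original notes: flag the listed command lines
# in process-creation telemetry. Event records below are constructed.

HIGH_CONFIDENCE = {
    "shadow_delete_vssadmin":  re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "shadow_delete_wmic":      re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "bcdedit_recovery_off":    re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no", re.I),
    "bcdedit_ignore_failures": re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures", re.I),
    "icacls_everyone_full":    re.compile(r"icacls(\.exe)?\s+.*/grant\s+everyone:f\b", re.I),
}
# Routine on their own; only meaningful in combination (the sample's kill loop).
LOW_CONFIDENCE = {
    "taskkill_force": re.compile(r"\btaskkill(\.exe)?\s+.*/f\b", re.I),
    "net_stop":       re.compile(r"\bnet1?(\.exe)?\s+stop\s+", re.I),   # net spawns net1
}

def match_rules(cmdline):
    """Names of every rule whose pattern occurs in the command line."""
    hits = []
    for name, rx in list(HIGH_CONFIDENCE.items()) + list(LOW_CONFIDENCE.items()):
        if rx.search(cmdline):
            hits.append(name)
    return hits

def triage(events):
    """Group rule hits per host and return (verdict per host, sorted hits per host).
    'high': any high-confidence command ran; 'medium': both taskkill /F and
    net stop seen on the host; 'none': nothing of interest."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["host"]].update(match_rules(ev["cmdline"]))
    verdicts = {}
    for host, hits in per_host.items():
        if hits & set(HIGH_CONFIDENCE):
            verdicts[host] = "high"
        elif {"taskkill_force", "net_stop"} <= hits:
            verdicts[host] = "medium"
        else:
            verdicts[host] = "none"
    return verdicts, {h: sorted(r) for h, r in per_host.items()}

# Constructed events: ws01 reproduces the sample's sequence, admin01 is a
# single benign taskkill, srv02 is an admin stopping a service and a process.
SAMPLE_EVENTS = [
    {"host": "ws01", "cmdline": "taskkill /IM sqlservr.exe /F"},
    {"host": "ws01", "cmdline": 'net stop "SQLWriter" /y'},
    {"host": "ws01", "cmdline": 'cmd.exe /c "WMIC.exe shadowcopy delete"'},
    {"host": "ws01", "cmdline": 'cmd.exe /c "vssadmin.exe Delete Shadows /all /quiet"'},
    {"host": "ws01", "cmdline": 'cmd.exe /c "bcdedit /set {default} recoveryenabled No & '
                                'bcdedit /set {default} bootstatuspolicy ignoreallfailures"'},
    {"host": "ws01", "cmdline": 'icacls "C:\\*" /grant Everyone:F /T /C /Q'},
    {"host": "admin01", "cmdline": "taskkill /IM notepad.exe /F"},
    {"host": "srv02", "cmdline": "net stop spooler /y"},
    {"host": "srv02", "cmdline": "taskkill /IM excel.exe /F"},
    {"host": "srv02", "cmdline": "vssadmin list shadows"},
]

if __name__ == "__main__":
    verdicts, hits = triage(SAMPLE_EVENTS)
    for host in verdicts:
        print(f"{host:8} {verdicts[host]:6} {hits[host]}")
```

Because the sample wraps most commands in cmd.exe /c, the child process's own 4688 record carries the inner command; the patterns use search() rather than match() so either form is caught.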
File Encryption
ReadFile -> CryptEncrypt -> SetFilePointer -> WriteFile
Wake-On-LAN feature to open and encrypt remote drives
The sample tries to identify hosts on the LAN with an ARP ping scan that enumerates the common private IP ranges. This step runs in a newly spawned process named <random strings>lan.exe.
Files whose names contain any of the following (in upper case as well) are excluded: dll ntldr exe .ini .lnk bootmgr boot NTDETECT RyukReadMe.html
The following folders are also excluded: mozilla chrome \Windows\ programfiles
Ransom note
RyukReadMe.html