Ryuk Update - HHS.gov · 2020. 7. 7.

Ryuk Update 01/30/2020
Report #: 202001301000


Agenda

TLP: WHITE, ID# 202001301000

• Overview
• Functionality
• Shifting Attribution
• Blacklisting capabilities – Further attribution
• Threat Actors
• Historic Activity
• Emotet => TrickBot => Ryuk delivery
• Ransom Demands
• Prominent Ryuk Activity and Alerts in the Last Year
• Ryuk Defense and Mitigations
• Indicators of Compromise (IOCs)
• References
• Questions

Slides Key
• Non-Technical: managerial, strategic and high-level (general audience)
• Technical: tactical / IOCs requiring in-depth knowledge (sysadmins, IRT)

Overview

• Ryuk
  • Ransomware
  • First identified in 2018
  • Initially thought to be Hermes
• Modified version of Hermes 2.1
  • Similar code
  • Similar functionality
• Likely utilized by Russian criminal groups
  • Originally attributed to North Korea
• Often deployed with other weapons
  • TrickBot
  • Emotet
• Used against big targets (big game hunting)
• Known for high ransom demands
• Encryption scheme built for small-scale operations
• Why the name "Ryuk"?
  • Fictional character in the Japanese comic book series Death Note

First public disclosure of Ryuk (source: Twitter.com)
Photo credit: http://www.rayphillips.co.uk
Image courtesy of Bleeping Computer

Functionality

• Establishes persistence by modifying the registry
• Injects itself into running processes
• Encrypts files using RSA-2048 and AES-256
• Can download additional exploitation tools
• Can steal credentials
• In one case the ransomware appears to have used unsecured or brute-forced Remote Desktop Protocol (RDP) to gain access
• Stores keys in the executable using the proprietary Microsoft SIMPLEBLOB format
• Capable of targeting beyond immediate system devices: encrypts network-connected devices, mounted devices and remote hosts
• Conceals its tracks - deletes many files related to the intrusion, making it challenging to identify the infection vector
• Most recently: Wake-on-LAN allows for the targeting of systems that are in standby/sleep mode and that it would otherwise have no ability to reach, and ARP pinging allows for the identification of more systems on a network

Image source: Bankinfosecurity.com
Image source: Reactionary Times
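The key storage point above refers to Microsoft CryptoAPI key blobs: every exported key starts with a BLOBHEADER, a SIMPLEBLOB carries a session key (here AES-256) wrapped with an RSA key-exchange key, and a PUBLICKEYBLOB carries the RSA public key itself. The following Python is an added analyst-side example, not HC3's code and not code from any Ryuk sample; it decodes those three layouts and carves PUBLICKEYBLOBs out of a byte buffer, which is how one would locate a public key stored in an executable. The constants are the documented wincrypt.h values; the blobs it parses are constructed inside the block, so the modulus and wrapped-key bytes are made up.

```python
"""Decode Microsoft CryptoAPI key blobs: BLOBHEADER, SIMPLEBLOB, PUBLICKEYBLOB.

Added analyst example, not HC3's code and not code from any Ryuk sample.
Constants are the documented wincrypt.h values; every blob parsed below is
constructed in this file, so the modulus and wrapped-key bytes are made up.
"""
import struct

# BLOBHEADER.bType values (wincrypt.h)
BLOB_TYPES = {0x01: "SIMPLEBLOB", 0x06: "PUBLICKEYBLOB",
              0x07: "PRIVATEKEYBLOB", 0x08: "PLAINTEXTKEYBLOB"}
# ALG_ID values (wincrypt.h)
ALG_IDS = {0x6610: "CALG_AES_256", 0x660F: "CALG_AES_192", 0x660E: "CALG_AES_128",
           0xA400: "CALG_RSA_KEYX", 0x2400: "CALG_RSA_SIGN"}
CALG_AES_256, CALG_RSA_KEYX = 0x6610, 0xA400
RSA1_MAGIC = 0x31415352          # "RSA1" read as a little-endian DWORD
CUR_BLOB_VERSION = 2


def parse_blob_header(data):
    """Decode the 8-byte BLOBHEADER {bType, bVersion, reserved, aiKeyAlg}."""
    if len(data) < 8:
        raise ValueError("truncated BLOBHEADER")
    b_type, b_version, _reserved, key_alg = struct.unpack_from("<BBHI", data, 0)
    return {"type": BLOB_TYPES.get(b_type, "unknown(0x%02x)" % b_type),
            "version": b_version,
            "key_alg": ALG_IDS.get(key_alg, "unknown(0x%04x)" % key_alg)}


def parse_key_blob(data):
    """Parse a SIMPLEBLOB (wrapped session key) or a PUBLICKEYBLOB (RSA public key)."""
    info = parse_blob_header(data)
    body = data[8:]
    if info["type"] == "SIMPLEBLOB":
        # Body: ALG_ID of the key-exchange key that wrapped the session key,
        # then the wrapped session key (RSA-2048 wrapping gives 256 bytes).
        if len(body) < 4:
            raise ValueError("truncated SIMPLEBLOB")
        (wrap_alg,) = struct.unpack_from("<I", body, 0)
        info["wrapping_alg"] = ALG_IDS.get(wrap_alg, "unknown(0x%04x)" % wrap_alg)
        info["wrapped_key_len"] = len(body) - 4
        info["wrapping_key_bits"] = (len(body) - 4) * 8
    elif info["type"] == "PUBLICKEYBLOB":
        # Body: RSAPUBKEY {magic, bitlen, pubexp}, then the modulus, little-endian.
        if len(body) < 12:
            raise ValueError("truncated RSAPUBKEY")
        magic, bitlen, pubexp = struct.unpack_from("<III", body, 0)
        if magic != RSA1_MAGIC:
            raise ValueError("RSAPUBKEY magic is not RSA1")
        mod_len = bitlen // 8
        if len(body) < 12 + mod_len:
            raise ValueError("truncated modulus")
        info["bits"] = bitlen
        info["public_exponent"] = pubexp
        info["modulus"] = int.from_bytes(body[12:12 + mod_len], "little")
        info["blob_len"] = 8 + 12 + mod_len
    return info


# Signature of an exported RSA key-exchange public key: bType=PUBLICKEYBLOB,
# bVersion=2, reserved=0, aiKeyAlg=CALG_RSA_KEYX, followed by "RSA1".
PUBKEY_SIGNATURE = struct.pack("<BBHI", 0x06, CUR_BLOB_VERSION, 0, CALG_RSA_KEYX) + b"RSA1"


def carve_public_key_blobs(buf):
    """Locate and parse embedded RSA public key blobs in a byte buffer."""
    found = []
    pos = buf.find(PUBKEY_SIGNATURE)
    while pos != -1:
        try:
            found.append((pos, parse_key_blob(buf[pos:])))
        except ValueError:
            pass                                  # truncated or false positive
        pos = buf.find(PUBKEY_SIGNATURE, pos + 1)
    return found


# --- constructed sample blobs (made-up key material) ---
def build_public_key_blob(modulus, pubexp=65537, bits=2048):
    return (struct.pack("<BBHI", 0x06, CUR_BLOB_VERSION, 0, CALG_RSA_KEYX)
            + struct.pack("<III", RSA1_MAGIC, bits, pubexp)
            + modulus.to_bytes(bits // 8, "little"))


def build_simple_blob(wrapped_key, key_alg=CALG_AES_256):
    return (struct.pack("<BBHI", 0x01, CUR_BLOB_VERSION, 0, key_alg)
            + struct.pack("<I", CALG_RSA_KEYX) + wrapped_key)


SAMPLE_MODULUS = int.from_bytes(bytes(range(256)), "little")   # 2048-bit stand-in
SAMPLE_PUBKEY = build_public_key_blob(SAMPLE_MODULUS)
SAMPLE_SIMPLEBLOB = build_simple_blob(bytes([0xAB]) * 256)
SAMPLE_IMAGE = b"\x00" * 100 + SAMPLE_PUBKEY + b"\xff" * 40    # stand-in for a dump

if __name__ == "__main__":
    print(parse_key_blob(SAMPLE_SIMPLEBLOB))
    for offset, key in carve_public_key_blobs(SAMPLE_IMAGE):
        print("public key at offset %d: %d bits, e=%d"
              % (offset, key["bits"], key["public_exponent"]))
```

A 256-byte wrapped key in a SIMPLEBLOB is what a 2048-bit RSA key-exchange key produces, so the blob length alone corroborates the RSA-2048/AES-256 pairing described above; the carving signature is deliberately strict (header plus "RSA1") to keep false positives low when run over a whole process dump.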

Shifting Attribution

• Original attribution: North Korea
  • Hermes-related code
    • Similar call flows
    • Marker code is identical
  • Lazarus Group and APT 38 have a history of use
    • Targets: international banking / SWIFT
• Updated attribution: linked to Russian cyber criminal groups
  • CrowdStrike: medium-high confidence Ryuk is used by Russian threat actors
  • FireEye: "most likely hypothesis" is that Ryuk operators are Russian cybercriminals
  • Why?
    • Hermes has been seen for sale on the dark web
    • Files related to Ryuk were uploaded to a file-scanning website from a Russian IP
    • Does not work on systems with Russian, Ukrainian or Belarusian language enabled
• Use by various APTs and criminal group threat actors
  • CrowdStrike: Grim Spider
  • FireEye: TEMP.MixMaster

Source: Forbes

Shifting Attribution (continued)

• A comparison of the call flow diagrams of the encryption functions of Ryuk and Hermes
• Both instances of malware have similar code structure
• Both instances of malware have similar flow

Source: Checkpoint

Blacklisting Capabilities – Further Attribution

• June 2019: a new Ryuk variant was discovered which makes checks before encryption
• Ryuk will not encrypt systems on the subnets 10.30.4, 10.30.5, 10.30.6 or 10.31.32
• Ryuk will not encrypt systems whose computer name contains certain strings ("SPB", "Spb", "spb", "MSK", "Msk" and "msk")
• These blacklisting capabilities were likely added to avoid encrypting systems in Russia

Images courtesy of Bleeping Computer

Threat Actors

• FireEye: TEMP.MixMaster
  • "…financially-motivated activity that involves the interactive deployment of Ryuk ransomware following TrickBot malware infections"
  • Not concluded to be a single threat group
  • "…proven to be highly successful at soliciting large ransom payments from victim organizations"
• CrowdStrike: GRIM SPIDER
  • Cell of WIZARD SPIDER
    • Developer of TrickBot
    • Wizard Spider: cell of Mummy Spider (Emotet)

Source: Crowdstrike.com

Threat Actors (continued)

• Initial activity
  • August 2018 to January 2019: $4.7M USD in BTC acquired
  • Used in cyberattacks targeting various newspapers in December (slight delays in delivery but no significant operational impact)
    • San Diego Union-Tribune
    • Los Angeles Times and Tribune Publishing
      • Includes Chicago Tribune, New York Daily News, Baltimore Sun and Orlando Sentinel
  • Used to attack cloud hosting provider Data Resolution, Onslow Water and Sewer Authority in North Carolina, and an unnamed Canadian company that owns several restaurant chains
• Combining Ryuk with Emotet and TrickBot
  • "Along with Emotet, TrickBot has become one of the most versatile and dangerous pieces of modular malware hitting enterprise environments" – HelpNet Security
  • "Interactive deployment of ransomware" to conduct reconnaissance and ultimately "maximize their disruption of business operations" - FireEye

[Diagram: Emotet => TrickBot => Ryuk; system(s) encrypted, ransom demanded]

Emotet => TrickBot => Ryuk Delivery

Source: Kryptoslogic.com

Emotet => TrickBot => Ryuk Delivery (continued)

Another example of the workflow of Emotet, TrickBot and Ryuk when used together.

Ransom Demands

• Ryuk is known to be one of the most costly ransomware families
• According to Coveware, Ryuk payments are often 10 times more than those of its peers

Prominent Ryuk Activity and Alerts in the Last Year

• March 2019
  • IT systems for Jackson County, Georgia attacked. They paid $400,000 (most IT systems except website and 911 knocked down)
• April 2019
  • Stuart, Florida attacked with Ryuk
  • Imperial County, California refused to pay a $1.2M Ryuk ransom demand but suffered downtime
• May 2019
  • Disrupted operations of C.E. Niehoff & Co., a manufacturing firm
• June 2019
  • Key Biscayne, Florida attacked with Ryuk
  • Lake City, Florida paid ~$460K in Ryuk attack ransom
  • British GCHQ releases warning about global Ryuk campaign
  • Georgia's Administrative Office of the Courts attacked
• July 2019
  • La Porte County, Indiana attacked, paid $130,000 ransom
  • Chinese company Tencent releases report on Ryuk attacking targets in China
  • Coveware report notes dramatically increasing ransomware ransom demands, identifies Ryuk as one of the reasons
  • New Bedford, Massachusetts attacked. Refused to pay ransom and rebuilt
  • Several Louisiana school districts attacked with Ryuk

Prominent Ryuk Activity and Alerts in the Last Year (continued)

• August 2019
  • Rockville Centre school district (Long Island, New York) paid nearly $100,000 ransom for a Ryuk attack
• September 2019
  • Ryuk-related malware observed exfiltrating sensitive military and financial files
• October 2019
  • DCH Health System in Alabama was attacked, shut down and temporarily stopped admitting new non-emergency patients
• November 2019
  • Ransomware attack on Louisiana Office of Technology Services, likely Ryuk based on publicly released
  • Multinational Spanish security company Prosegur temporarily shut down its IT network after a Ryuk attack
  • Ryuk attack on Cadena SER (Spain's largest radio station)
  • Ryuk attack on T-System, a provider of end-to-end IT solutions for emergency and urgent healthcare providers; allegedly the infection spread to public segments such as their demilitarized zone, extranet and even their helpdesk
• December 2019
  • Ryuk used to attack the IT network of a federally regulated maritime facility
• January 2020
  • Ryuk used to attack several oil and gas facilities
  • Coveware again reports dramatically increasing ransomware demands, identifies Ryuk as one of the reasons


Ryuk Defense and Mitigations

• Provide social engineering and phishing training to employees [10.S.A] [1.M.D]
• Develop and maintain a policy on suspicious e-mails for end users. Ensure suspicious e-mails are reported [10.S.A] [10.M.A]
• Ensure emails originating from outside the organization are automatically marked before being received [1.S.A] [1.M.A]
• Apply applicable patches and updates immediately after testing. Develop and maintain a patching program if necessary [7.S.A] [7.M.D]
• Implement an Intrusion Detection System (IDS) [6.S.C] [6.M.C] [6.L.C]
• Implement spam filters at the email gateways [1.S.A] [1.M.A]
• Block suspicious IP addresses at the firewall [6.S.A] [6.M.A] [6.L.E]
• Implement whitelisting technology on appropriate assets to ensure that only authorized software is allowed to execute [2.S.A] [2.M.A] [2.L.E]
• Implement access control based on the principle of least privilege [3.S.A] [3.M.A] [3.L.C]
• Implement and maintain an anti-malware solution [2.S.A] [2.M.A] [2.L.D]
• Conduct system hardening to ensure proper configurations [7.S.A] [7.M.D]
• Disable the use of Remote Desktop Protocol (RDP) or, if absolutely needed, restrict its use applying the principle of least privilege and monitor/log its usage [7.S.A] [7.M.D]

We suggest contacting local law enforcement in the case of a cyberattack. Also, the FBI's Internet Crime Complaint Center (IC3) can be reached here: https://www.ic3.gov/complaint/default.aspx
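The last mitigation, restricting RDP and monitoring its usage, pairs with the functionality note that Ryuk operators have gained access through unsecured or brute-forced RDP. The following Python is an added example (not HC3's code) of what that monitoring can look like when applied to Windows Security events: successful RDP logons from anywhere other than an approved source are flagged, bursts of failed RDP logons from one source are flagged as password guessing, and a success from a guessing source is surfaced first. Event IDs 4624 (logon succeeded) and 4625 (logon failed) and LogonType 10 (RemoteInteractive, i.e. RDP) are the documented Windows values; the one-line record format, the sample records, the approved-source list and the thresholds are constructed assumptions for this example.

```python
"""Flag risky RDP use from Windows Security event records.

Added example supporting the "restrict RDP and monitor/log its usage"
mitigation; it is not HC3's code. Event IDs 4624 / 4625 and LogonType 10
(RemoteInteractive) are the documented Windows values. The simplified
one-line record format, the sample records, the approved-source list and
the thresholds are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

EVENT_LOGON_OK = 4624
EVENT_LOGON_FAIL = 4625
LOGON_TYPE_RDP = 10

# Assumed policy: RDP is only permitted from the jump host, and five or more
# failed RDP logons from one source inside two minutes is treated as guessing.
APPROVED_RDP_SOURCES = {"10.0.0.5"}
FAIL_THRESHOLD = 5
FAIL_WINDOW = timedelta(minutes=2)

# Constructed records: timestamp, then key=value fields taken from the event.
SAMPLE_LOG = """\
2020-01-30T08:50:00 EventID=4624 LogonType=10 Account=user3 SourceIP=192.0.2.44
2020-01-30T09:00:01 EventID=4624 LogonType=10 Account=admin1 SourceIP=10.0.0.5
2020-01-30T09:01:10 EventID=4625 LogonType=10 Account=administrator SourceIP=203.0.113.7
2020-01-30T09:01:25 EventID=4625 LogonType=10 Account=administrator SourceIP=203.0.113.7
2020-01-30T09:01:40 EventID=4625 LogonType=10 Account=administrator SourceIP=203.0.113.7
2020-01-30T09:01:55 EventID=4625 LogonType=10 Account=administrator SourceIP=203.0.113.7
2020-01-30T09:02:10 EventID=4625 LogonType=10 Account=administrator SourceIP=203.0.113.7
2020-01-30T09:02:25 EventID=4625 LogonType=10 Account=administrator SourceIP=203.0.113.7
2020-01-30T09:02:45 EventID=4624 LogonType=10 Account=administrator SourceIP=203.0.113.7
2020-01-30T09:05:00 EventID=4624 LogonType=2 Account=user2 SourceIP=10.0.0.20
2020-01-30T09:06:00 EventID=4625 LogonType=10 Account=svc_backup SourceIP=10.0.0.9
"""


def parse_event(line):
    """Turn one record into a dict with a typed time, EventID and LogonType."""
    ts, *fields = line.split()
    rec = {"time": datetime.fromisoformat(ts)}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    rec["EventID"] = int(rec["EventID"])
    rec["LogonType"] = int(rec["LogonType"])
    return rec


def parse_log(text):
    return [parse_event(line) for line in text.splitlines() if line.strip()]


def is_rdp(rec):
    return rec["LogonType"] == LOGON_TYPE_RDP


def unapproved_rdp_logons(events):
    """Successful RDP logons from any source other than the approved hosts."""
    return [e for e in events
            if e["EventID"] == EVENT_LOGON_OK and is_rdp(e)
            and e["SourceIP"] not in APPROVED_RDP_SOURCES]


def _failed_rdp_times(events):
    """Source IP -> sorted timestamps of failed RDP logons."""
    fails = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        if e["EventID"] == EVENT_LOGON_FAIL and is_rdp(e):
            fails[e["SourceIP"]].append(e["time"])
    return fails


def rdp_guessing_sources(events):
    """Source IP -> largest number of failed RDP logons seen inside FAIL_WINDOW."""
    flagged = {}
    for ip, times in _failed_rdp_times(events).items():
        start = 0
        for end in range(len(times)):          # sliding window over sorted times
            while times[end] - times[start] > FAIL_WINDOW:
                start += 1
            count = end - start + 1
            if count >= FAIL_THRESHOLD:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


def successes_after_guessing(events):
    """Highest priority: a successful RDP logon from a source that was guessing."""
    fails = _failed_rdp_times(events)
    guessing = rdp_guessing_sources(events)
    return [e for e in events
            if e["EventID"] == EVENT_LOGON_OK and is_rdp(e)
            and e["SourceIP"] in guessing
            and e["time"] > fails[e["SourceIP"]][0]]


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for e in successes_after_guessing(evts):
        print("CRITICAL: RDP success after guessing:", e["Account"], e["SourceIP"])
    print("guessing sources:", rdp_guessing_sources(evts))
    for e in unapproved_rdp_logons(evts):
        print("unapproved RDP logon:", e["Account"], e["SourceIP"])
```

Non-RDP logons (LogonType 2 in the sample) and a single isolated failure are ignored on purpose: the point of scoping to LogonType 10 is that the alert volume stays small enough to be reviewed by a sysadmin or IRT, which is what makes the "monitor/log its usage" mitigation actionable rather than a log that nobody reads.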

Indicators of Compromise (IOCs)

• Please note several things about the indicators of compromise (IOCs) on the following slides:
  • There is a significant quantity of IOCs related to Ryuk available on the public Internet. We have attempted to include as many as possible in this presentation; however, there may be some available to the public not included here.
  • Upon being released to the public, IOCs may become "burned", which is to say that the attackers will adjust their TTPs, weapons and infrastructure so that the public IOCs are no longer used.
  • There are instances of obsolete IOCs being reused, so any organization attempting to defend itself should consider all possibilities.
  • New IOCs are constantly being released, especially with a tool as prominent and frequently used as TrickBot. It is therefore incumbent upon any organization attempting to defend itself to remain vigilant, maintain situational awareness and be ever on the lookout for new IOCs to operationalize in its cyber defense infrastructure.

Indicators of Compromise

Command and control

474916850 4211591177 199227126250 68417310

1901457484 1377415118 24113161184 7218912441

18525138208 719410125 1972325085 741345113

18868208240 206130141255 9423220113 10527171234

24247181155 923816339 1901457484 1822532066

174105235178 7414016033 474916850 17222297179

18580148162 6531241133 6412817537

18111317230 14019054187 242272224

17410523382 24247181226 21318363245

71141298 46149182112 10311091118

2161836243 21332122246 241196970


Indicators of Compromise (Continued)

Hashes
• 1354ac0d5be0c8d03f4e3aba78d2223e
• 29340643ca2e6677c19e1d3bf351d654
• 5ac0f050f93f86e69026faea1fbb4450
• 86c314bc2dc37ba84f7364acd5108c2b
• 958c594909933d4c82e93c22850194aa
• c0202cf6aeab8437c638533d14563d35
• cb0c1248d3899358a375888bb4e8f3fe
• d348f536e214a47655af387408b4fca5
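Operationalizing IOCs, as the notes above ask, means matching them against the telemetry an organization already has. The following Python is an added example (not HC3's code) of that step: it pulls IP addresses and MD5 hashes out of mixed firewall and EDR log lines and intersects them with the indicator sets. The hashes are the eight listed above; the C2 addresses are placeholders from the RFC 5737 documentation ranges, to be replaced with the deck's own command-and-control list; the log lines and their firewall/EDR format are constructed for this example.

```python
"""Match Ryuk indicators against sample log lines.

Added example, not HC3's code. The MD5 set is the one listed on the IOC
slide; the C2 addresses are placeholders (RFC 5737 documentation ranges),
to be replaced with the deck's command-and-control list; the log lines and
their format are constructed for this example.
"""
import re

RYUK_MD5 = {
    "1354ac0d5be0c8d03f4e3aba78d2223e", "29340643ca2e6677c19e1d3bf351d654",
    "5ac0f050f93f86e69026faea1fbb4450", "86c314bc2dc37ba84f7364acd5108c2b",
    "958c594909933d4c82e93c22850194aa", "c0202cf6aeab8437c638533d14563d35",
    "cb0c1248d3899358a375888bb4e8f3fe", "d348f536e214a47655af387408b4fca5",
}
# Placeholder C2 addresses, not real indicators.
C2_PLACEHOLDER = {"198.51.100.23", "203.0.113.77"}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MD5_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")
HOST_RE = re.compile(r"\b(?:src|host)=(\S+)")

# Constructed firewall (fw01) and EDR (edr) records.
SAMPLE_LOG = """\
2020-01-30T10:12:03 fw01 ACCEPT src=10.20.3.14 dst=198.51.100.23 dport=443
2020-01-30T10:12:09 fw01 ACCEPT src=10.20.3.14 dst=203.0.113.5 dport=443
2020-01-30T10:13:40 edr host=WS-0142 event=process_create image=C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe md5=c0202cf6aeab8437c638533d14563d35
2020-01-30T10:14:02 edr host=WS-0142 event=process_create image=C:\\Windows\\System32\\notepad.exe md5=0123456789abcdef0123456789abcdef
2020-01-30T10:15:30 fw01 DENY src=10.20.3.14 dst=203.0.113.77 dport=447
"""


def extract_observables(line):
    """All IPv4 addresses and MD5-shaped tokens in one record (hashes lower-cased)."""
    ips = set(IPV4_RE.findall(line))
    hashes = {h.lower() for h in MD5_RE.findall(line)}
    return ips, hashes


def scan_lines(lines, c2=C2_PLACEHOLDER, hashes=RYUK_MD5):
    """Return one hit per (record, indicator) pair, in record order."""
    hits = []
    for number, line in enumerate(lines, 1):
        ips, md5s = extract_observables(line)
        for ip in sorted(ips & c2):
            hits.append({"line": number, "kind": "c2_ip", "value": ip, "record": line})
        for h in sorted(md5s & hashes):
            hits.append({"line": number, "kind": "md5", "value": h, "record": line})
    return hits


def scan_text(text, **kwargs):
    return scan_lines([l for l in text.splitlines() if l.strip()], **kwargs)


def summarize(hits):
    """Count hits by indicator kind."""
    counts = {}
    for h in hits:
        counts[h["kind"]] = counts.get(h["kind"], 0) + 1
    return counts


def affected_hosts(hits):
    """Internal sources (src= / host=) that appear in matching records."""
    hosts = set()
    for h in hits:
        m = HOST_RE.search(h["record"])
        if m:
            hosts.add(m.group(1))
    return hosts


if __name__ == "__main__":
    found = scan_text(SAMPLE_LOG)
    for h in found:
        print("line %d: %s %s" % (h["line"], h["kind"], h["value"]))
    print("summary:", summarize(found))
    print("hosts to triage:", sorted(affected_hosts(found)))
```

A denied connection (the DENY record) still counts as a hit: a blocked outbound attempt to a known C2 address tells the responder which internal host is already running something that wants to call home, which matters more than the fact that the firewall did its job.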

Reference Materials

References

• Ryuk Ransomware: Exploring the Technical and Human Connections
  https://www.coveware.com/blog/2019/2/19/ryuk-ransomware-exploring-the-technical-and-human-connections
• 2017 Cylance Threat Report
  https://pages.cylance.com/2018-03CylanceThreatReport2017.html
• 2018 Global Threat Report: Blurring the Lines Between Statecraft and Tradecraft, CrowdStrike
  https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2018GlobalThreatReport.pdf
• TEMP.MixMaster group infects with Trickbot and delayed Ryuk ransomware combo
  https://www.scmagazine.com/home/security-news/financially-motivated-threat-actors-referred-to-as-temp-mixmaster-are-infecting-victims-with-trickbot-malware-before-deploying-the-infamous-ryuk-ransomware/
• Ryuk ransomware linked to Emotet and TrickBot trojans; suspicions shift to cybercriminal group
  https://www.scmagazine.com/home/security-news/ryuk-ransomware-linked-to-emotet-and-trickbot-trojans-suspicions-shift-to-cybercriminal-group/
• Ryuk ransomware earns hackers $3.7M in Bitcoin over 5 months - 52 known ransom transactions were recorded, the highest worth 99 BTC
  https://thenextweb.com/hardfork/2019/01/14/ryuk-bitcoin-ransomware/
• Ryuk Ransomware Crew Makes $640,000 in Recent Activity Surge
  https://www.bleepingcomputer.com/news/security/ryuk-ransomware-crew-makes-640-000-in-recent-activity-surge/
• Ryuk ransomware gang probably Russian, not North Korean
  https://www.zdnet.com/article/ryuk-ransomware-gang-probably-russian-not-north-korean/
• Cloud Hosting Provider Dataresolution.net Hit by Ryuk Ransomware
  https://www.securitysw.com/blog/cloud-hosting-provider-dataresolution-net-hit-by-ryuk-ransomware
• Trojan.TrickBot
  https://blog.malwarebytes.com/detections/trojan-trickbot/
• TrickBot Banking Trojan Takes Center Stage in 2018
  https://blog.barkly.com/trickbot-trojan-2018-campaigns
• HHS HCCIC cybersecurity alert: New Ryuk ransomware quickly racking up damage
  https://www.healthcareitnews.com/news/hhs-hccic-cybersecurity-alert-new-ryuk-ransomware-quickly-racking-damage
• Notorious Ryuk Ransomware Adds Trojans to Cyberattack Method
  https://healthitsecurity.com/news/notorious-ryuk-ransomware-adds-trojans-to-cyberattack-method
• Emotet re-emerges after the holidays
  https://blog.talosintelligence.com/2019/01/return-of-emotet.html
• The Unholy Alliance of Emotet, TrickBot and the Ryuk Ransomware
  https://duo.com/decipher/the-unholy-alliance-of-emotet-trickbot-and-the-ryuk-ransomware
• Cybercrime and Other Threats Faced by the Healthcare Industry
  https://www.trendmicro.com/content/dam/trendmicro/global/en/security-intelligence/research/reports/wp-cybercrime-&-other-threats-faced-by-the-healthcare-industry.pdf
• Ryuk ransomware targets big businesses: New ransomware group waits and gathers intel before attacking large enterprises
  https://www.techradar.com/news/ryuk-ransomware-targets-big-businesses
• Computer virus hits newspapers coast-to-coast
  https://www.nbcnews.com/news/us-news/computer-virus-hits-southern-california-newspapers-n953001
• Ryuk Ransomware: A Targeted Campaign Break-Down, Check Point Research
  https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/
• United States Department of Homeland Security, Cybersecurity and Infrastructure Security Agency, Alert (TA18-201A): Emotet Malware
  https://www.us-cert.gov/ncas/alerts/TA18-201A
• Research Suggests Russian-Based Hackers Behind Ryuk Ransomware's $2.5 Million Gains
  https://finance.yahoo.com/news/research-suggests-russian-based-hackers-131700487.html
• Long Island Ransomware Attack: New York School Pays $100,000
  https://www.msspalert.com/cybersecurity-breaches-and-attacks/ransomware/ryuk-hits-rockville-centre/
• Ransomware hits computer networks of North Carolina water utility, CyberScoop
  https://www.cyberscoop.com/ransomware-hits-onwasa-computer-network-north-carolina-water-utility/
• Media Release: Cyber-Criminals Target Critical Utility in Hurricane-Ravaged Area, Onslow Water and Sewer Authority
  https://www.onwasa.com/DocumentCenter/View/3701/Scan-from-2018-10-15-08_08_13-A
• Origin of virus that hobbled newspapers still unclear - The origins of a suspected computer attack that disrupted the Los Angeles Times and Tribune Publishing newspapers remain unclear
  https://abcnews.go.com/US/wireStory/origin-virus-hobbled-newspapers-unclear-60083516
• Meet CrowdStrike's Adversary of the Month for February: MUMMY SPIDER, February 8, 2018
  https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-february-mummy-spider/
• North Korea APT(?) and recent Ryuk Ransomware attacks
  https://blog.kryptoslogic.com/malware/2019/01/10/dprk-emotet.html
• US Coast Guard Warns Over Ryuk Ransomware Attacks
  https://www.bankinfosecurity.com/us-coast-guard-warns-over-ryuk-ransomware-attacks-a-13563
• Georgia county pays a whopping $400,000 to get rid of a ransomware infection
  https://www.zdnet.com/article/georgia-county-pays-a-whopping-400000-to-get-rid-of-a-ransomware-infection/
• Information on the LockerGoga and Ryuk ransomware (CERT-FR, in French)
  https://www.cert.ssi.gouv.fr/uploads/CERTFR-2019-ACT-005.pdf
• Cybereason Researchers Discover a Triple Threat Attack Utilizing Emotet to Deploy TrickBot, Which Steals Data and Spreads Ryuk Ransomware
  https://www.benzinga.com/pressreleases/19/04/p13470755/cybereason-researchers-discover-a-triple-threat-attack-utilizing-emote
• Ryuk Ransomware Adds IP and Computer Name Blacklisting
  https://www.bleepingcomputer.com/news/security/ryuk-ransomware-adds-ip-and-computer-name-blacklisting/
• US Coast Guard - Marine Safety Information Bulletin
  https://www.dco.uscg.mil/Portals/9/DCO%20Documents/5p/MSIB/2019/MSIB_10_19.pdf
• Wizard Spider Upgrades Ryuk Ransomware to Reach Deep into LANs
  https://threatpost.com/wizard-spider-upgrades-ryuk-ransomware/149853/
• US Coast Guard Says Ryuk Ransomware Took Down Maritime Facility
  https://www.bleepingcomputer.com/news/security/us-coast-guard-says-ryuk-ransomware-took-down-maritime-facility/
• Mistaken For North Koreans, The Ryuk Ransomware Hackers Are Making Millions
  https://www.forbes.com/sites/thomasbrewster/2019/02/20/mistaken-for-north-koreans-the-ryuk-ransomware-hackers-are-making-millions/#6d47034775f4
• Stuart's city hall ransomware attack more than likely caused by phishing email scam
  https://www.tcpalm.com/story/news/local/martin-county/2019/04/22/city-halls-ransomware-attack-may-linked-phishing-email-scam-ryuk/3540067002/
• 7 Florida municipalities have fallen prey to cyber attacks since last year
  https://www.naplesnews.com/story/news/crime/2019/08/20/7-florida-municipalities-have-fallen-prey-cyber-attacks-ryuk-ransomware-phishing/2065063001/
• Tampa Bay Times hit with Ryuk ransomware attack
  https://blog.malwarebytes.com/ransomware/2020/01/tampa-bay-times-hit-with-ryuk-ransomware-attack/
• Cyber attack: Virus Ryuk disrupts The Watertown Daily Times Sunday paper delivery
  https://www.ibtimes.sg/cyber-attack-virus-ryuk-disrupts-watertown-daily-times-sunday-paper-delivery-30503
• How a Manufacturing Firm Recovered from a Devastating Ransomware Attack
  https://www.darkreading.com/attacks-breaches/how-a-manufacturing-firm-recovered-from-a-devastating-ransomware-attack/d/d-id/1334760
• Florida LAN: Someone clicks link, again giving Key Biscayne ransomware
  https://arstechnica.com/information-technology/2019/06/is-there-something-in-the-water-third-florida-city-hit-by-ransomware/
• New Warning on Ryuk Ransomware
  https://www.darkreading.com/document.asp?doc_id=1335101
• La Porte County Pays $130,000 Ransom To Ryuk Ransomware
  https://www.bleepingcomputer.com/news/security/la-porte-county-pays-130-000-ransom-to-ryuk-ransomware/
• China on Ryuk Virus alert: Deadly ransomware sneaks through the country's computer systems
  https://www.cryptopolitan.com/china-on-ryuk-virus-alert/
• Ryuk, Sodinokibi Ransomware Responsible for Higher Average Ransoms
  https://www.bleepingcomputer.com/news/security/ryuk-sodinokibi-ransomware-responsible-for-higher-average-ransoms/
• Ryuk Related Malware Steals Confidential Military, Financial Files
  https://www.bleepingcomputer.com/news/security/ryuk-related-malware-steals-confidential-military-financial-files/
• Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware
  https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/
• Rolling back Ryuk Ransomware
  https://news.sophos.com/en-us/2019/10/04/rolling-back-ryuk-ransomware/
• DCH Hospital Pays Ryuk Ransomware for Decryption Key
  https://www.bleepingcomputer.com/news/security/dch-hospital-pays-ryuk-ransomware-for-decryption-key/
• Louisiana was hit by Ryuk, triggering another cyber-emergency
  https://arstechnica.com/information-technology/2019/11/louisiana-was-hit-by-ryuk-triggering-another-cyber-emergency/
• Security firm Prosegur: We've shut our IT network after Ryuk ransomware attack
  https://www.zdnet.com/article/security-firm-prosegur-weve-shut-our-it-network-after-ryuk-ransomware-attack/
• Cash-moving giant Prosegur knocked offline by Ryuk ransomware
  https://www.csoonline.com/article/3504492/cash-moving-giant-prosegur-knocked-offline-by-ryuk-ransomware.html
• New ransomware rakes in $4 million by adopting a "big game hunting" strategy: Ryuk lies in wait for as long as a year, then pounces on only the biggest prey
  https://arstechnica.com/information-technology/2019/01/new-ransomware-rakes-in-4-million-by-adopting-a-big-game-hunting-strategy/
• A Nasty Trick: From Credential Theft Malware to Business Disruption
  https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html
• Hackers Demand Bitcoin Ransom in Cyberattack on Big Canadian Restaurants
  https://www.cbc.ca/news/business/ransomware-hack-recipe-unlimited-restaurant-cyberattack-1.4847487
• Ryuk Ransomware Is Making Victims Left and Right
  https://www.bleepingcomputer.com/news/security/ryuk-ransomware-is-making-victims-left-and-right/
• Ryuk: Cult Character to Ransomware Villain
  https://securityboulevard.com/2019/12/ryuk-cult-character-to-ransomware-villain/
• Hermes ransomware distributed to South Koreans via recent Flash zero-day
  https://blog.malwarebytes.com/threat-analysis/2018/03/hermes-ransomware-distributed-to-south-koreans-via-recent-flash-zero-day/

Questions

Upcoming Briefs
• Artificial Intelligence – Application to the Healthcare Industry
• Electronic Health Record systems
• PyXie RAT

Product Evaluations
Recipients of this and other Healthcare Sector Cybersecurity Coordination Center (HC3) Threat Intelligence products are highly encouraged to provide feedback to HC3@HHS.GOV.

Requests for Information
Need information on a specific cybersecurity topic? Send your request for information (RFI) to HC3@HHS.GOV or call us Monday-Friday between 9am-5pm (EST) at (202) 691-2110.

About Us

HC3 works with private and public sector partners to improve cybersecurity throughout the Healthcare and Public Health (HPH) Sector.

Products
• Sector & Victim Notifications: Directed communications to victims or potential victims of compromises, vulnerable equipment or PII/PHI theft, and general notifications to the HPH about currently impacting threats via the HHS OIG.
• White Papers: Document that provides in-depth information on a cybersecurity topic to increase comprehensive situational awareness and provide risk recommendations to a wide audience.
• Threat Briefings & Webinar: Briefing document and presentation that provides actionable information on health sector cybersecurity threats and mitigations. Analysts present current cybersecurity topics, engage in discussions with participants on current threats, and highlight best practices and mitigation tactics.

Need information on a specific cybersecurity topic or want to join our listserv? Send your request for information (RFI) to HC3@HHS.GOV or call us Monday-Friday between 9am-5pm (EST) at (202) 691-2110.

Contact
Health Sector Cybersecurity Coordination Center (HC3)
(202) 691-2110, HC3@HHS.GOV

Page 2: Ryuk Update - HHS.gov · 2020. 7. 7. · Internet. We have attempted to include as many as possible in this presentation. However, there may be some available to the public not included

Agenda

TLP WHITE ID 202001301000 2

bull Overview

bull Functionality

bull Shifting Attribution

bull Blacklisting capabilities ndash Further attribution

bull Threat Actors

bull Historic Activity

bull Emotet =gt TrickBot =gt Ryuk delivery

bull Ransom Demands

bull Prominent Ryuk Activity and Alerts in the Last Year

bull Ryuk Defense and Mitigations

bull Indicators of Compromise (IOCs)

bull References

bull QuestionsNon-Technical managerial strategic and high-level (general audience)

Technical Tactical IOCs requiring in-depth knowledge (sysadmins IRT)

Slides Key

Image courtesy of Bleeping Computer

3

bull Ryukbull Ransomware

bull First identified in 2018bull Initially thought to be Hermes

bull Modified version of Hermes 21bull Similar codebull Similar functionality

bull Likely utilized by Russian criminal groupsbull Originally attributed to North Korea

bull Often deployed with other weaponsbull TrickBotbull Emotet

bull Used against big targets (big game hunting)bull Known for high ransom remandsbull Encryption scheme built for small-scale operations

bull Why the name ldquoRyukrdquobull Fictional character in Japanese comic book series

Death Note

Overview

First public disclosure of Ryuk (source Twittercom)

Photo credit httpwwwrayphillipscouk

TLP WHITE ID 202001301000

4

bull Establishes persistence by modifying registrybull Injects itself into running processes bull Encrypts files using RSA-2048 and AES-256bull Can download additional exploitation toolsbull Can steal credentialsbull In one case the ransomware appears to have used

unsecured or brute forced Remote Desktop Protocols (RDPs) to gain access

bull Stores keys in the executable using the proprietary Microsoft SIMPLEBLOB format

bull Capable of targeting beyond immediate system devices Encrypts network-connected devices mounted devices and remote hosts

bull Conceals its tracks - deletes many files related to the intrusion makes it challenging to identify infection vector

bull Most recently Wake-on-LAN allows for the targeting of systems that are in standbysleep mode and it would otherwise have no ability to reach and ARP pinging allows for the identification of more systems on a network

Functionality

TLP WHITE ID 202001301000

Image source Bankinfosecuritycom

Image source Reactionary Times

5

bull Original attribution North Koreabull Hermes-related code

bull Similar call flowsbull Marker code is identicalbull Lazarus Group and APT 38 has history of use

bull Targets International bankingSWIFT

bull Updated attribution linked to Russian cyber criminal groupsbull CrowdStrike medium-high confidence Ryuk is used by

Russian threat actorsbull FireEye ldquomost likely hypothesisrdquo Ryuk operators are

Russian cybercriminalsbull Why

bull Hermes has been seen for sale on the dark web

bull Uploaded files related to Ryuk to file-scanning website from Russian IP

bull Does not work on systems with Russian Ukrainian or Belarusian language enabled

bull Use by various APTs and criminal group threat actorsbull CrowdStrike Grim Spiderbull FireEye TEMPMixmaster

Shifting Attribution

TLP WHITE ID 202001301000

Source Forbes

6

Shifting Attribution

TLP WHITE ID 202001301000

bull A comparison of call flow diagram of the encryption functions of Ryuk and Hermes

bull Both instances of malware have similar code structure

bull Both instances of malware have similar flow

Source Checkpoint

7

Blacklisting Capabilities ndash Further Attribution

TLP WHITE ID 202001301000

bull June 2019 a new Ryuk variant was discovered which makes checks before encryption

bull Ryuk will not encrypt systems on the subnets 10304 10305 10306 or 103132

bull Ryuk will not encrypt systems that contain certain strings (SPB Spb spb MSK Msk and mskldquo)

bull These blacklisting capabilities were likely added to avoid encrypting systems in Russia

Images courtesy of Bleeping Computer

8

Threat Actors

TLP WHITE ID 202001301000

bull FireEye TEMPMixMaster

bull ldquohellipfinancially-motivated activity that involves the interactive deployment of Ryuk ransomware following TrickBot malware infectionsrdquo

bull Not concluded to be a single threat group

bull ldquohellipproven to be highly successful at soliciting large ransom payments from victim organizationsrdquo

bull CrowdStrike GRIM SPIDER

bull cell of WIZARD SPIDER bull Developer of TrickBotbull Wizard Spider cell of

Mummy Spider (Emotet)

Source Crowdstrikecom

9

Threat Actors

TLP WHITE ID 202001301000

bull Initial activitybull August 2018 to Jan 2019 $47M USD in BTC acquiredbull Used in cyberattacks targeting various newspapers in December (slight delays in delivery but no

significant operational impact) bull San Diego Union-Tribunebull Los Angeles Times and Tribune Publishing

bull Includes Chicago Tribune New York Daily News Baltimore Sun and Orlando Sentinelbull Used to attack cloud hosting provider Data Resolution Onslow Water and Sewer Authority in North

Carolina and an unnamed Canadian company that owns several restaurant chains

bull Combining Ryuk with Emotet and TrickBot

bull ldquoAlong with Emotet TrickBot has become one of the most versatile and dangerous pieces of modular malware hitting enterprise environmentsrdquo ndash HelpNet Security

bull ldquoInteractive deployment of ransomwarerdquo to conduct reconnaissance and ultimately ldquomaximize their disruption of business operationsrdquo - FireEye

SYSTEM(S) ENCRYPTED RANSOM DEMANDEDEmotet TrickBot Ryuk

10

Emotet TrickBot Ryuk Delivery

TLP WHITE ID 202001301000

Source Kryptoslogiccom

11TLP WHITE ID 202001301000

Emotet TrickBot Ryuk DeliveryAnother example of the workflow of Emotet TrickBot and Ryuk when used together

12TLP WHITE ID 202001301000

Ransom Demands

• Ryuk is known to be one of the most costly ransomware families
• According to Coveware, Ryuk payments are often 10 times more than those of its peers

Prominent Ryuk Activity and Alerts in the Last Year

• March 2019
  • IT systems for Jackson County, Georgia attacked. They paid $400,000 (most IT systems except website and 911 knocked down)
• April 2019
  • Stuart, Florida attacked with Ryuk
  • Imperial County, California refused to pay $1.2M Ryuk ransom demand but suffered downtime
• May 2019
  • Disrupted operations of C.E. Niehoff & Co., a manufacturing firm
• June 2019
  • Key Biscayne, Florida attacked with Ryuk
  • Lake City, Florida paid ~$460K in Ryuk attack ransom
  • British GCHQ releases warning about global Ryuk campaign
  • Georgia's Administrative Office of the Courts attacked
• July 2019
  • La Porte County, Indiana attacked, paid $130,000 ransom
  • Chinese company Tencent releases report on Ryuk attacking targets in China
  • Coveware report notes dramatically increasing ransomware ransom demands, identifies Ryuk as one of the reasons
  • New Bedford, Massachusetts attacked. Refused to pay ransom and rebuilt
  • Several Louisiana school districts attacked with Ryuk

Prominent Ryuk Activity and Alerts in the Last Year

• August 2019
  • Rockville Centre school district (Long Island, New York) paid nearly $100,000 ransom for a Ryuk attack
• September 2019
  • Ryuk-related malware observed exfiltrating sensitive military and financial files
• October 2019
  • DCH Health System in Alabama was attacked, shut down and temporarily stopped admitting new non-emergency patients
• November 2019
  • Ransomware attack on Louisiana Office of Technology Services, likely Ryuk based on publicly-released
  • Multinational Spanish security company Prosegur temporarily shut down IT network after Ryuk attack
  • Ryuk attack on Cadena SER (Spain's largest radio station)
  • Ryuk attack on T-System, a provider of end-to-end IT solutions for emergency and urgent healthcare providers; allegedly the infection spread to public segments such as their demilitarized zone, extranet and even their helpdesk
• December 2019
  • Ryuk used to attack IT network of a federally regulated maritime facility
• January 2020
  • Ryuk used to attack several oil and gas facilities
  • Coveware again reports dramatically increasing ransomware demands, identifies Ryuk as one of the reasons

Ryuk Defense and Mitigations

• Provide social engineering and phishing training to employees [10.S.A] [1.M.D]
• Develop and maintain policy on suspicious e-mails for end users. Ensure suspicious e-mails are reported [10.S.A] [10.M.A]
• Ensure emails originating from outside the organization are automatically marked before received [1.S.A] [1.M.A]
• Apply applicable patches and updates immediately after testing. Develop and maintain patching program if necessary [7.S.A] [7.M.D]
• Implement Intrusion Detection System (IDS) [6.S.C] [6.M.C] [6.L.C]
• Implement spam filters at the email gateways [1.S.A] [1.M.A]
• Block suspicious IP addresses at the firewall [6.S.A] [6.M.A] [6.L.E]
• Implement whitelisting technology on appropriate assets to ensure that only authorized software is allowed to execute [2.S.A] [2.M.A] [2.L.E]
• Implement access control based on the principle of least privilege [3.S.A] [3.M.A] [3.L.C]
• Implement and maintain anti-malware solution [2.S.A] [2.M.A] [2.L.D]
• Conduct system hardening to ensure proper configurations [7.S.A] [7.M.D]
• Disable the use of Remote Desktop Protocol (RDP) or, if absolutely needed, restrict its use applying the principle of least privilege and monitor/log its usage [7.S.A] [7.M.D]

We suggest contacting local law enforcement in the case of a cyberattack. Also, the FBI's Internet Crime Complaint Center (IC3) can be reached here: https://www.ic3.gov/complaint/default.aspx

Indicators of Compromise (IOCs)

• Please note several things about the indicators of compromise (IOCs) on the following slides:
  • There is a significant quantity of indicators of compromise related to Ryuk available on the public Internet. We have attempted to include as many as possible in this presentation. However, there may be some available to the public not included here.
  • Upon being released to the public, IOCs may become "burned", which is to say that the attackers will adjust their TTPs, weapons and infrastructure so that the public IOCs are no longer used.
  • There are instances of obsolete IOCs being reused, so any organization attempting to defend itself should consider all possibilities.
  • New IOCs are constantly being released, especially with a tool as prominent and frequently used as TrickBot. It is therefore incumbent upon any organization attempting to defend itself to remain vigilant, maintain situational awareness and be ever on the lookout for new IOCs to operationalize in its cyber defense infrastructure.

Indicators of Compromise

Command and control

(List of command-and-control IP addresses omitted.)

Indicators of Compromise (Continued)

Hashes

(List of file hashes omitted.)
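Operationalizing an indicator set of this kind, as an added example that is not part of the HC3 deck: the script sweeps a firewall export and an EDR file inventory for C2 address and MD5 matches, reports each hit with the indicator's age so that possibly "burned" IOCs are visible rather than silently trusted, and ranks hosts for triage. The log format, host names, IP addresses, hashes and publication dates are all constructed placeholders, not the deck's indicators.

```python
"""Sweep a firewall export and a file inventory for Ryuk-style IOCs.
Added example, not part of the HC3 deck: every indicator, host name and
log line is a constructed placeholder; load the current published
indicator set before running this against real telemetry."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date

# Placeholder IOCs (RFC 5737 documentation addresses, a dummy MD5), each
# tagged with its notional publication date. Public IOCs are often "burned"
# soon after release, yet obsolete ones get reused, so every hit is
# reported together with the indicator's age rather than silently dropped.
C2_IPS: dict[str, date] = {
    "203.0.113.10": date(2019, 6, 1),
    "198.51.100.77": date(2020, 1, 15),
}
MALWARE_MD5: dict[str, date] = {"d41d8cd98f00b204e9800998ecf8427e": date(2019, 9, 20)}

# Constructed firewall export, one connection per line.
FIREWALL_LOG = """\
2020-01-28T10:02:11Z ALLOW src=10.20.30.4 dst=203.0.113.10 dport=443 proto=tcp
2020-01-28T10:02:15Z ALLOW src=10.20.30.4 dst=93.184.216.34 dport=443 proto=tcp
2020-01-28T10:05:40Z DENY src=10.20.30.9 dst=198.51.100.77 dport=8082 proto=tcp
2020-01-28T10:07:02Z ALLOW src=10.20.30.4 dst=198.51.100.77 dport=443 proto=tcp
malformed line that must be skipped rather than crash the sweep
"""

# Constructed EDR file inventory: host,path,md5 (hash case varies on purpose).
FILE_INVENTORY = """\
WS-0042,C:\\Users\\jdoe\\AppData\\Local\\Temp\\abc.exe,D41D8CD98F00B204E9800998ECF8427E
WS-0042,C:\\Windows\\System32\\notepad.exe,0123456789abcdef0123456789abcdef
SRV-FILE1,D:\\share\\invoice.docm,d41d8cd98f00b204e9800998ecf8427e
"""

FW_RE = re.compile(r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) src=(?P<src>\S+) "
                   r"dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


@dataclass(frozen=True)
class Hit:
    kind: str          # "c2_ip" or "md5"
    where: str         # internal host name or source IP
    indicator: str     # the IOC that matched
    detail: str        # timestamp/action/port, or file path
    ioc_age_days: int  # days between IOC publication and the sweep


def parse_firewall_line(line: str) -> dict[str, str] | None:
    """Fields of one firewall line, or None when the line does not parse."""
    m = FW_RE.match(line)
    return m.groupdict() if m else None


def sweep_firewall(log: str, c2: dict[str, date], today: date) -> list[Hit]:
    """Flag every connection to a known C2 address. DENY lines count too:
    a blocked beacon still identifies an infected internal host."""
    hits = []
    for line in log.splitlines():
        rec = parse_firewall_line(line)
        if rec and rec["dst"] in c2:
            detail = f'{rec["ts"]} {rec["action"]} dport={rec["dport"]}'
            hits.append(Hit("c2_ip", rec["src"], rec["dst"], detail,
                            (today - c2[rec["dst"]]).days))
    return hits


def sweep_hashes(inventory: str, bad: dict[str, date], today: date) -> list[Hit]:
    """Flag every inventoried file whose MD5 is listed (case-insensitive)."""
    hits = []
    for line in inventory.splitlines():
        parts = line.split(",")
        if len(parts) != 3:
            continue
        host, path, md5 = parts[0], parts[1], parts[2].strip().lower()
        if md5 in bad:
            hits.append(Hit("md5", host, md5, path, (today - bad[md5]).days))
    return hits


def hosts_by_priority(hits: list[Hit]) -> list[tuple[str, int]]:
    """Rank hosts by hit count; a host with both a C2 beacon and a known-bad
    file is the first place to look for the TrickBot foothold that
    precedes a Ryuk deployment."""
    counts: dict[str, int] = {}
    for h in hits:
        counts[h.where] = counts.get(h.where, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def run(today: date = date(2020, 1, 30)) -> list[Hit]:
    """Sweep both constructed data sets; `today` defaults to the deck's date."""
    return (sweep_firewall(FIREWALL_LOG, C2_IPS, today)
            + sweep_hashes(FILE_INVENTORY, MALWARE_MD5, today))


if __name__ == "__main__":
    results = run()
    for h in results:
        stale = " (IOC older than 90 days: corroborate before acting)" if h.ioc_age_days > 90 else ""
        print(f"[{h.kind}] {h.where}: {h.indicator} ({h.detail}), age {h.ioc_age_days}d{stale}")
    print("Hosts to triage first:", hosts_by_priority(results))
```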

Reference Materials

References

• Ryuk Ransomware: Exploring the Technical and Human Connections
  httpswwwcovewarecomblog2019219ryuk-ransomware-exploring-the-technical-and-human-connections
• 2017 Cylance Threat Report
  httpspagescylancecom2018-03CylanceThreatReport2017html
• 2018 Global Threat Report: Blurring the Lines Between Statecraft and Tradecraft, Crowdstrike
  httpsgocrowdstrikecomrs281-OBQ-266imagesReport2018GlobalThreatReportpdf
• TEMP.MixMaster group infects with Trickbot and delayed Ryuk ransomware combo
  httpswwwscmagazinecomhomesecurity-newsfinancially-motivated-threat-actorsreferred-to-as-temp-mixmaster-are-infecting-victims-with-trickbot-malware-before-deploying-the-infamous-ryuk-ransomware
• Ryuk ransomware linked to Emotet and TrickBot trojans; suspicions shift to cybercriminal group
  httpswwwscmagazinecomhomesecurity-newsryuk-ransomware-linked-to-emotet-and-trickbot-trojans-suspicions-shift-to-cybercriminal-group
• Ryuk ransomware earns hackers $3.7M in Bitcoin over 5 months - 52 known ransom transactions were recorded, the highest worth 99 BTC
  httpsthenextwebcomhardfork20190114ryuk-bitcoin-ransomware
• Ryuk Ransomware Crew Makes $640,000 in Recent Activity Surge
  httpswwwbleepingcomputercomnewssecurityryuk-ransomware-crew-makes-640-000-in-recent-activity-surge

References

• Ryuk ransomware gang probably Russian, not North Korean
  httpswwwzdnetcomarticleryuk-ransomware-gang-probably-russian-not-north-korean
• Cloud Hosting Provider Dataresolution.net Hit by Ryuk Ransomware
  httpswwwsecurityswcomblogcloud-hosting-provider-dataresolution-net-hit-by-ryuk-ransomware
• CrowdStrike 2018 Global Threat Report: Blurring the Lines Between Statecraft and Tradecraft
  httpsgocrowdstrikecomrs281-OBQ-266imagesReport2018GlobalThreatReportpdf
• Trojan.TrickBot
  httpsblogmalwarebytescomdetectionstrojan-trickbot
• TrickBot Banking Trojan Takes Center Stage in 2018
  httpsblogbarklycomtrickbot-trojan-2018-campaigns
• HHS HCCIC cybersecurity alert: New Ryuk ransomware quickly racking up damage
  httpswwwhealthcareitnewscomnewshhs-hccic-cybersecurity-alert-new-ryuk-ransomware-quickly-racking-damage
• Notorious Ryuk Ransomware Adds Trojans to Cyberattack Method
  httpshealthitsecuritycomnewsnotorious-ryuk-ransomware-adds-trojans-to-cyberattack-method
• Emotet re-emerges after the holidays
  httpsblogtalosintelligencecom201901return-of-emotethtml
• The Unholy Alliance of Emotet, TrickBot and the Ryuk Ransomware
  httpsduocomdecipherthe-unholy-alliance-of-emotet-trickbot-and-the-ryuk-ransomware

References

• Cybercrime and Other Threats Faced by the Healthcare Industry
  httpswwwtrendmicrocomcontentdamtrendmicroglobalensecurity-intelligenceresearchreportswp-cybercrime-amp-other-threats-faced-by-the-healthcare-industrypdf
• Ryuk ransomware targets big businesses: New ransomware group waits and gathers intel before attacking large enterprises
  httpswwwtechradarcomnewsryuk-ransomware-targets-big-businesses
• Computer virus hits newspapers coast-to-coast
  httpswwwnbcnewscomnewsus-newscomputer-virus-hits-southern-california-newspapers-n953001
• Ryuk Ransomware: A Targeted Campaign Break-Down, CheckPoint Research
  httpsresearchcheckpointcomryuk-ransomware-targeted-campaign-break
• Ryuk ransomware targets big businesses
  httpswwwtechradarcomnewsryuk-ransomware-targets-big-businesses
• United States Department of Homeland Security, Cybersecurity and Infrastructure Security Agency: Alert (TA18-201A) Emotet Malware
  httpswwwus-certgovncasalertsTA18-201A
• Research Suggests Russian-Based Hackers Behind Ryuk Ransomware's $2.5 Million Gains
  httpsfinanceyahoocomnewsresearch-suggests-russian-based-hackers-131700487html
• Long Island Ransomware Attack: New York School Pays $100,000
  httpswwwmsspalertcomcybersecurity-breaches-and-attacksransomwareryuk-hits-rockville-centre

References

• Ransomware hits computer networks of North Carolina water utility, CyberScoop
  httpswwwcyberscoopcomransomware-hits-onwasa-computer-network-north-carolina-water-utility
• Media Release: Cyber-Criminals Target Critical Utility in Hurricane-Ravaged Area, Onslow Water and Sewer Authority
  httpswwwonwasacomDocumentCenterView3701Scan-from-2018-10-15-08_08_13-A
• Origin of virus that hobbled newspapers still unclear - The origins of a suspected computer attack that disrupted the Los Angeles Times and Tribune Publishing newspapers remain unclear
  httpsabcnewsgocomUSwireStoryorigin-virus-hobbled-newspapers-unclear-60083516
• Meet CrowdStrike's Adversary of the Month for February: MUMMY SPIDER, February 8, 2018
  httpswwwcrowdstrikecomblogmeet-crowdstrikes-adversary-of-the-month-for-february-mummy-spider
• North Korea APT(?) and recent Ryuk Ransomware attacks
  httpsblogkryptoslogiccommalware20190110dprk-emotethtml
• US Coast Guard Warns Over Ryuk Ransomware Attacks
  httpswwwbankinfosecuritycomus-coast-guard-warns-over-ryuk-ransomware-attacks-a-13563
• Georgia county pays a whopping $400,000 to get rid of a ransomware infection
  httpswwwzdnetcomarticlegeorgia-county-pays-a-whopping-400000-to-get-rid-of-a-ransomware-infection
• Informations Concernant Les Rançongiciels Lockergoga Et Ryuk (Information concerning the LockerGoga and Ryuk ransomware)
  httpswwwcertssigouvfruploadsCERTFR-2019-ACT-005pdf
• Cybereason Researchers Discover a Triple Threat Attack Utilizing Emotet to Deploy TrickBot, Which Steals Data and Spreads Ryuk Ransomware
  httpswwwbenzingacompressreleases1904p13470755cybereason-researchers-discover-a-triple-threat-attack-utilizing-emote

References

• Ryuk Ransomware Adds IP and Computer Name Blacklisting
  httpswwwbleepingcomputercomnewssecurityryuk-ransomware-adds-ip-and-computer-name-blacklisting
• US Coast Guard - Marine Safety Information Bulletin
  httpswwwdcouscgmilPortals9DCO20Documents5pMSIB2019MSIB_10_19pdf
• Wizard Spider Upgrades Ryuk Ransomware to Reach Deep into LANs
  httpsthreatpostcomwizard-spider-upgrades-ryuk-ransomware149853
• US Coast Guard Says Ryuk Ransomware Took Down Maritime Facility
  httpswwwbleepingcomputercomnewssecurityus-coast-guard-says-ryuk-ransomware-took-down-maritime-facility
• Mistaken For North Koreans, The Ryuk Ransomware Hackers Are Making Millions
  httpswwwforbescomsitesthomasbrewster20190220mistaken-for-north-koreans-the-ryuk-ransomware-hackers-are-making-millions6d47034775f4
• Ryuk Ransomware: Exploring the Technical and Human Connections
  httpswwwcovewarecomblog2019219ryuk-ransomware-exploring-the-technical-and-human-connections
• Stuart's city hall ransomware attack more than likely caused by phishing email scam
  httpswwwtcpalmcomstorynewslocalmartin-county20190422city-halls-ransomware-attack-may-linked-phishing-email-scam-ryuk3540067002
• 7 Florida municipalities have fallen prey to cyber attacks since last year
  httpswwwnaplesnewscomstorynewscrime201908207-florida-municipalities-have-fallen-prey-cyber-attacks-ryuk-ransomware-phishing2065063001
• Tampa Bay Times hit with Ryuk ransomware attack
  httpsblogmalwarebytescomransomware202001tampa-bay-times-hit-with-ryuk-ransomware-attack

References

• Cyber attack: Virus Ryuk disrupts The Watertown Daily Times Sunday paper delivery
  httpswwwibtimessgcyber-attack-virus-ryuk-disrupts-watertown-daily-times-sunday-paper-delivery-30503
• How a Manufacturing Firm Recovered from a Devastating Ransomware Attack
  httpswwwdarkreadingcomattacks-breacheshow-a-manufacturing-firm-recovered-from-a-devastating-ransomware-attackdd-id1334760
• Florida LAN: Someone clicks link again, giving Key Biscayne ransomware
  httpsarstechnicacominformation-technology201906is-there-something-in-the-water-third-florida-city-hit-by-ransomware
• New Warning on Ryuk Ransomware
  httpswwwdarkreadingcomdocumentaspdoc_id=1335101
• La Porte County Pays $130,000 Ransom To Ryuk Ransomware
  httpswwwbleepingcomputercomnewssecurityla-porte-county-pays-130-000-ransom-to-ryuk-ransomware
• China on Ryuk Virus alert: Deadly ransomware sneaks through the country's computer systems
  httpswwwcryptopolitancomchina-on-ryuk-virus-alert
• Ryuk, Sodinokibi Ransomware Responsible for Higher Average Ransoms
  httpswwwbleepingcomputercomnewssecurityryuk-sodinokibi-ransomware-responsible-for-higher-average-ransoms
• Ryuk Related Malware Steals Confidential Military, Financial Files
  httpswwwbleepingcomputercomnewssecurityryuk-related-malware-steals-confidential-military-financial-files
• Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware
  httpswwwcrowdstrikecomblogbig-game-hunting-with-ryuk-another-lucrative-targeted-ransomware

References

• Rolling back Ryuk Ransomware
  httpsnewssophoscomen-us20191004rolling-back-ryuk-ransomware
• DCH Hospital Pays Ryuk Ransomware for Decryption Key
  httpswwwbleepingcomputercomnewssecuritydch-hospital-pays-ryuk-ransomware-for-decryption-key
• Louisiana was hit by Ryuk, triggering another cyber-emergency
  httpsarstechnicacominformation-technology201911louisiana-was-hit-by-ryuk-triggering-another-cyber-emergency
• Security firm Prosegur: We've shut our IT network after Ryuk ransomware attack
  httpswwwzdnetcomarticlesecurity-firm-prosegur-weve-shut-our-it-network-after-ryuk-ransomware-attack
• Cash-moving giant Prosegur knocked offline by Ryuk ransomware
  httpswwwcsoonlinecomarticle3504492cash-moving-giant-prosegur-knocked-offline-by-ryuk-ransomwarehtml
• New ransomware rakes in $4 million by adopting a "big game hunting" strategy: Ryuk lies in wait for as long as a year, then pounces on only the biggest prey
  httpsarstechnicacominformation-technology201901new-ransomware-rakes-in-4-million-by-adopting-a-big-game-hunting-strategy
• A Nasty Trick: From Credential Theft Malware to Business Disruption
  httpswwwfireeyecomblogthreat-research201901a-nasty-trick-from-credential-theft-malware-to-business-disruptionhtml

References

• Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware
  httpswwwcrowdstrikecomblogbig-game-hunting-with-ryuk-another-lucrative-targeted-ransomware
• Hackers Demand Bitcoin Ransom in Cyberattack on Big Canadian Restaurants
  httpswwwcbccanewsbusinessransomware-hack-recipe-unlimited-restaurant-cyberattack-14847487
• Ryuk Ransomware Is Making Victims Left and Right
  httpswwwbleepingcomputercomnewssecurityryuk-ransomware-is-making-victims-left-and-right
• Ryuk: Cult Character to Ransomware Villain
  httpssecurityboulevardcom201912ryuk-cult-character-to-ransomware-villain
• Hermes ransomware distributed to South Koreans via recent Flash zero-day
  httpsblogmalwarebytescomthreat-analysis201803hermes-ransomware-distributed-to-south-koreans-via-recent-flash-zero-day

Questions

Upcoming Briefs
• Artificial Intelligence – Application to the Healthcare Industry
• Electronic Health Record systems
• PyXie RAT

Product Evaluations
Recipients of this and other Healthcare Sector Cybersecurity Coordination Center (HC3) Threat Intelligence products are highly encouraged to provide feedback to HC3@HHS.GOV.

Requests for Information
Need information on a specific cybersecurity topic? Send your request for information (RFI) to HC3@HHS.GOV or call us Monday-Friday between 9am-5pm (EST) at (202) 691-2110.

About Us

HC3 works with private and public sector partners to improve cybersecurity throughout the Healthcare and Public Health (HPH) Sector.

Products

Sector & Victim Notifications
Directed communications to victims or potential victims of compromises, vulnerable equipment or PII/PHI theft, and general notifications to the HPH about currently impacting threats via the HHS OIG.

White Papers
Document that provides in-depth information on a cybersecurity topic to increase comprehensive situational awareness and provide risk recommendations to a wide audience.

Threat Briefings & Webinar
Briefing document and presentation that provides actionable information on health sector cybersecurity threats and mitigations. Analysts present current cybersecurity topics, engage in discussions with participants on current threats, and highlight best practices and mitigation tactics.

Need information on a specific cybersecurity topic or want to join our listserv? Send your request for information (RFI) to HC3@HHS.GOV or call us Monday-Friday between 9am-5pm (EST) at (202) 691-2110.

Contact

Health Sector Cybersecurity Coordination Center (HC3)
(202) 691-2110
HC3@HHS.GOV

  • Ryuk Update
  • Agenda
  • Overview
  • Functionality
  • Shifting Attribution
  • Shifting Attribution
  • Slide Number 7
  • Threat Actors
  • Threat Actors
  • Slide Number 10
  • Slide Number 11
  • Ransom Demands
  • Slide Number 13
  • Slide Number 14
  • Slide Number 15
  • Slide Number 16
  • Slide Number 17
  • Slide Number 18
  • Slide Number 19
  • Slide Number 20
  • References
  • References
  • References
  • References
  • References
  • References
  • References
  • References
  • Slide Number 29
  • Questions
  • About Us
  • Slide Number 32
Page 3: Ryuk Update - HHS.gov · 2020. 7. 7. · Internet. We have attempted to include as many as possible in this presentation. However, there may be some available to the public not included

3

bull Ryukbull Ransomware

bull First identified in 2018bull Initially thought to be Hermes

bull Modified version of Hermes 21bull Similar codebull Similar functionality

bull Likely utilized by Russian criminal groupsbull Originally attributed to North Korea

bull Often deployed with other weaponsbull TrickBotbull Emotet

bull Used against big targets (big game hunting)bull Known for high ransom remandsbull Encryption scheme built for small-scale operations

bull Why the name ldquoRyukrdquobull Fictional character in Japanese comic book series

Death Note

Overview

First public disclosure of Ryuk (source Twittercom)

Photo credit httpwwwrayphillipscouk

TLP WHITE ID 202001301000

4

bull Establishes persistence by modifying registrybull Injects itself into running processes bull Encrypts files using RSA-2048 and AES-256bull Can download additional exploitation toolsbull Can steal credentialsbull In one case the ransomware appears to have used

unsecured or brute forced Remote Desktop Protocols (RDPs) to gain access

bull Stores keys in the executable using the proprietary Microsoft SIMPLEBLOB format

bull Capable of targeting beyond immediate system devices Encrypts network-connected devices mounted devices and remote hosts

bull Conceals its tracks - deletes many files related to the intrusion makes it challenging to identify infection vector

bull Most recently Wake-on-LAN allows for the targeting of systems that are in standbysleep mode and it would otherwise have no ability to reach and ARP pinging allows for the identification of more systems on a network

Functionality

TLP WHITE ID 202001301000

Image source Bankinfosecuritycom

Image source Reactionary Times

5

bull Original attribution North Koreabull Hermes-related code

bull Similar call flowsbull Marker code is identicalbull Lazarus Group and APT 38 has history of use

bull Targets International bankingSWIFT

bull Updated attribution linked to Russian cyber criminal groupsbull CrowdStrike medium-high confidence Ryuk is used by

Russian threat actorsbull FireEye ldquomost likely hypothesisrdquo Ryuk operators are

Russian cybercriminalsbull Why

bull Hermes has been seen for sale on the dark web

bull Uploaded files related to Ryuk to file-scanning website from Russian IP

bull Does not work on systems with Russian Ukrainian or Belarusian language enabled

bull Use by various APTs and criminal group threat actorsbull CrowdStrike Grim Spiderbull FireEye TEMPMixmaster

Shifting Attribution

TLP WHITE ID 202001301000

Source Forbes

6

Shifting Attribution

TLP WHITE ID 202001301000

bull A comparison of call flow diagram of the encryption functions of Ryuk and Hermes

bull Both instances of malware have similar code structure

bull Both instances of malware have similar flow

Source Checkpoint

7

Blacklisting Capabilities ndash Further Attribution

TLP WHITE ID 202001301000

bull June 2019 a new Ryuk variant was discovered which makes checks before encryption

bull Ryuk will not encrypt systems on the subnets 10304 10305 10306 or 103132

bull Ryuk will not encrypt systems that contain certain strings (SPB Spb spb MSK Msk and mskldquo)

bull These blacklisting capabilities were likely added to avoid encrypting systems in Russia

Images courtesy of Bleeping Computer

8

Threat Actors

TLP WHITE ID 202001301000

bull FireEye TEMPMixMaster

bull ldquohellipfinancially-motivated activity that involves the interactive deployment of Ryuk ransomware following TrickBot malware infectionsrdquo

bull Not concluded to be a single threat group

bull ldquohellipproven to be highly successful at soliciting large ransom payments from victim organizationsrdquo

bull CrowdStrike GRIM SPIDER

bull cell of WIZARD SPIDER bull Developer of TrickBotbull Wizard Spider cell of

Mummy Spider (Emotet)

Source Crowdstrikecom

9

Threat Actors

TLP WHITE ID 202001301000

bull Initial activitybull August 2018 to Jan 2019 $47M USD in BTC acquiredbull Used in cyberattacks targeting various newspapers in December (slight delays in delivery but no

significant operational impact) bull San Diego Union-Tribunebull Los Angeles Times and Tribune Publishing

bull Includes Chicago Tribune New York Daily News Baltimore Sun and Orlando Sentinelbull Used to attack cloud hosting provider Data Resolution Onslow Water and Sewer Authority in North

Carolina and an unnamed Canadian company that owns several restaurant chains

bull Combining Ryuk with Emotet and TrickBot

bull ldquoAlong with Emotet TrickBot has become one of the most versatile and dangerous pieces of modular malware hitting enterprise environmentsrdquo ndash HelpNet Security

bull ldquoInteractive deployment of ransomwarerdquo to conduct reconnaissance and ultimately ldquomaximize their disruption of business operationsrdquo - FireEye

SYSTEM(S) ENCRYPTED RANSOM DEMANDEDEmotet TrickBot Ryuk

10

Emotet TrickBot Ryuk Delivery

TLP WHITE ID 202001301000

Source Kryptoslogiccom

11TLP WHITE ID 202001301000

Emotet TrickBot Ryuk DeliveryAnother example of the workflow of Emotet TrickBot and Ryuk when used together

12TLP WHITE ID 202001301000

Ransom Demands

bull Ryuk is known to be one of the most costly ransomware familiesbull According to Coveware Ryuk payments are often 10 times more than its peers

13TLP WHITE ID 202001301000

bull March 2019bull IT systems for Jackson County Georgia attacked They paid $400000 (most IT systems except

website and 911 knocked down)

bull May 2019 bull Disrupted operations of CE Niehoff amp Co a manufacturing firm

bull April 2019 bull Stuart Florida attacked with Ryukbull Imperial County California refused to pay $12M Ryuk ransom demand but suffered downtime

bull June 2019bull Key Biscayne Florida attacked with Ryukbull Lake City Florida paid ~$460K in Ryuk attack ransombull British GCHQ releases warning about global Ryuk campaignbull Georgiarsquos Administrative Office of the Courts attacked

bull July 2019bull La Porte County Indiana attacked paid $130000 ransom bull Chinese company Tencent releases report on Ryuk attacking targets in Chinabull Coveware report notes dramatically increasing ransomware ransom demands identifies Ryuk as one

of the reasonsbull New Bedford Massachusetts attacked Refused to pay ransom and rebuiltbull Several Louisiana school districts attacked with Ryuk

Prominent Ryuk Activity and Alerts in the Last Year

14TLP WHITE ID 202001301000

Prominent Ryuk Activity and Alerts in the Last Yearbull August 2019

bull Rockville Centre school district (Long Island New York) paid nearly $100000 ransom for a Ryuk attack

bull September 2019bull Ryuk-related malware observed exfiltrating sensitive military and financial files

bull October 2019bull DCH Health System in Alabama were attacked shut down and temporarily stopped admitting new

non-emergency patients

bull November 2019bull Ransomware attack on Louisiana Office of Technology Services likely Ryuk based on publically-

releasedbull Multinational Spanish security company Prosegur temporarily shut down IT network after Ryuk attackbull Ryuk attack on Cadena SER (Spainrsquos largest radio station)bull Ryuk attack on T-System a provider of end-to-end IT solutions for emergency and urgent healthcare

providers allegedly the infection spread to public segments such as their demilitarized zone extranet and even their helpdesk

bull December 2019bull Ryuk used to attack IT network of a federally regulated maritime facility

bull January 2020bull Ryuk used to attack several oil and gas facilitiesbull Coveware again reports dramatically increasing ransomware demands identifies Ryuk as one of the

reasons

15TLP WHITE ID 202001301000

Prominent Ryuk Activity and Alerts in the Last Yearbull January 2020

bull Ryuk used to attack several oil and gas facilitiesbull Coveware again reports dramatically increasing ransomware demands identifies Ryuk as one of the

reasons

16

Ryuk Defense and Mitigations

TLP WHITE ID 202001301000

bull Provide social engineering and phishing training to employees [10SA] [1MD]

bull Develop and maintain policy on suspicious e-mails for end users Ensure suspicious e-mails are reported [10SA] [10MA]

bull Ensure emails originating from outside the organization are automatically marked before received [1SA] [1MA]

bull Apply applicable patches and updates immediately after testing Develop and maintain patching program if necessary [7SA] [7MD]

bull Implement Intrusion Detection System (IDS) [6SC] [6MC] [6LC]bull Implement spam filters at the email gateways [1SA] [1MA]bull Block suspicious IP addresses at the firewall [6SA] [6MA] [6LE]

bull Implement whitelisting technology on appropriate assets to ensure that only authorized software is allowed to execute [2SA] [2MA] [2LE]

bull Implement access control based on the principal of least privilege [3SA] [3MA] [3LC]

bull Implement and maintain anti-malware solution [2SA] [2MA] [2LD]

bull Conduct system hardening to ensure proper configurations [7SA] [7MD]bull Disable the use of Remote Desktop Protocol (RDP) or if absolutely needed

restrict its use applying the principle of least privilege and monitorlog its usage [7SA] [7MD]

We suggest contacting local law enforcement in the case of a cyberattack Also the FBIrsquos Internet Crime Complaint Center (IC3) can be reached herehttpswwwic3govcomplaintdefaultaspx

17TLP WHITE ID 202001301000

Prominent Ryuk Activity and Alerts in the Last Year

bull Please note several things about the indicators of compromise (IOCs) on the following slidesbull There is a significant quantity of indicators of compromise related to Ryuk available on the public

Internet We have attempted to include as many as possible in this presentation However there may be some available to the public not included here

bull Upon being released to the public IOCs may become ldquoburnedrdquo which is to say that the attackers will adjust their TTPs weapon and infrastructure so that the public IOCs are no longer used

bull There are instances of obsolete IOCs being reused so any organization attempting to defend themselves should consider all possibilities

bull New IOCs are constantly being released especially with a tool as prominent and frequently used as TrickBot It is therefore incumbent upon any organization attempting to defend themselves to remain vigilant maintain situational awareness and be ever on the lookout for new IOCs to operationalize in their cyber defense infrastructure

18

Indicators of Compromise

TLP WHITE ID 202001301000

Command and control

474916850 4211591177 199227126250 68417310

1901457484 1377415118 24113161184 7218912441

18525138208 719410125 1972325085 741345113

18868208240 206130141255 9423220113 10527171234

24247181155 923816339 1901457484 1822532066

174105235178 7414016033 474916850 17222297179

18580148162 6531241133 6412817537

18111317230 14019054187 242272224

17410523382 24247181226 21318363245

71141298 46149182112 10311091118

2161836243 21332122246 241196970

19

Indicators of Compromise (Continued)

TLP WHITE ID 202001301000

Hashes

1354ac0d5be0c8d03f4e3aba78d2223e 29340643ca2e6677c19e1d3bf351d654 5ac0f050f93f86e69026faea1fbb4450 86c314bc2dc37ba84f7364acd5108c2b 958c594909933d4c82e93c22850194aa c0202cf6aeab8437c638533d14563d35 cb0c1248d3899358a375888bb4e8f3fe d348f536e214a47655af387408b4fca5

Reference Materials

21

References

TLP WHITE ID 202001301000

• Ryuk Ransomware: Exploring the Technical and Human Connections
  https://www.coveware.com/blog/2019/2/19/ryuk-ransomware-exploring-the-technical-and-human-connections

• 2017 Cylance Threat Report
  https://pages.cylance.com/2018-03CylanceThreatReport2017.html

• 2018 Global Threat Report: Blurring the Lines Between Statecraft and Tradecraft (CrowdStrike)
  https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2018GlobalThreatReport.pdf

• TEMP.MixMaster group infects with Trickbot and delayed Ryuk ransomware combo
  https://www.scmagazine.com/home/security-news/financially-motivated-threat-actors-referred-to-as-temp-mixmaster-are-infecting-victims-with-trickbot-malware-before-deploying-the-infamous-ryuk-ransomware/

• Ryuk ransomware linked to Emotet and TrickBot trojans; suspicions shift to cybercriminal group
  https://www.scmagazine.com/home/security-news/ryuk-ransomware-linked-to-emotet-and-trickbot-trojans-suspicions-shift-to-cybercriminal-group/

• Ryuk ransomware earns hackers $3.7M in Bitcoin over 5 months: 52 known ransom transactions were recorded, the highest worth 99 BTC
  https://thenextweb.com/hardfork/2019/01/14/ryuk-bitcoin-ransomware/

• Ryuk Ransomware Crew Makes $640,000 in Recent Activity Surge
  https://www.bleepingcomputer.com/news/security/ryuk-ransomware-crew-makes-640-000-in-recent-activity-surge/

• Ryuk ransomware gang probably Russian, not North Korean
  https://www.zdnet.com/article/ryuk-ransomware-gang-probably-russian-not-north-korean/

• Cloud Hosting Provider Dataresolution.net Hit by Ryuk Ransomware
  https://www.securitysw.com/blog/cloud-hosting-provider-dataresolution-net-hit-by-ryuk-ransomware

• CrowdStrike 2018 Global Threat Report: Blurring the Lines Between Statecraft and Tradecraft
  https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2018GlobalThreatReport.pdf

• Trojan.TrickBot
  https://blog.malwarebytes.com/detections/trojan-trickbot/

• TrickBot Banking Trojan Takes Center Stage in 2018
  https://blog.barkly.com/trickbot-trojan-2018-campaigns

• HHS HCCIC cybersecurity alert: New Ryuk ransomware quickly racking up damage
  https://www.healthcareitnews.com/news/hhs-hccic-cybersecurity-alert-new-ryuk-ransomware-quickly-racking-damage

• Notorious Ryuk Ransomware Adds Trojans to Cyberattack Method
  https://healthitsecurity.com/news/notorious-ryuk-ransomware-adds-trojans-to-cyberattack-method

• Emotet re-emerges after the holidays
  https://blog.talosintelligence.com/2019/01/return-of-emotet.html

• The Unholy Alliance of Emotet, TrickBot and the Ryuk Ransomware
  https://duo.com/decipher/the-unholy-alliance-of-emotet-trickbot-and-the-ryuk-ransomware

• Cybercrime and Other Threats Faced by the Healthcare Industry
  https://www.trendmicro.com/content/dam/trendmicro/global/en/security-intelligence/research/reports/wp-cybercrime-&-other-threats-faced-by-the-healthcare-industry.pdf

• Ryuk ransomware targets big businesses: New ransomware group waits and gathers intel before attacking large enterprises
  https://www.techradar.com/news/ryuk-ransomware-targets-big-businesses

• Computer virus hits newspapers coast-to-coast
  https://www.nbcnews.com/news/us-news/computer-virus-hits-southern-california-newspapers-n953001

• Ryuk Ransomware: A Targeted Campaign Break-Down (Check Point Research)
  https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/

• Ryuk ransomware targets big businesses
  https://www.techradar.com/news/ryuk-ransomware-targets-big-businesses

• United States Department of Homeland Security, Cybersecurity and Infrastructure Security Agency, Alert (TA18-201A): Emotet Malware
  https://www.us-cert.gov/ncas/alerts/TA18-201A

• Research Suggests Russian-Based Hackers Behind Ryuk Ransomware's $2.5 Million Gains
  https://finance.yahoo.com/news/research-suggests-russian-based-hackers-131700487.html

• Long Island Ransomware Attack: New York School Pays $100,000
  https://www.msspalert.com/cybersecurity-breaches-and-attacks/ransomware/ryuk-hits-rockville-centre/

• Ransomware hits computer networks of North Carolina water utility (CyberScoop)
  https://www.cyberscoop.com/ransomware-hits-onwasa-computer-network-north-carolina-water-utility/

• Media Release: Cyber-Criminals Target Critical Utility in Hurricane-Ravaged Area (Onslow Water and Sewer Authority)
  https://www.onwasa.com/DocumentCenter/View/3701/Scan-from-2018-10-15-08_08_13-A

• Origin of virus that hobbled newspapers still unclear: The origins of a suspected computer attack that disrupted the Los Angeles Times and Tribune Publishing newspapers remain unclear
  https://abcnews.go.com/US/wireStory/origin-virus-hobbled-newspapers-unclear-60083516

• Meet CrowdStrike's Adversary of the Month for February: MUMMY SPIDER (February 8, 2018)
  https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-february-mummy-spider/

• North Korea APT(?) and recent Ryuk Ransomware attacks
  https://blog.kryptoslogic.com/malware/2019/01/10/dprk-emotet.html

• US Coast Guard Warns Over Ryuk Ransomware Attacks
  https://www.bankinfosecurity.com/us-coast-guard-warns-over-ryuk-ransomware-attacks-a-13563

• Georgia county pays a whopping $400,000 to get rid of a ransomware infection
  https://www.zdnet.com/article/georgia-county-pays-a-whopping-400000-to-get-rid-of-a-ransomware-infection/

• Information concerning the LockerGoga and Ryuk ransomware (original title: Informations concernant les rançongiciels LockerGoga et Ryuk)
  https://www.cert.ssi.gouv.fr/uploads/CERTFR-2019-ACT-005.pdf

• Cybereason Researchers Discover a Triple Threat Attack Utilizing Emotet to Deploy TrickBot, Which Steals Data and Spreads Ryuk Ransomware
  https://www.benzinga.com/pressreleases/19/04/p13470755/cybereason-researchers-discover-a-triple-threat-attack-utilizing-emote

• Ryuk Ransomware Adds IP and Computer Name Blacklisting
  https://www.bleepingcomputer.com/news/security/ryuk-ransomware-adds-ip-and-computer-name-blacklisting/

• US Coast Guard: Marine Safety Information Bulletin
  https://www.dco.uscg.mil/Portals/9/DCO%20Documents/5p/MSIB/2019/MSIB_10_19.pdf

• Wizard Spider Upgrades Ryuk Ransomware to Reach Deep into LANs
  https://threatpost.com/wizard-spider-upgrades-ryuk-ransomware/149853/

• US Coast Guard Says Ryuk Ransomware Took Down Maritime Facility
  https://www.bleepingcomputer.com/news/security/us-coast-guard-says-ryuk-ransomware-took-down-maritime-facility/

• Mistaken For North Koreans, The Ryuk Ransomware Hackers Are Making Millions
  https://www.forbes.com/sites/thomasbrewster/2019/02/20/mistaken-for-north-koreans-the-ryuk-ransomware-hackers-are-making-millions/#6d47034775f4

• Ryuk Ransomware: Exploring the Technical and Human Connections
  https://www.coveware.com/blog/2019/2/19/ryuk-ransomware-exploring-the-technical-and-human-connections

• Stuart's city hall ransomware attack more than likely caused by phishing email scam
  https://www.tcpalm.com/story/news/local/martin-county/2019/04/22/city-halls-ransomware-attack-may-linked-phishing-email-scam-ryuk/3540067002/

• 7 Florida municipalities have fallen prey to cyber attacks since last year
  https://www.naplesnews.com/story/news/crime/2019/08/20/7-florida-municipalities-have-fallen-prey-cyber-attacks-ryuk-ransomware-phishing/2065063001/

• Tampa Bay Times hit with Ryuk ransomware attack
  https://blog.malwarebytes.com/ransomware/2020/01/tampa-bay-times-hit-with-ryuk-ransomware-attack/

• Cyber attack: Virus Ryuk disrupts The Watertown Daily Times Sunday paper delivery
  https://www.ibtimes.sg/cyber-attack-virus-ryuk-disrupts-watertown-daily-times-sunday-paper-delivery-30503

• How a Manufacturing Firm Recovered from a Devastating Ransomware Attack
  https://www.darkreading.com/attacks-breaches/how-a-manufacturing-firm-recovered-from-a-devastating-ransomware-attack/d/d-id/1334760

• Florida LAN: Someone clicks link, again giving Key Biscayne ransomware
  https://arstechnica.com/information-technology/2019/06/is-there-something-in-the-water-third-florida-city-hit-by-ransomware/

• New Warning on Ryuk Ransomware
  https://www.darkreading.com/document.asp?doc_id=1335101

• La Porte County Pays $130,000 Ransom To Ryuk Ransomware
  https://www.bleepingcomputer.com/news/security/la-porte-county-pays-130-000-ransom-to-ryuk-ransomware/

• China on Ryuk Virus alert: Deadly ransomware sneaks through the country's computer systems
  https://www.cryptopolitan.com/china-on-ryuk-virus-alert/

• Ryuk, Sodinokibi Ransomware Responsible for Higher Average Ransoms
  https://www.bleepingcomputer.com/news/security/ryuk-sodinokibi-ransomware-responsible-for-higher-average-ransoms/

• Ryuk Related Malware Steals Confidential Military, Financial Files
  https://www.bleepingcomputer.com/news/security/ryuk-related-malware-steals-confidential-military-financial-files/

• Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware
  https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/

• Rolling back Ryuk Ransomware
  https://news.sophos.com/en-us/2019/10/04/rolling-back-ryuk-ransomware/

• DCH Hospital Pays Ryuk Ransomware for Decryption Key
  https://www.bleepingcomputer.com/news/security/dch-hospital-pays-ryuk-ransomware-for-decryption-key/

• Louisiana was hit by Ryuk, triggering another cyber-emergency
  https://arstechnica.com/information-technology/2019/11/louisiana-was-hit-by-ryuk-triggering-another-cyber-emergency/

• Security firm Prosegur: We've shut our IT network after Ryuk ransomware attack
  https://www.zdnet.com/article/security-firm-prosegur-weve-shut-our-it-network-after-ryuk-ransomware-attack/

• Cash-moving giant Prosegur knocked offline by Ryuk ransomware
  https://www.csoonline.com/article/3504492/cash-moving-giant-prosegur-knocked-offline-by-ryuk-ransomware.html

• New ransomware rakes in $4 million by adopting a "big game hunting" strategy: Ryuk lies in wait for as long as a year, then pounces on only the biggest prey
  https://arstechnica.com/information-technology/2019/01/new-ransomware-rakes-in-4-million-by-adopting-a-big-game-hunting-strategy/

• A Nasty Trick: From Credential Theft Malware to Business Disruption
  https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html

• Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware
  https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/

• Hackers Demand Bitcoin Ransom in Cyberattack on Big Canadian Restaurants
  https://www.cbc.ca/news/business/ransomware-hack-recipe-unlimited-restaurant-cyberattack-1.4847487

• Ryuk Ransomware Is Making Victims Left and Right
  https://www.bleepingcomputer.com/news/security/ryuk-ransomware-is-making-victims-left-and-right/

• Ryuk: Cult Character to Ransomware Villain
  https://securityboulevard.com/2019/12/ryuk-cult-character-to-ransomware-villain/

• Hermes ransomware distributed to South Koreans via recent Flash zero-day
  https://blog.malwarebytes.com/threat-analysis/2018/03/hermes-ransomware-distributed-to-south-koreans-via-recent-flash-zero-day/

Questions

Upcoming Briefs
• Artificial Intelligence: Application to the Healthcare Industry
• Electronic Health Record systems
• PyXie RAT

Product Evaluations
Recipients of this and other Healthcare Sector Cybersecurity Coordination Center (HC3) Threat Intelligence products are highly encouraged to provide feedback to HC3@HHS.GOV.

Requests for Information
Need information on a specific cybersecurity topic? Send your request for information (RFI) to HC3@HHS.GOV, or call us Monday-Friday between 9am-5pm (EST) at (202) 691-2110.

About Us

HC3 works with private and public sector partners to improve cybersecurity throughout the Healthcare and Public Health (HPH) Sector.

Products

Sector & Victim Notifications
Directed communications to victims or potential victims of compromises, vulnerable equipment or PII/PHI theft, and general notifications to the HPH about currently impacting threats via the HHS OIG.

White Papers
Document that provides in-depth information on a cybersecurity topic to increase comprehensive situational awareness and provide risk recommendations to a wide audience.

Threat Briefings & Webinar
Briefing document and presentation that provides actionable information on health sector cybersecurity threats and mitigations. Analysts present current cybersecurity topics, engage in discussions with participants on current threats, and highlight best practices and mitigation tactics.

Need information on a specific cybersecurity topic or want to join our listserv? Send your request for information (RFI) to HC3@HHS.GOV, or call us Monday-Friday between 9am-5pm (EST) at (202) 691-2110.

Contact

Health Sector Cybersecurity Coordination Center (HC3)
(202) 691-2110, HC3@HHS.GOV

Page 4: Ryuk Update - HHS.gov · 2020. 7. 7. · Internet. We have attempted to include as many as possible in this presentation. However, there may be some available to the public not included

4

bull Establishes persistence by modifying registrybull Injects itself into running processes bull Encrypts files using RSA-2048 and AES-256bull Can download additional exploitation toolsbull Can steal credentialsbull In one case the ransomware appears to have used

unsecured or brute forced Remote Desktop Protocols (RDPs) to gain access

bull Stores keys in the executable using the proprietary Microsoft SIMPLEBLOB format

bull Capable of targeting beyond immediate system devices Encrypts network-connected devices mounted devices and remote hosts

bull Conceals its tracks - deletes many files related to the intrusion makes it challenging to identify infection vector

bull Most recently Wake-on-LAN allows for the targeting of systems that are in standbysleep mode and it would otherwise have no ability to reach and ARP pinging allows for the identification of more systems on a network

Functionality

TLP WHITE ID 202001301000

Image source Bankinfosecuritycom

Image source Reactionary Times

5

bull Original attribution North Koreabull Hermes-related code

bull Similar call flowsbull Marker code is identicalbull Lazarus Group and APT 38 has history of use

bull Targets International bankingSWIFT

bull Updated attribution linked to Russian cyber criminal groupsbull CrowdStrike medium-high confidence Ryuk is used by

Russian threat actorsbull FireEye ldquomost likely hypothesisrdquo Ryuk operators are

Russian cybercriminalsbull Why

bull Hermes has been seen for sale on the dark web

bull Uploaded files related to Ryuk to file-scanning website from Russian IP

bull Does not work on systems with Russian Ukrainian or Belarusian language enabled

bull Use by various APTs and criminal group threat actorsbull CrowdStrike Grim Spiderbull FireEye TEMPMixmaster

Shifting Attribution

TLP WHITE ID 202001301000

Source Forbes

6

Shifting Attribution

TLP WHITE ID 202001301000

bull A comparison of call flow diagram of the encryption functions of Ryuk and Hermes

bull Both instances of malware have similar code structure

bull Both instances of malware have similar flow

Source Checkpoint

7

Blacklisting Capabilities ndash Further Attribution

TLP WHITE ID 202001301000

bull June 2019 a new Ryuk variant was discovered which makes checks before encryption

bull Ryuk will not encrypt systems on the subnets 10304 10305 10306 or 103132

bull Ryuk will not encrypt systems that contain certain strings (SPB Spb spb MSK Msk and mskldquo)

bull These blacklisting capabilities were likely added to avoid encrypting systems in Russia

Images courtesy of Bleeping Computer

8

Threat Actors

TLP WHITE ID 202001301000

bull FireEye TEMPMixMaster

bull ldquohellipfinancially-motivated activity that involves the interactive deployment of Ryuk ransomware following TrickBot malware infectionsrdquo

bull Not concluded to be a single threat group

bull ldquohellipproven to be highly successful at soliciting large ransom payments from victim organizationsrdquo

bull CrowdStrike GRIM SPIDER

bull cell of WIZARD SPIDER bull Developer of TrickBotbull Wizard Spider cell of

Mummy Spider (Emotet)

Source Crowdstrikecom

9

Threat Actors

TLP WHITE ID 202001301000

bull Initial activitybull August 2018 to Jan 2019 $47M USD in BTC acquiredbull Used in cyberattacks targeting various newspapers in December (slight delays in delivery but no

significant operational impact) bull San Diego Union-Tribunebull Los Angeles Times and Tribune Publishing

bull Includes Chicago Tribune New York Daily News Baltimore Sun and Orlando Sentinelbull Used to attack cloud hosting provider Data Resolution Onslow Water and Sewer Authority in North

Carolina and an unnamed Canadian company that owns several restaurant chains

bull Combining Ryuk with Emotet and TrickBot

bull ldquoAlong with Emotet TrickBot has become one of the most versatile and dangerous pieces of modular malware hitting enterprise environmentsrdquo ndash HelpNet Security

bull ldquoInteractive deployment of ransomwarerdquo to conduct reconnaissance and ultimately ldquomaximize their disruption of business operationsrdquo - FireEye

SYSTEM(S) ENCRYPTED RANSOM DEMANDEDEmotet TrickBot Ryuk

10

Emotet TrickBot Ryuk Delivery

TLP WHITE ID 202001301000

Source Kryptoslogiccom

11TLP WHITE ID 202001301000

Emotet TrickBot Ryuk DeliveryAnother example of the workflow of Emotet TrickBot and Ryuk when used together

12TLP WHITE ID 202001301000

Ransom Demands

bull Ryuk is known to be one of the most costly ransomware familiesbull According to Coveware Ryuk payments are often 10 times more than its peers

13TLP WHITE ID 202001301000

bull March 2019bull IT systems for Jackson County Georgia attacked They paid $400000 (most IT systems except

website and 911 knocked down)

bull May 2019 bull Disrupted operations of CE Niehoff amp Co a manufacturing firm

bull April 2019 bull Stuart Florida attacked with Ryukbull Imperial County California refused to pay $12M Ryuk ransom demand but suffered downtime

bull June 2019bull Key Biscayne Florida attacked with Ryukbull Lake City Florida paid ~$460K in Ryuk attack ransombull British GCHQ releases warning about global Ryuk campaignbull Georgiarsquos Administrative Office of the Courts attacked

bull July 2019bull La Porte County Indiana attacked paid $130000 ransom bull Chinese company Tencent releases report on Ryuk attacking targets in Chinabull Coveware report notes dramatically increasing ransomware ransom demands identifies Ryuk as one

of the reasonsbull New Bedford Massachusetts attacked Refused to pay ransom and rebuiltbull Several Louisiana school districts attacked with Ryuk

Prominent Ryuk Activity and Alerts in the Last Year

14TLP WHITE ID 202001301000

Prominent Ryuk Activity and Alerts in the Last Yearbull August 2019

bull Rockville Centre school district (Long Island New York) paid nearly $100000 ransom for a Ryuk attack

bull September 2019bull Ryuk-related malware observed exfiltrating sensitive military and financial files

bull October 2019bull DCH Health System in Alabama were attacked shut down and temporarily stopped admitting new

non-emergency patients

bull November 2019bull Ransomware attack on Louisiana Office of Technology Services likely Ryuk based on publically-

releasedbull Multinational Spanish security company Prosegur temporarily shut down IT network after Ryuk attackbull Ryuk attack on Cadena SER (Spainrsquos largest radio station)bull Ryuk attack on T-System a provider of end-to-end IT solutions for emergency and urgent healthcare

providers allegedly the infection spread to public segments such as their demilitarized zone extranet and even their helpdesk

bull December 2019bull Ryuk used to attack IT network of a federally regulated maritime facility

bull January 2020bull Ryuk used to attack several oil and gas facilitiesbull Coveware again reports dramatically increasing ransomware demands identifies Ryuk as one of the

reasons

15TLP WHITE ID 202001301000

Prominent Ryuk Activity and Alerts in the Last Yearbull January 2020

bull Ryuk used to attack several oil and gas facilitiesbull Coveware again reports dramatically increasing ransomware demands identifies Ryuk as one of the

reasons

16

Ryuk Defense and Mitigations

TLP WHITE ID 202001301000

bull Provide social engineering and phishing training to employees [10SA] [1MD]

bull Develop and maintain policy on suspicious e-mails for end users Ensure suspicious e-mails are reported [10SA] [10MA]

bull Ensure emails originating from outside the organization are automatically marked before received [1SA] [1MA]

bull Apply applicable patches and updates immediately after testing Develop and maintain patching program if necessary [7SA] [7MD]

bull Implement Intrusion Detection System (IDS) [6SC] [6MC] [6LC]bull Implement spam filters at the email gateways [1SA] [1MA]bull Block suspicious IP addresses at the firewall [6SA] [6MA] [6LE]

bull Implement whitelisting technology on appropriate assets to ensure that only authorized software is allowed to execute [2SA] [2MA] [2LE]

bull Implement access control based on the principal of least privilege [3SA] [3MA] [3LC]

bull Implement and maintain anti-malware solution [2SA] [2MA] [2LD]

bull Conduct system hardening to ensure proper configurations [7SA] [7MD]bull Disable the use of Remote Desktop Protocol (RDP) or if absolutely needed

restrict its use applying the principle of least privilege and monitorlog its usage [7SA] [7MD]

We suggest contacting local law enforcement in the case of a cyberattack Also the FBIrsquos Internet Crime Complaint Center (IC3) can be reached herehttpswwwic3govcomplaintdefaultaspx

17TLP WHITE ID 202001301000

Prominent Ryuk Activity and Alerts in the Last Year

bull Please note several things about the indicators of compromise (IOCs) on the following slidesbull There is a significant quantity of indicators of compromise related to Ryuk available on the public

Internet We have attempted to include as many as possible in this presentation However there may be some available to the public not included here

bull Upon being released to the public IOCs may become ldquoburnedrdquo which is to say that the attackers will adjust their TTPs weapon and infrastructure so that the public IOCs are no longer used

bull There are instances of obsolete IOCs being reused so any organization attempting to defend themselves should consider all possibilities

bull New IOCs are constantly being released especially with a tool as prominent and frequently used as TrickBot It is therefore incumbent upon any organization attempting to defend themselves to remain vigilant maintain situational awareness and be ever on the lookout for new IOCs to operationalize in their cyber defense infrastructure

18

Indicators of Compromise

TLP WHITE ID 202001301000

Command and control

474916850 4211591177 199227126250 68417310

1901457484 1377415118 24113161184 7218912441

18525138208 719410125 1972325085 741345113

18868208240 206130141255 9423220113 10527171234

24247181155 923816339 1901457484 1822532066

174105235178 7414016033 474916850 17222297179

18580148162 6531241133 6412817537

18111317230 14019054187 242272224

17410523382 24247181226 21318363245

71141298 46149182112 10311091118

2161836243 21332122246 241196970

19

Indicators of Compromise (Continued)

TLP WHITE ID 202001301000

Hashes

1354ac0d5be0c8d03f4e3aba78d2223e 29340643ca2e6677c19e1d3bf351d654 5ac0f050f93f86e69026faea1fbb4450 86c314bc2dc37ba84f7364acd5108c2b 958c594909933d4c82e93c22850194aa c0202cf6aeab8437c638533d14563d35 cb0c1248d3899358a375888bb4e8f3fe d348f536e214a47655af387408b4fca5

Reference Materials

21

References

TLP WHITE ID 202001301000

bull Ryuk Ransomware Exploring the Technical and Human Connectionsbull httpswwwcovewarecomblog2019219ryuk-ransomware-exploring-the-technical-and-human-

connections

bull 2017 Cylance Threat Reportbull httpspagescylancecom2018-03CylanceThreatReport2017html

bull 2018 Global Threat Report Blurring the Lines Between Statecraft and Tradecraft Crowdstrikebull httpsgocrowdstrikecomrs281-OBQ-266imagesReport2018GlobalThreatReportpdf

bull TEMPMixMaster group infects with Trickbot and delayed Ryuk ransomware combobull httpswwwscmagazinecomhomesecurity-newsfinancially-motivated-threat-actorsreferred-to-as-

temp-mixmaster-are-infecting-victims-with-trickbot-malware-before-deploying-the-infamous-ryuk-ransomware

bull Ryuk ransomware linked to Emotet and TrickBot trojans suspicions shift to cybercriminal groupbull httpswwwscmagazinecomhomesecurity-newsryuk-ransomware-linked-to-emotet-and-trickbot-

trojans-suspicions-shift-to-cybercriminal-group

bull Ryuk ransomware earns hackers $37M in Bitcoin over 5 months - 52 known ransom transactions were recorded the highest worth 99 BTC

bull httpsthenextwebcomhardfork20190114ryuk-bitcoin-ransomware

bull Ryuk Ransomware Crew Makes $640000 in Recent Activity Surgebull httpswwwbleepingcomputercomnewssecurityryuk-ransomware-crew-makes-640-000-in-recent-

activity-surge

22

References

TLP WHITE ID 202001301000

bull Ryuk ransomware gang probably Russian not North Koreanbull httpswwwzdnetcomarticleryuk-ransomware-gang-probably-russian-not-north-korean

bull Cloud Hosting Provider Dataresolutionnet Hit by Ryuk Ransomwarebull httpswwwsecurityswcomblogcloud-hosting-provider-dataresolution-net-hit-by-ryuk-ransomware

bull CrowdStrike 2018 Global Threat Report Blurring the Lines Between Statecraft and Tradecraftbull httpsgocrowdstrikecomrs281-OBQ-266imagesReport2018GlobalThreatReportpdf

bull TrojanTrickBotbull httpsblogmalwarebytescomdetectionstrojan-trickbot

bull TrickBot Banking Trojan Takes Center Stage in 2018bull httpsblogbarklycomtrickbot-trojan-2018-campaigns

bull HHS HCCIC cybersecurity alert New Ryuk ransomware quickly racking up damagebull httpswwwhealthcareitnewscomnewshhs-hccic-cybersecurity-alert-new-ryuk-ransomware-quickly-

racking-damage

bull Notorious Ryuk Ransomware Adds Trojans to Cyberattack Methodbull httpshealthitsecuritycomnewsnotorious-ryuk-ransomware-adds-trojans-to-cyberattack-method

bull Emotet re-emerges after the holidaysbull httpsblogtalosintelligencecom201901return-of-emotethtml

bull The Unholy Alliance of Emotet TrickBot and the Ryuk Ransomwarebull httpsduocomdecipherthe-unholy-alliance-of-emotet-trickbot-and-the-ryuk-ransomware

23

References

TLP WHITE ID 202001301000

bull Cybercrime and Other Threats Faced by the Healthcare Industrybull httpswwwtrendmicrocomcontentdamtrendmicroglobalensecurity-

intelligenceresearchreportswp-cybercrime-amp-other-threats-faced-by-the-healthcare-industrypdf

bull Ryuk ransomware targets big businesses New ransomware group waits and gathers intel before attacking large enterprises

bull httpswwwtechradarcomnewsryuk-ransomware-targets-big-businesses

bull Computer virus hits newspapers coast-to-coastbull httpswwwnbcnewscomnewsus-newscomputer-virus-hits-southern-california-newspapers-

n953001

bull Ryuk Ransomware A Targeted Campaign Break-Down CheckPoint Researchbull httpsresearchcheckpointcomryuk-ransomware-targeted-campaign-break

bull Ryuk ransomware targets big businessesbull httpswwwtechradarcomnewsryuk-ransomware-targets-big-businesses

bull United States Department of Homeland Security Cybersecurity and Infrastructure Security Agency Alert (TA18-201A) Emotet Malware

bull httpswwwus-certgovncasalertsTA18-201A

bull Research Suggests Russian-Based Hackers Behind Ryuk Ransomwarersquos $25 Million Gainsbull httpsfinanceyahoocomnewsresearch-suggests-russian-based-hackers-131700487html

bull Long Island Ransomware Attack New York School Pays $100000bull httpswwwmsspalertcomcybersecurity-breaches-and-attacksransomwareryuk-hits-rockville-centre

24

References

TLP WHITE ID 202001301000

bull Ransomware hits computer networks of North Carolina water utility CyberScoopbull httpswwwcyberscoopcomransomware-hits-onwasa-computer-network-north-carolina-water-utility

bull Media Release Cyber-Criminals Target Critical Utility in Hurricane-Ravaged Area Onslow Water and Sewer Authority

bull httpswwwonwasacomDocumentCenterView3701Scan-from-2018-10-15-08_08_13-Abull Origin of virus that hobbled newspapers still unclear - The origins of a suspected computer attack that

disrupted the Los Angeles Times and Tribune Publishing newspapers remain unclearbull httpsabcnewsgocomUSwireStoryorigin-virus-hobbled-newspapers-unclear-60083516

bull Meet CrowdStrikersquos Adversary of the Month for February MUMMY SPIDERbull httpswwwcrowdstrikecomblogmeet-crowdstrikes-adversary-of-the-month-for-february-mummy-

spider February 8 2018 bull North Korea APT() and recent Ryuk Ransomware attacks

bull httpsblogkryptoslogiccommalware20190110dprk-emotethtmlbull US Coast Guard Warns Over Ryuk Ransomware Attacks

bull httpswwwbankinfosecuritycomus-coast-guard-warns-over-ryuk-ransomware-attacks-a-13563bull Georgia county pays a whopping $400000 to get rid of a ransomware infection

bull httpswwwzdnetcomarticlegeorgia-county-pays-a-whopping-400000-to-get-rid-of-a-ransomware-infection

bull Informations Concernant Les Rancongiciels Lockergoga Et Ryukbull httpswwwcertssigouvfruploadsCERTFR-2019-ACT-005pdf

bull Cybereason Researchers Discover a Triple Threat Attack Utilizing Emotet to Deploy TrickBot Which Steals Data and Spreads Ryuk Ransomware

bull httpswwwbenzingacompressreleases1904p13470755cybereason-researchers-discover-a-triple-threat-attack-utilizing-emote

25

References

TLP WHITE ID 202001301000

bull Ryuk Ransomware Adds IP and Computer Name Blacklistingbull httpswwwbleepingcomputercomnewssecurityryuk-ransomware-adds-ip-and-computer-name-

blacklistingbull US Coast Guard - Marine Safety Information Bulletin

bull httpswwwdcouscgmilPortals9DCO20Documents5pMSIB2019MSIB_10_19pdfbull Wizard Spider Upgrades Ryuk Ransomware to Reach Deep into LANs

bull httpsthreatpostcomwizard-spider-upgrades-ryuk-ransomware149853bull US Coast Guard Says Ryuk Ransomware Took Down Maritime Facility

bull httpswwwbleepingcomputercomnewssecurityus-coast-guard-says-ryuk-ransomware-took-down-maritime-facility

bull Mistaken For North Koreans The Ryuk Ransomware Hackers Are Making Millionsbull httpswwwforbescomsitesthomasbrewster20190220mistaken-for-north-koreans-the-ryuk-

ransomware-hackers-are-making-millions6d47034775f4bull Ryuk Ransomware Exploring the Technical and Human Connections

bull httpswwwcovewarecomblog2019219ryuk-ransomware-exploring-the-technical-and-human-connections

bull Stuarts city hall ransomware attack more than likely caused by phishing email scambull httpswwwtcpalmcomstorynewslocalmartin-county20190422city-halls-ransomware-attack-

may-linked-phishing-email-scam-ryuk3540067002bull 7 Florida municipalities have fallen prey to cyber attacks since last year

bull httpswwwnaplesnewscomstorynewscrime201908207-florida-municipalities-have-fallen-prey-cyber-attacks-ryuk-ransomware-phishing2065063001

bull Tampa Bay Times hit with Ryuk ransomware attackbull httpsblogmalwarebytescomransomware202001tampa-bay-times-hit-with-ryuk-ransomware-

attack

26

References

• Cyber attack: Virus Ryuk disrupts The Watertown Daily Times Sunday paper delivery
  https://www.ibtimes.sg/cyber-attack-virus-ryuk-disrupts-watertown-daily-times-sunday-paper-delivery-30503

• How a Manufacturing Firm Recovered from a Devastating Ransomware Attack
  https://www.darkreading.com/attacks-breaches/how-a-manufacturing-firm-recovered-from-a-devastating-ransomware-attack/d/d-id/1334760

• Florida LAN: Someone clicks link, again, giving Key Biscayne ransomware
  https://arstechnica.com/information-technology/2019/06/is-there-something-in-the-water-third-florida-city-hit-by-ransomware/

• New Warning on Ryuk Ransomware
  https://www.darkreading.com/document.asp?doc_id=1335101

• La Porte County Pays $130,000 Ransom To Ryuk Ransomware
  https://www.bleepingcomputer.com/news/security/la-porte-county-pays-130-000-ransom-to-ryuk-ransomware/

• China on Ryuk Virus alert: Deadly ransomware sneaks through the country's computer systems
  https://www.cryptopolitan.com/china-on-ryuk-virus-alert/

• Ryuk, Sodinokibi Ransomware Responsible for Higher Average Ransoms
  https://www.bleepingcomputer.com/news/security/ryuk-sodinokibi-ransomware-responsible-for-higher-average-ransoms/

• Ryuk Related Malware Steals Confidential Military, Financial Files
  https://www.bleepingcomputer.com/news/security/ryuk-related-malware-steals-confidential-military-financial-files/

• Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware
  https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/

27

References

• Rolling back Ryuk Ransomware
  https://news.sophos.com/en-us/2019/10/04/rolling-back-ryuk-ransomware/

• DCH Hospital Pays Ryuk Ransomware for Decryption Key
  https://www.bleepingcomputer.com/news/security/dch-hospital-pays-ryuk-ransomware-for-decryption-key/

• Louisiana was hit by Ryuk, triggering another cyber-emergency
  https://arstechnica.com/information-technology/2019/11/louisiana-was-hit-by-ryuk-triggering-another-cyber-emergency/

• Security firm Prosegur: We've shut our IT network after Ryuk ransomware attack
  https://www.zdnet.com/article/security-firm-prosegur-weve-shut-our-it-network-after-ryuk-ransomware-attack/

• Cash-moving giant Prosegur knocked offline by Ryuk ransomware
  https://www.csoonline.com/article/3504492/cash-moving-giant-prosegur-knocked-offline-by-ryuk-ransomware.html

• New ransomware rakes in $4 million by adopting a "big game hunting" strategy: Ryuk lies in wait for as long as a year, then pounces on only the biggest prey
  https://arstechnica.com/information-technology/2019/01/new-ransomware-rakes-in-4-million-by-adopting-a-big-game-hunting-strategy/

• A Nasty Trick: From Credential Theft Malware to Business Disruption
  https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html

28

References

• Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware
  https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/

• Hackers Demand Bitcoin Ransom in Cyberattack on Big Canadian Restaurants
  https://www.cbc.ca/news/business/ransomware-hack-recipe-unlimited-restaurant-cyberattack-1.4847487

• Ryuk Ransomware Is Making Victims Left and Right
  https://www.bleepingcomputer.com/news/security/ryuk-ransomware-is-making-victims-left-and-right/

• Ryuk: Cult Character to Ransomware Villain
  https://securityboulevard.com/2019/12/ryuk-cult-character-to-ransomware-villain/

• Hermes ransomware distributed to South Koreans via recent Flash zero-day
  https://blog.malwarebytes.com/threat-analysis/2018/03/hermes-ransomware-distributed-to-south-koreans-via-recent-flash-zero-day/

Questions

30

Questions

Upcoming Briefs
• Artificial Intelligence – Application to the Healthcare Industry
• Electronic Health Record systems
• PyXie RAT

Product Evaluations
Recipients of this and other Healthcare Sector Cybersecurity Coordination Center (HC3) Threat Intelligence products are highly encouraged to provide feedback to HC3@HHS.GOV.

Requests for Information
Need information on a specific cybersecurity topic? Send your request for information (RFI) to HC3@HHS.GOV, or call us Monday-Friday between 9am-5pm (EST) at (202) 691-2110.

31

About Us

HC3 works with private and public sector partners to improve cybersecurity throughout the Healthcare and Public Health (HPH) Sector.

Products

Sector & Victim Notifications
Directed communications to victims or potential victims of compromises, vulnerable equipment or PII/PHI theft, and general notifications to the HPH about currently impacting threats via the HHS OIG.

White Papers
Document that provides in-depth information on a cybersecurity topic to increase comprehensive situational awareness and provide risk recommendations to a wide audience.

Threat Briefings & Webinar
Briefing document and presentation that provides actionable information on health sector cybersecurity threats and mitigations. Analysts present current cybersecurity topics, engage in discussions with participants on current threats, and highlight best practices and mitigation tactics.

Need information on a specific cybersecurity topic or want to join our listserv? Send your request for information (RFI) to HC3@HHS.GOV, or call us Monday-Friday between 9am-5pm (EST) at (202) 691-2110.

Contact

Health Sector Cybersecurity Coordination Center (HC3)
(202) 691-2110, HC3@HHS.GOV


5

Shifting Attribution

• Original attribution: North Korea
  • Hermes-related code
    • Similar call flows
    • Marker code is identical
    • Lazarus Group and APT38 have a history of using Hermes
    • Targets: international banking / SWIFT
• Updated attribution: linked to Russian cybercriminal groups
  • CrowdStrike: medium-high confidence that Ryuk is used by Russian threat actors
  • FireEye: "most likely hypothesis" is that the Ryuk operators are Russian cybercriminals
  • Why?
    • Hermes has been seen for sale on the dark web
    • Files related to Ryuk were uploaded to a file-scanning website from a Russian IP
    • Does not work on systems with Russian, Ukrainian or Belarusian language enabled
• Used by various APTs and criminal-group threat actors
  • CrowdStrike: Grim Spider
  • FireEye: TEMP.MixMaster

Source: Forbes

6

Shifting Attribution

• A comparison of the call-flow diagrams of the encryption functions of Ryuk and Hermes
• Both instances of malware have similar code structure
• Both instances of malware have similar flow

Source: Checkpoint

7

Blacklisting Capabilities – Further Attribution

• June 2019: a new Ryuk variant was discovered which makes checks before encryption
• Ryuk will not encrypt systems on the subnets 10.30.4, 10.30.5, 10.30.6 or 10.31.32
• Ryuk will not encrypt systems whose computer name contains certain strings (SPB, Spb, spb, MSK, Msk and msk)
• These blacklisting capabilities were likely added to avoid encrypting systems in Russia

Images courtesy of Bleeping Computer
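As an added example (not part of the HC3 briefing or any vendor's code), the following Python models the two exclusion checks above as an incident-scoping aid: given a host inventory, it reports which hosts the June 2019 variant would have left unencrypted and why. It assumes the subnet check is /24 membership and the name check is a case-sensitive substring match, neither of which the slide states, and the inventory at the bottom is constructed.

```python
"""Model of the pre-encryption exclusion checks reported for the June 2019 Ryuk
variant, written as an incident-scoping aid: given a host inventory, report which
hosts that variant would have skipped and why.

Assumptions (the slide does not say how the checks are implemented):
  * the subnet check is membership in the four /24 networks named on the slide;
  * the computer-name check is a case-sensitive substring match, since the slide
    lists the three casings of each string explicitly.
The host inventory at the bottom is constructed sample data.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

# Subnets the slide says the variant will not encrypt.
SKIPPED_NETWORKS = [
    ipaddress.ip_network(cidr)
    for cidr in ("10.30.4.0/24", "10.30.5.0/24", "10.30.6.0/24", "10.31.32.0/24")
]

# Computer-name substrings the slide says the variant will not encrypt.
SKIPPED_NAME_STRINGS = ("SPB", "Spb", "spb", "MSK", "Msk", "msk")


@dataclass(frozen=True)
class Host:
    name: str
    ip: str


def skipped_by_ip(ip: str) -> bool:
    """True if the address lies in one of the excluded /24s.

    Network membership is used rather than a string-prefix test, so that
    10.30.40.1 (a different network) is not mistaken for 10.30.4.x.
    """
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparseable inventory entry: cannot be in an excluded range
    return any(addr in net for net in SKIPPED_NETWORKS)


def skipped_by_name(name: str) -> bool:
    """True if the computer name contains one of the excluded strings (case-sensitive)."""
    return any(s in name for s in SKIPPED_NAME_STRINGS)


def exclusion_reasons(host: Host) -> List[str]:
    """All reasons the variant would skip this host; an empty list means in scope."""
    reasons = []
    if skipped_by_ip(host.ip):
        reasons.append("address in excluded subnet")
    if skipped_by_name(host.name):
        reasons.append("computer name contains excluded string")
    return reasons


def scope_inventory(hosts: List[Host]) -> Dict[str, List[str]]:
    """Split an inventory into hosts the variant would encrypt and hosts it would skip.

    Returns {"in_scope": [names], "skipped": [names with reasons]} so an analyst
    can explain why a host survived an otherwise complete encryption run.
    """
    result: Dict[str, List[str]] = {"in_scope": [], "skipped": []}
    for host in hosts:
        reasons = exclusion_reasons(host)
        if reasons:
            result["skipped"].append(f"{host.name} ({'; '.join(reasons)})")
        else:
            result["in_scope"].append(host.name)
    return result


# Constructed sample inventory (not from any real incident).
SAMPLE_INVENTORY = [
    Host("FS-HQ-01", "10.20.1.15"),       # in scope
    Host("FS-SPB-02", "10.20.1.16"),      # skipped: name contains "SPB"
    Host("DC-01", "10.30.4.7"),           # skipped: 10.30.4.0/24
    Host("LAB-MskTest", "10.31.32.200"),  # skipped on both counts
    Host("WEB-01", "10.30.40.9"),         # in scope: 10.30.40.x is not 10.30.4.x
    Host("msk-print", "not-an-ip"),       # skipped by name despite a bad address
]

if __name__ == "__main__":
    for bucket, names in scope_inventory(SAMPLE_INVENTORY).items():
        print(bucket)
        for n in names:
            print("  ", n)
```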

8

Threat Actors

• FireEye: TEMP.MixMaster
  • "…financially-motivated activity that involves the interactive deployment of Ryuk ransomware following TrickBot malware infections"
  • Not concluded to be a single threat group
  • "…proven to be highly successful at soliciting large ransom payments from victim organizations"
• CrowdStrike: GRIM SPIDER
  • Cell of WIZARD SPIDER
  • Developer of TrickBot
  • Wizard Spider: cell of Mummy Spider (Emotet)

Source: Crowdstrike.com

9

Threat Actors

• Initial activity
  • August 2018 to Jan 2019: $4.7M USD in BTC acquired
  • Used in cyberattacks targeting various newspapers in December (slight delays in delivery but no significant operational impact)
    • San Diego Union-Tribune
    • Los Angeles Times and Tribune Publishing
      • Includes Chicago Tribune, New York Daily News, Baltimore Sun and Orlando Sentinel
  • Used to attack cloud hosting provider Data Resolution, Onslow Water and Sewer Authority in North Carolina, and an unnamed Canadian company that owns several restaurant chains
• Combining Ryuk with Emotet and TrickBot
  • "Along with Emotet, TrickBot has become one of the most versatile and dangerous pieces of modular malware hitting enterprise environments" – HelpNet Security
  • "Interactive deployment of ransomware" to conduct reconnaissance and ultimately "maximize their disruption of business operations" – FireEye

[Diagram: Emotet => TrickBot => Ryuk; system(s) encrypted, ransom demanded]

10

Emotet => TrickBot => Ryuk Delivery

Source: Kryptoslogic.com

11

Emotet => TrickBot => Ryuk Delivery

Another example of the workflow of Emotet, TrickBot and Ryuk when used together.

12

Ransom Demands

• Ryuk is known to be one of the most costly ransomware families
• According to Coveware, Ryuk payments are often 10 times more than those of its peers

13

Prominent Ryuk Activity and Alerts in the Last Year

• March 2019
  • IT systems for Jackson County, Georgia attacked. They paid $400,000 (most IT systems, except website and 911, knocked down)
• May 2019
  • Disrupted operations of C.E. Niehoff & Co., a manufacturing firm
• April 2019
  • Stuart, Florida attacked with Ryuk
  • Imperial County, California refused to pay $1.2M Ryuk ransom demand but suffered downtime
• June 2019
  • Key Biscayne, Florida attacked with Ryuk
  • Lake City, Florida paid ~$460K in Ryuk attack ransom
  • British GCHQ releases warning about global Ryuk campaign
  • Georgia's Administrative Office of the Courts attacked
• July 2019
  • La Porte County, Indiana attacked, paid $130,000 ransom
  • Chinese company Tencent releases report on Ryuk attacking targets in China
  • Coveware report notes dramatically increasing ransomware ransom demands, identifies Ryuk as one of the reasons
  • New Bedford, Massachusetts attacked. Refused to pay ransom and rebuilt
  • Several Louisiana school districts attacked with Ryuk

14

Prominent Ryuk Activity and Alerts in the Last Year

• August 2019
  • Rockville Centre school district (Long Island, New York) paid nearly $100,000 ransom for a Ryuk attack
• September 2019
  • Ryuk-related malware observed exfiltrating sensitive military and financial files
• October 2019
  • DCH Health System in Alabama was attacked, shut down and temporarily stopped admitting new non-emergency patients
• November 2019
  • Ransomware attack on Louisiana Office of Technology Services, likely Ryuk based on publicly-released
  • Multinational Spanish security company Prosegur temporarily shut down IT network after Ryuk attack
  • Ryuk attack on Cadena SER (Spain's largest radio station)
  • Ryuk attack on T-System, a provider of end-to-end IT solutions for emergency and urgent healthcare providers; allegedly the infection spread to public segments such as their demilitarized zone, extranet and even their helpdesk
• December 2019
  • Ryuk used to attack IT network of a federally regulated maritime facility
• January 2020
  • Ryuk used to attack several oil and gas facilities
  • Coveware again reports dramatically increasing ransomware demands, identifies Ryuk as one of the reasons

15

Prominent Ryuk Activity and Alerts in the Last Year

• January 2020
  • Ryuk used to attack several oil and gas facilities
  • Coveware again reports dramatically increasing ransomware demands, identifies Ryuk as one of the reasons

16

Ryuk Defense and Mitigations

• Provide social engineering and phishing training to employees [10.S.A] [1.M.D]
• Develop and maintain policy on suspicious e-mails for end users. Ensure suspicious e-mails are reported [10.S.A] [10.M.A]
• Ensure emails originating from outside the organization are automatically marked before received [1.S.A] [1.M.A]
• Apply applicable patches and updates immediately after testing. Develop and maintain patching program if necessary [7.S.A] [7.M.D]
• Implement Intrusion Detection System (IDS) [6.S.C] [6.M.C] [6.L.C]
• Implement spam filters at the email gateways [1.S.A] [1.M.A]
• Block suspicious IP addresses at the firewall [6.S.A] [6.M.A] [6.L.E]
• Implement whitelisting technology on appropriate assets to ensure that only authorized software is allowed to execute [2.S.A] [2.M.A] [2.L.E]
• Implement access control based on the principle of least privilege [3.S.A] [3.M.A] [3.L.C]
• Implement and maintain anti-malware solution [2.S.A] [2.M.A] [2.L.D]
• Conduct system hardening to ensure proper configurations [7.S.A] [7.M.D]
• Disable the use of Remote Desktop Protocol (RDP) or, if absolutely needed, restrict its use applying the principle of least privilege and monitor/log its usage [7.S.A] [7.M.D]

We suggest contacting local law enforcement in the case of a cyberattack. Also, the FBI's Internet Crime Complaint Center (IC3) can be reached here: https://www.ic3.gov/complaint/default.aspx

17

Prominent Ryuk Activity and Alerts in the Last Year

• Please note several things about the indicators of compromise (IOCs) on the following slides:
  • There is a significant quantity of indicators of compromise related to Ryuk available on the public Internet. We have attempted to include as many as possible in this presentation. However, there may be some available to the public not included here.
  • Upon being released to the public, IOCs may become "burned", which is to say that the attackers will adjust their TTPs, weapons and infrastructure so that the public IOCs are no longer used.
  • There are instances of obsolete IOCs being reused, so any organization attempting to defend itself should consider all possibilities.
  • New IOCs are constantly being released, especially with a tool as prominent and frequently used as TrickBot. It is therefore incumbent upon any organization attempting to defend itself to remain vigilant, maintain situational awareness and be ever on the lookout for new IOCs to operationalize in its cyber defense infrastructure.

18

Indicators of Compromise

Command and control (IP addresses)


19

Indicators of Compromise (Continued)

Hashes (MD5)

1354ac0d5be0c8d03f4e3aba78d2223e 29340643ca2e6677c19e1d3bf351d654 5ac0f050f93f86e69026faea1fbb4450 86c314bc2dc37ba84f7364acd5108c2b 958c594909933d4c82e93c22850194aa c0202cf6aeab8437c638533d14563d35 cb0c1248d3899358a375888bb4e8f3fe d348f536e214a47655af387408b4fca5

Reference Materials

21

References

• Ryuk Ransomware: Exploring the Technical and Human Connections
  https://www.coveware.com/blog/2019/2/19/ryuk-ransomware-exploring-the-technical-and-human-connections

• 2017 Cylance Threat Report
  https://pages.cylance.com/2018-03-CylanceThreatReport2017.html

• 2018 Global Threat Report: Blurring the Lines Between Statecraft and Tradecraft, Crowdstrike
  https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2018GlobalThreatReport.pdf

• TEMP.MixMaster group infects with Trickbot and delayed Ryuk ransomware combo
  https://www.scmagazine.com/home/security-news/financially-motivated-threat-actors-referred-to-as-temp-mixmaster-are-infecting-victims-with-trickbot-malware-before-deploying-the-infamous-ryuk-ransomware/

• Ryuk ransomware linked to Emotet and TrickBot trojans; suspicions shift to cybercriminal group
  https://www.scmagazine.com/home/security-news/ryuk-ransomware-linked-to-emotet-and-trickbot-trojans-suspicions-shift-to-cybercriminal-group/

• Ryuk ransomware earns hackers $3.7M in Bitcoin over 5 months: 52 known ransom transactions were recorded, the highest worth 99 BTC
  https://thenextweb.com/hardfork/2019/01/14/ryuk-bitcoin-ransomware/

• Ryuk Ransomware Crew Makes $640,000 in Recent Activity Surge
  https://www.bleepingcomputer.com/news/security/ryuk-ransomware-crew-makes-640-000-in-recent-activity-surge/

22

References

• Ryuk ransomware gang probably Russian, not North Korean
  https://www.zdnet.com/article/ryuk-ransomware-gang-probably-russian-not-north-korean/

• Cloud Hosting Provider Dataresolution.net Hit by Ryuk Ransomware
  https://www.securitysw.com/blog/cloud-hosting-provider-dataresolution-net-hit-by-ryuk-ransomware

• CrowdStrike 2018 Global Threat Report: Blurring the Lines Between Statecraft and Tradecraft
  https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2018GlobalThreatReport.pdf

• Trojan.TrickBot
  https://blog.malwarebytes.com/detections/trojan-trickbot/

• TrickBot Banking Trojan Takes Center Stage in 2018
  https://blog.barkly.com/trickbot-trojan-2018-campaigns

• HHS HCCIC cybersecurity alert: New Ryuk ransomware quickly racking up damage
  https://www.healthcareitnews.com/news/hhs-hccic-cybersecurity-alert-new-ryuk-ransomware-quickly-racking-damage

• Notorious Ryuk Ransomware Adds Trojans to Cyberattack Method
  https://healthitsecurity.com/news/notorious-ryuk-ransomware-adds-trojans-to-cyberattack-method

• Emotet re-emerges after the holidays
  https://blog.talosintelligence.com/2019/01/return-of-emotet.html

• The Unholy Alliance of Emotet, TrickBot and the Ryuk Ransomware
  https://duo.com/decipher/the-unholy-alliance-of-emotet-trickbot-and-the-ryuk-ransomware

23

References

• Cybercrime and Other Threats Faced by the Healthcare Industry
  https://www.trendmicro.com/content/dam/trendmicro/global/en/security-intelligence/research/reports/wp-cybercrime-&-other-threats-faced-by-the-healthcare-industry.pdf

• Ryuk ransomware targets big businesses: New ransomware group waits and gathers intel before attacking large enterprises
  https://www.techradar.com/news/ryuk-ransomware-targets-big-businesses

• Computer virus hits newspapers coast-to-coast
  https://www.nbcnews.com/news/us-news/computer-virus-hits-southern-california-newspapers-n953001

• Ryuk Ransomware: A Targeted Campaign Break-Down, CheckPoint Research
  https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/

• Ryuk ransomware targets big businesses
  https://www.techradar.com/news/ryuk-ransomware-targets-big-businesses

• United States Department of Homeland Security, Cybersecurity and Infrastructure Security Agency, Alert (TA18-201A): Emotet Malware
  https://www.us-cert.gov/ncas/alerts/TA18-201A

• Research Suggests Russian-Based Hackers Behind Ryuk Ransomware's $2.5 Million Gains
  https://finance.yahoo.com/news/research-suggests-russian-based-hackers-131700487.html

• Long Island Ransomware Attack: New York School Pays $100,000
  https://www.msspalert.com/cybersecurity-breaches-and-attacks/ransomware/ryuk-hits-rockville-centre/

24

References

• Ransomware hits computer networks of North Carolina water utility, CyberScoop
  https://www.cyberscoop.com/ransomware-hits-onwasa-computer-network-north-carolina-water-utility/

• Media Release: Cyber-Criminals Target Critical Utility in Hurricane-Ravaged Area, Onslow Water and Sewer Authority
  https://www.onwasa.com/DocumentCenter/View/3701/Scan-from-2018-10-15-08_08_13-A

• Origin of virus that hobbled newspapers still unclear: The origins of a suspected computer attack that disrupted the Los Angeles Times and Tribune Publishing newspapers remain unclear
  https://abcnews.go.com/US/wireStory/origin-virus-hobbled-newspapers-unclear-60083516

• Meet CrowdStrike's Adversary of the Month for February: MUMMY SPIDER, February 8, 2018
  https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-february-mummy-spider/

• North Korea APT(?) and recent Ryuk Ransomware attacks
  https://blog.kryptoslogic.com/malware/2019/01/10/dprk-emotet.html

• US Coast Guard Warns Over Ryuk Ransomware Attacks
  https://www.bankinfosecurity.com/us-coast-guard-warns-over-ryuk-ransomware-attacks-a-13563

• Georgia county pays a whopping $400,000 to get rid of a ransomware infection
  https://www.zdnet.com/article/georgia-county-pays-a-whopping-400000-to-get-rid-of-a-ransomware-infection/

• Informations Concernant Les Rançongiciels Lockergoga Et Ryuk (Information on the Lockergoga and Ryuk ransomware)
  https://www.cert.ssi.gouv.fr/uploads/CERTFR-2019-ACT-005.pdf

• Cybereason Researchers Discover a Triple Threat Attack Utilizing Emotet to Deploy TrickBot, Which Steals Data and Spreads Ryuk Ransomware
  https://www.benzinga.com/pressreleases/19/04/p13470755/cybereason-researchers-discover-a-triple-threat-attack-utilizing-emote

25

References

• Ryuk Ransomware Adds IP and Computer Name Blacklisting
  https://www.bleepingcomputer.com/news/security/ryuk-ransomware-adds-ip-and-computer-name-blacklisting/

• US Coast Guard - Marine Safety Information Bulletin
  https://www.dco.uscg.mil/Portals/9/DCO%20Documents/5p/MSIB/2019/MSIB_10_19.pdf

• Wizard Spider Upgrades Ryuk Ransomware to Reach Deep into LANs
  https://threatpost.com/wizard-spider-upgrades-ryuk-ransomware/149853/

• US Coast Guard Says Ryuk Ransomware Took Down Maritime Facility
  https://www.bleepingcomputer.com/news/security/us-coast-guard-says-ryuk-ransomware-took-down-maritime-facility/

• Mistaken For North Koreans, The Ryuk Ransomware Hackers Are Making Millions
  https://www.forbes.com/sites/thomasbrewster/2019/02/20/mistaken-for-north-koreans-the-ryuk-ransomware-hackers-are-making-millions/#6d47034775f4

• Ryuk Ransomware: Exploring the Technical and Human Connections
  https://www.coveware.com/blog/2019/2/19/ryuk-ransomware-exploring-the-technical-and-human-connections

bull Stuarts city hall ransomware attack more than likely caused by phishing email scambull httpswwwtcpalmcomstorynewslocalmartin-county20190422city-halls-ransomware-attack-

may-linked-phishing-email-scam-ryuk3540067002bull 7 Florida municipalities have fallen prey to cyber attacks since last year

bull httpswwwnaplesnewscomstorynewscrime201908207-florida-municipalities-have-fallen-prey-cyber-attacks-ryuk-ransomware-phishing2065063001

bull Tampa Bay Times hit with Ryuk ransomware attackbull httpsblogmalwarebytescomransomware202001tampa-bay-times-hit-with-ryuk-ransomware-

attack

26

References

TLP WHITE ID 202001301000

bull Cyber attack Virus Ryuk disrupts The Watertown Daily Times Sunday paper deliverybull httpswwwibtimessgcyber-attack-virus-ryuk-disrupts-watertown-daily-times-sunday-paper-delivery-

30503bull How a Manufacturing Firm Recovered from a Devastating Ransomware Attack

bull httpswwwdarkreadingcomattacks-breacheshow-a-manufacturing-firm-recovered-from-a-devastating-ransomware-attackdd-id1334760

bull Florida LAN Someone clicks link again giving Key Biscayne ransomwarebull httpsarstechnicacominformation-technology201906is-there-something-in-the-water-third-florida-

city-hit-by-ransomwarebull New Warning on Ryuk Ransomware

bull httpswwwdarkreadingcomdocumentaspdoc_id=1335101bull La Porte County Pays $130000 Ransom To Ryuk Ransomware

bull httpswwwbleepingcomputercomnewssecurityla-porte-county-pays-130-000-ransom-to-ryuk-ransomware

bull China on Ryuk Virus alert Deadly ransomware sneaks through the countryrsquos computer systemsbull httpswwwcryptopolitancomchina-on-ryuk-virus-alert

Ryuk Sodinokibi Ransomware Responsible for Higher Average Ransomshttpswwwbleepingcomputercomnewssecurityryuk-sodinokibi-ransomware-responsible-for-higher-average-ransoms

Ryuk Related Malware Steals Confidential Military Financial Fileshttpswwwbleepingcomputercomnewssecurityryuk-related-malware-steals-confidential-military-financial-files

Big Game Hunting with Ryuk Another Lucrative Targeted Ransomwarehttpswwwcrowdstrikecomblogbig-game-hunting-with-ryuk-another-lucrative-targeted-ransomware

27

References

TLP WHITE ID 202001301000

bull Rolling back Ryuk Ransomwarebull httpsnewssophoscomen-us20191004rolling-back-ryuk-ransomware

bull DCH Hospital Pays Ryuk Ransomware for Decryption Keybull httpswwwbleepingcomputercomnewssecuritydch-hospital-pays-ryuk-ransomware-for-decryption-

key

bull Louisiana was hit by Ryuk triggering another cyber-emergencybull httpsarstechnicacominformation-technology201911louisiana-was-hit-by-ryuk-triggering-another-

cyber-emergency

bull Security firm Prosegur Weve shut our IT network after Ryuk ransomware attackbull httpswwwzdnetcomarticlesecurity-firm-prosegur-weve-shut-our-it-network-after-ryuk-ransomware-

attack

bull Cash-moving giant Prosegur knocked offline by Ryuk ransomwarebull httpswwwcsoonlinecomarticle3504492cash-moving-giant-prosegur-knocked-offline-by-ryuk-

ransomwarehtml

bull New ransomware rakes in $4 million by adopting a ldquobig game huntingrdquo strategy Ryuk lies in wait for as long as a year then pounces on only the biggest prey

bull httpsarstechnicacominformation-technology201901new-ransomware-rakes-in-4-million-by-adopting-a-big-game-hunting-strategy

bull A Nasty Trick From Credential Theft Malware to Business Disruptionbull httpswwwfireeyecomblogthreat-research201901a-nasty-trick-from-credential-theft-malware-to-

business-disruptionhtml

28

References

TLP WHITE ID 202001301000

bull Big Game Hunting with Ryuk Another Lucrative Targeted Ransomwarebull httpswwwcrowdstrikecomblogbig-game-hunting-with-ryuk-another-lucrative-targeted-ransomware

bull Hackers Demand Bitcoin Ransom in Cyberattack on Big Canadian Restaurantsbull qhttpswwwcbccanewsbusinessransomware-hack-recipe-unlimited-restaurant-cyberattack-

14847487

bull Ryuk Ransomware Is Making Victims Left and Rightbull httpswwwbleepingcomputercomnewssecurityryuk-ransomware-is-making-victims-left-and-right

bull Ryuk Cult Character to Ransomware Villainbull httpssecurityboulevardcom201912ryuk-cult-character-to-ransomware-villain

bull Hermes ransomware distributed to South Koreans via recent Flash zero-daybull httpsblogmalwarebytescomthreat-analysis201803hermes-ransomware-distributed-to-south-

koreans-via-recent-flash-zero-day

Questions

30

Questions

Upcoming Briefsbull Artificial Intelligence ndash Application to the Healthcare Industry

bull Electronic Health Record systems

bull PyXie RAT

Product EvaluationsRecipients of this and other Healthcare Sector Cybersecurity Coordination Center (HC3) Threat Intelligence products are highly encouraged to provide feedback to HC3HHSGOV

Requests for InformationNeed information on a specific cybersecurity topic Send your request for information (RFI) to HC3HHSGOV or call us Monday-Friday between 9am-5pm (EST) at (202) 691-2110

TLP WHITE ID 202001301000

31

About Us

HC3 works with private and public sector partners to improve cybersecurity throughout the Healthcare and Public Health (HPH) Sector

Sector amp Victim Notifications White PapersDirected communications to victims or potential victims of compromises vulnerable equipment or PIIPHI theft and general notifications to the HPH about currently impacting threats via the HHS OIG

Document that provides in-depth information on a cybersecurity topic to increase comprehensive situational awareness and provide risk recommendations to a wide audience

Threat Briefings amp WebinarBriefing document and presentation that provides actionable information on health sector cybersecurity threats and mitigations Analysts present current cybersecurity topics engage in discussions with participants on current threats and highlight best practices and mitigation tactics

Need information on a specific cybersecurity topic or want to join our listserv Send your request for information (RFI) to HC3HHSGOV or call us Monday-Friday between 9am-5pm (EST) at (202) 691-2110

Products

TLP WHITE ID 202001301000

Contact

Health Sector Cybersecurity Coordination Center (HC3)

(202) 691-2110 HC3HHSGOV

  • Ryuk Update
  • Agenda
  • Overview
  • Functionality
  • Shifting Attribution
  • Shifting Attribution
  • Slide Number 7
  • Threat Actors
  • Threat Actors
  • Slide Number 10
  • Slide Number 11
  • Ransom Demands
  • Slide Number 13
  • Slide Number 14
  • Slide Number 15
  • Slide Number 16
  • Slide Number 17
  • Slide Number 18
  • Slide Number 19
  • Slide Number 20
  • References
  • References
  • References
  • References
  • References
  • References
  • References
  • References
  • Slide Number 29
  • Questions
  • About Us
  • Slide Number 32
Page 6: Ryuk Update - HHS.gov · 2020. 7. 7. · Internet. We have attempted to include as many as possible in this presentation. However, there may be some available to the public not included

6

Shifting Attribution

TLP WHITE ID 202001301000

bull A comparison of call flow diagram of the encryption functions of Ryuk and Hermes

bull Both instances of malware have similar code structure

bull Both instances of malware have similar flow

Source Checkpoint

7

Blacklisting Capabilities ndash Further Attribution

TLP WHITE ID 202001301000

bull June 2019 a new Ryuk variant was discovered which makes checks before encryption

bull Ryuk will not encrypt systems on the subnets 10304 10305 10306 or 103132

bull Ryuk will not encrypt systems that contain certain strings (SPB Spb spb MSK Msk and mskldquo)

bull These blacklisting capabilities were likely added to avoid encrypting systems in Russia

Images courtesy of Bleeping Computer

8

Threat Actors

TLP WHITE ID 202001301000

bull FireEye TEMPMixMaster

bull ldquohellipfinancially-motivated activity that involves the interactive deployment of Ryuk ransomware following TrickBot malware infectionsrdquo

bull Not concluded to be a single threat group

bull ldquohellipproven to be highly successful at soliciting large ransom payments from victim organizationsrdquo

bull CrowdStrike GRIM SPIDER

bull cell of WIZARD SPIDER bull Developer of TrickBotbull Wizard Spider cell of

Mummy Spider (Emotet)

Source Crowdstrikecom

9

Threat Actors

TLP WHITE ID 202001301000

bull Initial activitybull August 2018 to Jan 2019 $47M USD in BTC acquiredbull Used in cyberattacks targeting various newspapers in December (slight delays in delivery but no

significant operational impact) bull San Diego Union-Tribunebull Los Angeles Times and Tribune Publishing

bull Includes Chicago Tribune New York Daily News Baltimore Sun and Orlando Sentinelbull Used to attack cloud hosting provider Data Resolution Onslow Water and Sewer Authority in North

Carolina and an unnamed Canadian company that owns several restaurant chains

bull Combining Ryuk with Emotet and TrickBot

bull ldquoAlong with Emotet TrickBot has become one of the most versatile and dangerous pieces of modular malware hitting enterprise environmentsrdquo ndash HelpNet Security

bull ldquoInteractive deployment of ransomwarerdquo to conduct reconnaissance and ultimately ldquomaximize their disruption of business operationsrdquo - FireEye

SYSTEM(S) ENCRYPTED RANSOM DEMANDEDEmotet TrickBot Ryuk

10

Emotet TrickBot Ryuk Delivery

TLP WHITE ID 202001301000

Source Kryptoslogiccom

11TLP WHITE ID 202001301000

Emotet TrickBot Ryuk DeliveryAnother example of the workflow of Emotet TrickBot and Ryuk when used together

12TLP WHITE ID 202001301000

Ransom Demands

bull Ryuk is known to be one of the most costly ransomware familiesbull According to Coveware Ryuk payments are often 10 times more than its peers

13TLP WHITE ID 202001301000

Prominent Ryuk Activity and Alerts in the Last Year

• March 2019
  • IT systems for Jackson County, Georgia attacked. They paid $400,000 (most IT systems, except website and 911, knocked down)

• May 2019
  • Disrupted operations of CE Niehoff & Co., a manufacturing firm

• April 2019
  • Stuart, Florida attacked with Ryuk
  • Imperial County, California refused to pay $1.2M Ryuk ransom demand but suffered downtime

• June 2019
  • Key Biscayne, Florida attacked with Ryuk
  • Lake City, Florida paid ~$460K in Ryuk attack ransom
  • British GCHQ releases warning about global Ryuk campaign
  • Georgia's Administrative Office of the Courts attacked

• July 2019
  • La Porte County, Indiana attacked, paid $130,000 ransom
  • Chinese company Tencent releases report on Ryuk attacking targets in China
  • Coveware report notes dramatically increasing ransomware ransom demands, identifies Ryuk as one of the reasons
  • New Bedford, Massachusetts attacked. Refused to pay ransom and rebuilt
  • Several Louisiana school districts attacked with Ryuk

Prominent Ryuk Activity and Alerts in the Last Year

• August 2019
  • Rockville Centre school district (Long Island, New York) paid nearly $100,000 ransom for a Ryuk attack

• September 2019
  • Ryuk-related malware observed exfiltrating sensitive military and financial files

• October 2019
  • DCH Health System in Alabama was attacked, shut down and temporarily stopped admitting new non-emergency patients

• November 2019
  • Ransomware attack on Louisiana Office of Technology Services, likely Ryuk based on publicly-released
  • Multinational Spanish security company Prosegur temporarily shut down IT network after Ryuk attack
  • Ryuk attack on Cadena SER (Spain's largest radio station)
  • Ryuk attack on T-System, a provider of end-to-end IT solutions for emergency and urgent healthcare providers; allegedly the infection spread to public segments such as their demilitarized zone, extranet and even their helpdesk

• December 2019
  • Ryuk used to attack IT network of a federally regulated maritime facility

• January 2020
  • Ryuk used to attack several oil and gas facilities
  • Coveware again reports dramatically increasing ransomware demands, identifies Ryuk as one of the reasons


Ryuk Defense and Mitigations

• Provide social engineering and phishing training to employees [10.S.A] [1.M.D]

• Develop and maintain a policy on suspicious e-mails for end users. Ensure suspicious e-mails are reported [10.S.A] [10.M.A]

• Ensure emails originating from outside the organization are automatically marked before they are received [1.S.A] [1.M.A]

• Apply applicable patches and updates immediately after testing. Develop and maintain a patching program if necessary [7.S.A] [7.M.D]

• Implement an Intrusion Detection System (IDS) [6.S.C] [6.M.C] [6.L.C]

• Implement spam filters at the email gateways [1.S.A] [1.M.A]

• Block suspicious IP addresses at the firewall [6.S.A] [6.M.A] [6.L.E]

• Implement whitelisting technology on appropriate assets to ensure that only authorized software is allowed to execute [2.S.A] [2.M.A] [2.L.E]

• Implement access control based on the principle of least privilege [3.S.A] [3.M.A] [3.L.C]

• Implement and maintain an anti-malware solution [2.S.A] [2.M.A] [2.L.D]

• Conduct system hardening to ensure proper configurations [7.S.A] [7.M.D]

• Disable the use of Remote Desktop Protocol (RDP) or, if absolutely needed, restrict its use applying the principle of least privilege and monitor/log its usage [7.S.A] [7.M.D]

We suggest contacting local law enforcement in the case of a cyberattack. Also, the FBI's Internet Crime Complaint Center (IC3) can be reached here: https://www.ic3.gov/complaint/default.aspx

Prominent Ryuk Activity and Alerts in the Last Year

• Please note several things about the indicators of compromise (IOCs) on the following slides:

• There is a significant quantity of indicators of compromise related to Ryuk available on the public Internet. We have attempted to include as many as possible in this presentation. However, there may be some available to the public not included here.

• Upon being released to the public, IOCs may become "burned", which is to say that the attackers will adjust their TTPs, weapons and infrastructure so that the public IOCs are no longer used.

• There are instances of obsolete IOCs being reused, so any organization attempting to defend itself should consider all possibilities.

• New IOCs are constantly being released, especially with a tool as prominent and frequently used as TrickBot. It is therefore incumbent upon any organization attempting to defend itself to remain vigilant, maintain situational awareness and be ever on the lookout for new IOCs to operationalize in its cyber defense infrastructure.

Indicators of Compromise

Command and control


Indicators of Compromise (Continued)

Hashes

1354ac0d5be0c8d03f4e3aba78d2223e
29340643ca2e6677c19e1d3bf351d654
5ac0f050f93f86e69026faea1fbb4450
86c314bc2dc37ba84f7364acd5108c2b
958c594909933d4c82e93c22850194aa
c0202cf6aeab8437c638533d14563d35
cb0c1248d3899358a375888bb4e8f3fe
d348f536e214a47655af387408b4fca5
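As an added example (not code from the HC3 brief), the Python below sweeps a directory tree for files whose MD5 matches the eight hashes above. The directory layout and file contents are constructed so it runs offline, and the planted file's own hash is added to the IOC set only so the match path is exercised; the exact-match limitation is the "burned IOC" caveat from the previous slide.

```python
"""IOC hash sweep: walk a directory tree and flag files whose MD5 matches a
published indicator list.

Added example, not from the HC3 brief. RYUK_MD5_IOCS is copied verbatim from
the "Indicators of Compromise (Continued)" slide; the demo tree, file names
and contents are constructed here so the script runs offline.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# The eight MD5 values published on the slide.
RYUK_MD5_IOCS = frozenset({
    "1354ac0d5be0c8d03f4e3aba78d2223e",
    "29340643ca2e6677c19e1d3bf351d654",
    "5ac0f050f93f86e69026faea1fbb4450",
    "86c314bc2dc37ba84f7364acd5108c2b",
    "958c594909933d4c82e93c22850194aa",
    "c0202cf6aeab8437c638533d14563d35",
    "cb0c1248d3899358a375888bb4e8f3fe",
    "d348f536e214a47655af387408b4fca5",
})


def md5_of_file(path, chunk_size=1 << 20):
    """Hash a file in 1 MiB chunks so large files never have to fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sweep(root, iocs=RYUK_MD5_IOCS):
    """Return {path: md5} for every regular file under root whose MD5 is in iocs.

    Matching is an exact hash lookup, so a rebuilt or repacked binary will not
    match. That is the "burned IOC" caveat from the brief: an empty result is
    a triage starting point, not proof of a clean estate.
    """
    hits = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if not os.path.isfile(path):  # skip sockets, broken symlinks, etc.
                continue
            try:
                digest = md5_of_file(path)
            except OSError:
                continue  # unreadable file: log it in real use, do not abort the sweep
            if digest in iocs:
                hits[path] = digest
    return hits


def build_demo_tree():
    """Create a constructed tree with one benign file and one 'planted' file.

    Returns (root, planted_path, planted_md5). The planted file is harmless
    text; its hash is added to the IOC set only to exercise the match path,
    since no file matching a real Ryuk hash exists here.
    """
    root = tempfile.mkdtemp(prefix="ioc_sweep_")
    benign = Path(root, "docs", "notes.txt")
    benign.parent.mkdir()
    benign.write_bytes(b"quarterly report draft\n")
    planted = Path(root, "temp", "update.exe")
    planted.parent.mkdir()
    planted.write_bytes(b"CONSTRUCTED SAMPLE - plain text, not malware\n" * 64)
    return root, str(planted), hashlib.md5(planted.read_bytes()).hexdigest()


def run_demo():
    """Sweep the constructed tree with the published IOCs plus the planted hash.

    Returns (hits, planted_path, root) so a caller can check the result.
    """
    root, planted, planted_md5 = build_demo_tree()
    hits = sweep(root, RYUK_MD5_IOCS | {planted_md5})
    return hits, planted, root


if __name__ == "__main__":
    found, expected, _root = run_demo()
    for path, digest in sorted(found.items()):
        print(f"HIT {digest} {path}")
    print(f"{len(found)} hit(s); planted file flagged: {expected in found}")
```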

Reference Materials

References

• Ryuk Ransomware: Exploring the Technical and Human Connections
  https://www.coveware.com/blog/2019/2/19/ryuk-ransomware-exploring-the-technical-and-human-connections

• 2017 Cylance Threat Report
  https://pages.cylance.com/2018-03CylanceThreatReport2017.html

• 2018 Global Threat Report: Blurring the Lines Between Statecraft and Tradecraft, Crowdstrike
  https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2018GlobalThreatReport.pdf

• TEMP.MixMaster group infects with Trickbot and delayed Ryuk ransomware combo
  https://www.scmagazine.com/home/security-news/financially-motivated-threat-actors/referred-to-as-temp-mixmaster-are-infecting-victims-with-trickbot-malware-before-deploying-the-infamous-ryuk-ransomware

• Ryuk ransomware linked to Emotet and TrickBot trojans; suspicions shift to cybercriminal group
  https://www.scmagazine.com/home/security-news/ryuk-ransomware-linked-to-emotet-and-trickbot-trojans-suspicions-shift-to-cybercriminal-group

• Ryuk ransomware earns hackers $3.7M in Bitcoin over 5 months - 52 known ransom transactions were recorded, the highest worth 99 BTC
  https://thenextweb.com/hardfork/2019/01/14/ryuk-bitcoin-ransomware

• Ryuk Ransomware Crew Makes $640,000 in Recent Activity Surge
  https://www.bleepingcomputer.com/news/security/ryuk-ransomware-crew-makes-640-000-in-recent-activity-surge

• Ryuk ransomware gang probably Russian, not North Korean
  https://www.zdnet.com/article/ryuk-ransomware-gang-probably-russian-not-north-korean

• Cloud Hosting Provider Dataresolution.net Hit by Ryuk Ransomware
  https://www.securitysw.com/blog/cloud-hosting-provider-dataresolution-net-hit-by-ryuk-ransomware

• CrowdStrike 2018 Global Threat Report: Blurring the Lines Between Statecraft and Tradecraft
  https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2018GlobalThreatReport.pdf

• Trojan.TrickBot
  https://blog.malwarebytes.com/detections/trojan-trickbot

• TrickBot Banking Trojan Takes Center Stage in 2018
  https://blog.barkly.com/trickbot-trojan-2018-campaigns

• HHS HCCIC cybersecurity alert: New Ryuk ransomware quickly racking up damage
  https://www.healthcareitnews.com/news/hhs-hccic-cybersecurity-alert-new-ryuk-ransomware-quickly-racking-damage

• Notorious Ryuk Ransomware Adds Trojans to Cyberattack Method
  https://healthitsecurity.com/news/notorious-ryuk-ransomware-adds-trojans-to-cyberattack-method

• Emotet re-emerges after the holidays
  https://blog.talosintelligence.com/2019/01/return-of-emotet.html

• The Unholy Alliance of Emotet, TrickBot and the Ryuk Ransomware
  https://duo.com/decipher/the-unholy-alliance-of-emotet-trickbot-and-the-ryuk-ransomware

• Cybercrime and Other Threats Faced by the Healthcare Industry
  https://www.trendmicro.com/content/dam/trendmicro/global/en/security-intelligence/research/reports/wp-cybercrime-&-other-threats-faced-by-the-healthcare-industry.pdf

• Ryuk ransomware targets big businesses: New ransomware group waits and gathers intel before attacking large enterprises
  https://www.techradar.com/news/ryuk-ransomware-targets-big-businesses

• Computer virus hits newspapers coast-to-coast
  https://www.nbcnews.com/news/us-news/computer-virus-hits-southern-california-newspapers-n953001

• Ryuk Ransomware: A Targeted Campaign Break-Down, CheckPoint Research
  https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break

• Ryuk ransomware targets big businesses
  https://www.techradar.com/news/ryuk-ransomware-targets-big-businesses

• United States Department of Homeland Security, Cybersecurity and Infrastructure Security Agency, Alert (TA18-201A): Emotet Malware
  https://www.us-cert.gov/ncas/alerts/TA18-201A

• Research Suggests Russian-Based Hackers Behind Ryuk Ransomware's $2.5 Million Gains
  https://finance.yahoo.com/news/research-suggests-russian-based-hackers-131700487.html

• Long Island Ransomware Attack: New York School Pays $100,000
  https://www.msspalert.com/cybersecurity-breaches-and-attacks/ransomware/ryuk-hits-rockville-centre

• Ransomware hits computer networks of North Carolina water utility, CyberScoop
  https://www.cyberscoop.com/ransomware-hits-onwasa-computer-network-north-carolina-water-utility

• Media Release: Cyber-Criminals Target Critical Utility in Hurricane-Ravaged Area, Onslow Water and Sewer Authority
  https://www.onwasa.com/DocumentCenter/View/3701/Scan-from-2018-10-15-08_08_13-A

• Origin of virus that hobbled newspapers still unclear - The origins of a suspected computer attack that disrupted the Los Angeles Times and Tribune Publishing newspapers remain unclear
  https://abcnews.go.com/US/wireStory/origin-virus-hobbled-newspapers-unclear-60083516

• Meet CrowdStrike's Adversary of the Month for February: MUMMY SPIDER, February 8, 2018
  https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-february-mummy-spider

• North Korea APT(?) and recent Ryuk Ransomware attacks
  https://blog.kryptoslogic.com/malware/2019/01/10/dprk-emotet.html

• US Coast Guard Warns Over Ryuk Ransomware Attacks
  https://www.bankinfosecurity.com/us-coast-guard-warns-over-ryuk-ransomware-attacks-a-13563

• Georgia county pays a whopping $400,000 to get rid of a ransomware infection
  https://www.zdnet.com/article/georgia-county-pays-a-whopping-400000-to-get-rid-of-a-ransomware-infection

• Informations Concernant Les Rançongiciels Lockergoga Et Ryuk (Information on the LockerGoga and Ryuk ransomware), CERT-FR
  https://www.cert.ssi.gouv.fr/uploads/CERTFR-2019-ACT-005.pdf

• Cybereason Researchers Discover a Triple Threat Attack Utilizing Emotet to Deploy TrickBot, Which Steals Data and Spreads Ryuk Ransomware
  https://www.benzinga.com/pressreleases/19/04/p13470755/cybereason-researchers-discover-a-triple-threat-attack-utilizing-emote

• Ryuk Ransomware Adds IP and Computer Name Blacklisting
  https://www.bleepingcomputer.com/news/security/ryuk-ransomware-adds-ip-and-computer-name-blacklisting

• US Coast Guard - Marine Safety Information Bulletin
  https://www.dco.uscg.mil/Portals/9/DCO%20Documents/5p/MSIB/2019/MSIB_10_19.pdf

• Wizard Spider Upgrades Ryuk Ransomware to Reach Deep into LANs
  https://threatpost.com/wizard-spider-upgrades-ryuk-ransomware/149853

• US Coast Guard Says Ryuk Ransomware Took Down Maritime Facility
  https://www.bleepingcomputer.com/news/security/us-coast-guard-says-ryuk-ransomware-took-down-maritime-facility

• Mistaken For North Koreans, The Ryuk Ransomware Hackers Are Making Millions
  https://www.forbes.com/sites/thomasbrewster/2019/02/20/mistaken-for-north-koreans-the-ryuk-ransomware-hackers-are-making-millions/#6d47034775f4

• Ryuk Ransomware: Exploring the Technical and Human Connections
  https://www.coveware.com/blog/2019/2/19/ryuk-ransomware-exploring-the-technical-and-human-connections

• Stuart's city hall ransomware attack more than likely caused by phishing email scam
  https://www.tcpalm.com/story/news/local/martin-county/2019/04/22/city-halls-ransomware-attack-may-linked-phishing-email-scam-ryuk/3540067002

• 7 Florida municipalities have fallen prey to cyber attacks since last year
  https://www.naplesnews.com/story/news/crime/2019/08/20/7-florida-municipalities-have-fallen-prey-cyber-attacks-ryuk-ransomware-phishing/2065063001

• Tampa Bay Times hit with Ryuk ransomware attack
  https://blog.malwarebytes.com/ransomware/2020/01/tampa-bay-times-hit-with-ryuk-ransomware-attack

• Cyber attack: Virus Ryuk disrupts The Watertown Daily Times Sunday paper delivery
  https://www.ibtimes.sg/cyber-attack-virus-ryuk-disrupts-watertown-daily-times-sunday-paper-delivery-30503

• How a Manufacturing Firm Recovered from a Devastating Ransomware Attack
  https://www.darkreading.com/attacks-breaches/how-a-manufacturing-firm-recovered-from-a-devastating-ransomware-attack/d/d-id/1334760

• Florida LAN: Someone clicks link again, giving Key Biscayne ransomware
  https://arstechnica.com/information-technology/2019/06/is-there-something-in-the-water-third-florida-city-hit-by-ransomware

• New Warning on Ryuk Ransomware
  https://www.darkreading.com/document.asp?doc_id=1335101

• La Porte County Pays $130,000 Ransom To Ryuk Ransomware
  https://www.bleepingcomputer.com/news/security/la-porte-county-pays-130-000-ransom-to-ryuk-ransomware

• China on Ryuk Virus alert: Deadly ransomware sneaks through the country's computer systems
  https://www.cryptopolitan.com/china-on-ryuk-virus-alert

• Ryuk, Sodinokibi Ransomware Responsible for Higher Average Ransoms
  https://www.bleepingcomputer.com/news/security/ryuk-sodinokibi-ransomware-responsible-for-higher-average-ransoms

• Ryuk Related Malware Steals Confidential Military, Financial Files
  https://www.bleepingcomputer.com/news/security/ryuk-related-malware-steals-confidential-military-financial-files

• Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware
  https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware

• Rolling back Ryuk Ransomware
  https://news.sophos.com/en-us/2019/10/04/rolling-back-ryuk-ransomware

• DCH Hospital Pays Ryuk Ransomware for Decryption Key
  https://www.bleepingcomputer.com/news/security/dch-hospital-pays-ryuk-ransomware-for-decryption-key

• Louisiana was hit by Ryuk, triggering another cyber-emergency
  https://arstechnica.com/information-technology/2019/11/louisiana-was-hit-by-ryuk-triggering-another-cyber-emergency

• Security firm Prosegur: We've shut our IT network after Ryuk ransomware attack
  https://www.zdnet.com/article/security-firm-prosegur-weve-shut-our-it-network-after-ryuk-ransomware-attack

• Cash-moving giant Prosegur knocked offline by Ryuk ransomware
  https://www.csoonline.com/article/3504492/cash-moving-giant-prosegur-knocked-offline-by-ryuk-ransomware.html

• New ransomware rakes in $4 million by adopting a "big game hunting" strategy: Ryuk lies in wait for as long as a year, then pounces on only the biggest prey
  https://arstechnica.com/information-technology/2019/01/new-ransomware-rakes-in-4-million-by-adopting-a-big-game-hunting-strategy

• A Nasty Trick: From Credential Theft Malware to Business Disruption
  https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html

• Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware
  https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware

• Hackers Demand Bitcoin Ransom in Cyberattack on Big Canadian Restaurants
  https://www.cbc.ca/news/business/ransomware-hack-recipe-unlimited-restaurant-cyberattack-1.4847487

• Ryuk Ransomware Is Making Victims Left and Right
  https://www.bleepingcomputer.com/news/security/ryuk-ransomware-is-making-victims-left-and-right

• Ryuk: Cult Character to Ransomware Villain
  https://securityboulevard.com/2019/12/ryuk-cult-character-to-ransomware-villain

• Hermes ransomware distributed to South Koreans via recent Flash zero-day
  https://blog.malwarebytes.com/threat-analysis/2018/03/hermes-ransomware-distributed-to-south-koreans-via-recent-flash-zero-day

Questions

Upcoming Briefs
• Artificial Intelligence – Application to the Healthcare Industry
• Electronic Health Record systems
• PyXie RAT

Product Evaluations
Recipients of this and other Healthcare Sector Cybersecurity Coordination Center (HC3) Threat Intelligence products are highly encouraged to provide feedback to HC3@HHS.GOV.

Requests for Information
Need information on a specific cybersecurity topic? Send your request for information (RFI) to HC3@HHS.GOV or call us Monday-Friday between 9am-5pm (EST) at (202) 691-2110.

About Us

HC3 works with private and public sector partners to improve cybersecurity throughout the Healthcare and Public Health (HPH) Sector.

Products

Sector & Victim Notifications
Directed communications to victims or potential victims of compromises, vulnerable equipment or PII/PHI theft, and general notifications to the HPH about currently impacting threats via the HHS OIG.

White Papers
Document that provides in-depth information on a cybersecurity topic to increase comprehensive situational awareness and provide risk recommendations to a wide audience.

Threat Briefings & Webinar
Briefing document and presentation that provides actionable information on health sector cybersecurity threats and mitigations. Analysts present current cybersecurity topics, engage in discussions with participants on current threats, and highlight best practices and mitigation tactics.

Need information on a specific cybersecurity topic or want to join our listserv? Send your request for information (RFI) to HC3@HHS.GOV or call us Monday-Friday between 9am-5pm (EST) at (202) 691-2110.

Contact

Health Sector Cybersecurity Coordination Center (HC3)
(202) 691-2110
HC3@HHS.GOV


may-linked-phishing-email-scam-ryuk3540067002bull 7 Florida municipalities have fallen prey to cyber attacks since last year

bull httpswwwnaplesnewscomstorynewscrime201908207-florida-municipalities-have-fallen-prey-cyber-attacks-ryuk-ransomware-phishing2065063001

bull Tampa Bay Times hit with Ryuk ransomware attackbull httpsblogmalwarebytescomransomware202001tampa-bay-times-hit-with-ryuk-ransomware-

attack

26

References

TLP WHITE ID 202001301000

bull Cyber attack Virus Ryuk disrupts The Watertown Daily Times Sunday paper deliverybull httpswwwibtimessgcyber-attack-virus-ryuk-disrupts-watertown-daily-times-sunday-paper-delivery-

30503bull How a Manufacturing Firm Recovered from a Devastating Ransomware Attack

bull httpswwwdarkreadingcomattacks-breacheshow-a-manufacturing-firm-recovered-from-a-devastating-ransomware-attackdd-id1334760

bull Florida LAN Someone clicks link again giving Key Biscayne ransomwarebull httpsarstechnicacominformation-technology201906is-there-something-in-the-water-third-florida-

city-hit-by-ransomwarebull New Warning on Ryuk Ransomware

bull httpswwwdarkreadingcomdocumentaspdoc_id=1335101bull La Porte County Pays $130000 Ransom To Ryuk Ransomware

bull httpswwwbleepingcomputercomnewssecurityla-porte-county-pays-130-000-ransom-to-ryuk-ransomware

bull China on Ryuk Virus alert Deadly ransomware sneaks through the countryrsquos computer systemsbull httpswwwcryptopolitancomchina-on-ryuk-virus-alert

Ryuk Sodinokibi Ransomware Responsible for Higher Average Ransomshttpswwwbleepingcomputercomnewssecurityryuk-sodinokibi-ransomware-responsible-for-higher-average-ransoms

Ryuk Related Malware Steals Confidential Military Financial Fileshttpswwwbleepingcomputercomnewssecurityryuk-related-malware-steals-confidential-military-financial-files

Big Game Hunting with Ryuk Another Lucrative Targeted Ransomwarehttpswwwcrowdstrikecomblogbig-game-hunting-with-ryuk-another-lucrative-targeted-ransomware

27

References

TLP WHITE ID 202001301000

bull Rolling back Ryuk Ransomwarebull httpsnewssophoscomen-us20191004rolling-back-ryuk-ransomware

bull DCH Hospital Pays Ryuk Ransomware for Decryption Keybull httpswwwbleepingcomputercomnewssecuritydch-hospital-pays-ryuk-ransomware-for-decryption-

key

bull Louisiana was hit by Ryuk triggering another cyber-emergencybull httpsarstechnicacominformation-technology201911louisiana-was-hit-by-ryuk-triggering-another-

cyber-emergency

bull Security firm Prosegur Weve shut our IT network after Ryuk ransomware attackbull httpswwwzdnetcomarticlesecurity-firm-prosegur-weve-shut-our-it-network-after-ryuk-ransomware-

attack

bull Cash-moving giant Prosegur knocked offline by Ryuk ransomwarebull httpswwwcsoonlinecomarticle3504492cash-moving-giant-prosegur-knocked-offline-by-ryuk-

ransomwarehtml

bull New ransomware rakes in $4 million by adopting a ldquobig game huntingrdquo strategy Ryuk lies in wait for as long as a year then pounces on only the biggest prey

bull httpsarstechnicacominformation-technology201901new-ransomware-rakes-in-4-million-by-adopting-a-big-game-hunting-strategy

bull A Nasty Trick From Credential Theft Malware to Business Disruptionbull httpswwwfireeyecomblogthreat-research201901a-nasty-trick-from-credential-theft-malware-to-

business-disruptionhtml

28

References

TLP WHITE ID 202001301000

bull Big Game Hunting with Ryuk Another Lucrative Targeted Ransomwarebull httpswwwcrowdstrikecomblogbig-game-hunting-with-ryuk-another-lucrative-targeted-ransomware

bull Hackers Demand Bitcoin Ransom in Cyberattack on Big Canadian Restaurantsbull qhttpswwwcbccanewsbusinessransomware-hack-recipe-unlimited-restaurant-cyberattack-

14847487

bull Ryuk Ransomware Is Making Victims Left and Rightbull httpswwwbleepingcomputercomnewssecurityryuk-ransomware-is-making-victims-left-and-right

bull Ryuk Cult Character to Ransomware Villainbull httpssecurityboulevardcom201912ryuk-cult-character-to-ransomware-villain

bull Hermes ransomware distributed to South Koreans via recent Flash zero-daybull httpsblogmalwarebytescomthreat-analysis201803hermes-ransomware-distributed-to-south-

koreans-via-recent-flash-zero-day



Threat Actors

TLP: WHITE, ID# 202001301000

• FireEye: TEMP.MixMaster
    • "…financially-motivated activity that involves the interactive deployment of Ryuk ransomware following TrickBot malware infections"
    • Not concluded to be a single threat group
    • "…proven to be highly successful at soliciting large ransom payments from victim organizations"
• CrowdStrike: GRIM SPIDER
    • Cell of WIZARD SPIDER
    • Developer of TrickBot
    • Wizard Spider: cell of Mummy Spider (Emotet)

Source: Crowdstrike.com

Threat Actors

• Initial activity
    • August 2018 to Jan 2019: $4.7M USD in BTC acquired
    • Used in cyberattacks targeting various newspapers in December (slight delays in delivery but no significant operational impact)
        • San Diego Union-Tribune
        • Los Angeles Times and Tribune Publishing
            • Includes Chicago Tribune, New York Daily News, Baltimore Sun and Orlando Sentinel
    • Used to attack cloud hosting provider Data Resolution, Onslow Water and Sewer Authority in North Carolina, and an unnamed Canadian company that owns several restaurant chains
• Combining Ryuk with Emotet and TrickBot
    • "Along with Emotet, TrickBot has become one of the most versatile and dangerous pieces of modular malware hitting enterprise environments" – HelpNet Security
    • "Interactive deployment of ransomware" to conduct reconnaissance and ultimately "maximize their disruption of business operations" – FireEye

(Figure: Emotet → TrickBot → Ryuk; system(s) encrypted, ransom demanded)

Emotet → TrickBot → Ryuk Delivery

(Figure: Emotet → TrickBot → Ryuk delivery workflow. Source: Kryptoslogic.com)

Emotet → TrickBot → Ryuk Delivery

(Figure) Another example of the workflow of Emotet, TrickBot and Ryuk when used together.

Ransom Demands

• Ryuk is known to be one of the most costly ransomware families
• According to Coveware, Ryuk payments are often 10 times more than its peers

Prominent Ryuk Activity and Alerts in the Last Year

• March 2019
    • IT systems for Jackson County, Georgia attacked. They paid $400,000 (most IT systems, except website and 911, knocked down)
• May 2019
    • Disrupted operations of CE Niehoff & Co, a manufacturing firm
• April 2019
    • Stuart, Florida attacked with Ryuk
    • Imperial County, California refused to pay $1.2M Ryuk ransom demand but suffered downtime
• June 2019
    • Key Biscayne, Florida attacked with Ryuk
    • Lake City, Florida paid ~$460K in Ryuk attack ransom
    • British GCHQ releases warning about global Ryuk campaign
    • Georgia's Administrative Office of the Courts attacked
• July 2019
    • La Porte County, Indiana attacked, paid $130,000 ransom
    • Chinese company Tencent releases report on Ryuk attacking targets in China
    • Coveware report notes dramatically increasing ransomware ransom demands, identifies Ryuk as one of the reasons
    • New Bedford, Massachusetts attacked. Refused to pay ransom and rebuilt
    • Several Louisiana school districts attacked with Ryuk

Prominent Ryuk Activity and Alerts in the Last Year

• August 2019
    • Rockville Centre school district (Long Island, New York) paid nearly $100,000 ransom for a Ryuk attack
• September 2019
    • Ryuk-related malware observed exfiltrating sensitive military and financial files
• October 2019
    • DCH Health System in Alabama was attacked, shut down, and temporarily stopped admitting new non-emergency patients
• November 2019
    • Ransomware attack on Louisiana Office of Technology Services, likely Ryuk based on publicly-released
    • Multinational Spanish security company Prosegur temporarily shut down IT network after Ryuk attack
    • Ryuk attack on Cadena SER (Spain's largest radio station)
    • Ryuk attack on T-System, a provider of end-to-end IT solutions for emergency and urgent healthcare providers; allegedly the infection spread to public segments such as their demilitarized zone, extranet and even their helpdesk
• December 2019
    • Ryuk used to attack IT network of a federally regulated maritime facility
• January 2020
    • Ryuk used to attack several oil and gas facilities
    • Coveware again reports dramatically increasing ransomware demands, identifies Ryuk as one of the reasons


Ryuk Defense and Mitigations

• Provide social engineering and phishing training to employees [10.S.A] [1.M.D]
• Develop and maintain policy on suspicious e-mails for end users. Ensure suspicious e-mails are reported [10.S.A] [10.M.A]
• Ensure emails originating from outside the organization are automatically marked before received [1.S.A] [1.M.A]
• Apply applicable patches and updates immediately after testing. Develop and maintain patching program if necessary [7.S.A] [7.M.D]
• Implement Intrusion Detection System (IDS) [6.S.C] [6.M.C] [6.L.C]
• Implement spam filters at the email gateways [1.S.A] [1.M.A]
• Block suspicious IP addresses at the firewall [6.S.A] [6.M.A] [6.L.E]
• Implement whitelisting technology on appropriate assets to ensure that only authorized software is allowed to execute [2.S.A] [2.M.A] [2.L.E]
• Implement access control based on the principle of least privilege [3.S.A] [3.M.A] [3.L.C]
• Implement and maintain anti-malware solution [2.S.A] [2.M.A] [2.L.D]
• Conduct system hardening to ensure proper configurations [7.S.A] [7.M.D]
• Disable the use of Remote Desktop Protocol (RDP) or, if absolutely needed, restrict its use applying the principle of least privilege and monitor/log its usage [7.S.A] [7.M.D]

We suggest contacting local law enforcement in the case of a cyberattack. Also, the FBI's Internet Crime Complaint Center (IC3) can be reached here: https://www.ic3.gov/complaint/default.aspx

Prominent Ryuk Activity and Alerts in the Last Year

• Please note several things about the indicators of compromise (IOCs) on the following slides:
    • There is a significant quantity of indicators of compromise related to Ryuk available on the public Internet. We have attempted to include as many as possible in this presentation. However, there may be some available to the public not included here.
    • Upon being released to the public, IOCs may become "burned", which is to say that the attackers will adjust their TTPs, weapons and infrastructure so that the public IOCs are no longer used.
    • There are instances of obsolete IOCs being reused, so any organization attempting to defend themselves should consider all possibilities.
    • New IOCs are constantly being released, especially with a tool as prominent and frequently used as TrickBot. It is therefore incumbent upon any organization attempting to defend themselves to remain vigilant, maintain situational awareness, and be ever on the lookout for new IOCs to operationalize in their cyber defense infrastructure.

Indicators of Compromise

Command and control


Indicators of Compromise (Continued)

Hashes


Reference Materials

References

• Ryuk Ransomware: Exploring the Technical and Human Connections. https://www.coveware.com/blog/2019/2/19/ryuk-ransomware-exploring-the-technical-and-human-connections
• 2017 Cylance Threat Report. https://pages.cylance.com/2018-03CylanceThreatReport2017.html
• 2018 Global Threat Report: Blurring the Lines Between Statecraft and Tradecraft, Crowdstrike. https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2018GlobalThreatReport.pdf
• TEMP.MixMaster group infects with Trickbot and delayed Ryuk ransomware combo. https://www.scmagazine.com/home/security-news/financially-motivated-threat-actors/referred-to-as-temp-mixmaster-are-infecting-victims-with-trickbot-malware-before-deploying-the-infamous-ryuk-ransomware
• Ryuk ransomware linked to Emotet and TrickBot trojans; suspicions shift to cybercriminal group. https://www.scmagazine.com/home/security-news/ryuk-ransomware-linked-to-emotet-and-trickbot-trojans-suspicions-shift-to-cybercriminal-group
• Ryuk ransomware earns hackers $3.7M in Bitcoin over 5 months - 52 known ransom transactions were recorded, the highest worth 99 BTC. https://thenextweb.com/hardfork/2019/01/14/ryuk-bitcoin-ransomware/
• Ryuk Ransomware Crew Makes $640,000 in Recent Activity Surge. https://www.bleepingcomputer.com/news/security/ryuk-ransomware-crew-makes-640-000-in-recent-activity-surge/
• Ryuk ransomware gang probably Russian, not North Korean. https://www.zdnet.com/article/ryuk-ransomware-gang-probably-russian-not-north-korean/
• Cloud Hosting Provider Dataresolution.net Hit by Ryuk Ransomware. https://www.securitysw.com/blog/cloud-hosting-provider-dataresolution-net-hit-by-ryuk-ransomware
• CrowdStrike 2018 Global Threat Report: Blurring the Lines Between Statecraft and Tradecraft. https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2018GlobalThreatReport.pdf
• Trojan.TrickBot. https://blog.malwarebytes.com/detections/trojan-trickbot/
• TrickBot Banking Trojan Takes Center Stage in 2018. https://blog.barkly.com/trickbot-trojan-2018-campaigns
• HHS HCCIC cybersecurity alert: New Ryuk ransomware quickly racking up damage. https://www.healthcareitnews.com/news/hhs-hccic-cybersecurity-alert-new-ryuk-ransomware-quickly-racking-damage
• Notorious Ryuk Ransomware Adds Trojans to Cyberattack Method. https://healthitsecurity.com/news/notorious-ryuk-ransomware-adds-trojans-to-cyberattack-method
• Emotet re-emerges after the holidays. https://blog.talosintelligence.com/2019/01/return-of-emotet.html
• The Unholy Alliance of Emotet, TrickBot and the Ryuk Ransomware. https://duo.com/decipher/the-unholy-alliance-of-emotet-trickbot-and-the-ryuk-ransomware
• Cybercrime and Other Threats Faced by the Healthcare Industry. https://www.trendmicro.com/content/dam/trendmicro/global/en/security-intelligence/research/reports/wp-cybercrime-&-other-threats-faced-by-the-healthcare-industry.pdf
• Ryuk ransomware targets big businesses: New ransomware group waits and gathers intel before attacking large enterprises. https://www.techradar.com/news/ryuk-ransomware-targets-big-businesses
• Computer virus hits newspapers coast-to-coast. https://www.nbcnews.com/news/us-news/computer-virus-hits-southern-california-newspapers-n953001
• Ryuk Ransomware: A Targeted Campaign Break-Down, CheckPoint Research. https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/
• Ryuk ransomware targets big businesses. https://www.techradar.com/news/ryuk-ransomware-targets-big-businesses
• United States Department of Homeland Security, Cybersecurity and Infrastructure Security Agency, Alert (TA18-201A): Emotet Malware. https://www.us-cert.gov/ncas/alerts/TA18-201A
• Research Suggests Russian-Based Hackers Behind Ryuk Ransomware's $2.5 Million Gains. https://finance.yahoo.com/news/research-suggests-russian-based-hackers-131700487.html
• Long Island Ransomware Attack: New York School Pays $100,000. https://www.msspalert.com/cybersecurity-breaches-and-attacks/ransomware/ryuk-hits-rockville-centre/
• Ransomware hits computer networks of North Carolina water utility, CyberScoop. https://www.cyberscoop.com/ransomware-hits-onwasa-computer-network-north-carolina-water-utility/
• Media Release: Cyber-Criminals Target Critical Utility in Hurricane-Ravaged Area, Onslow Water and Sewer Authority. https://www.onwasa.com/DocumentCenter/View/3701/Scan-from-2018-10-15-08_08_13-A
• Origin of virus that hobbled newspapers still unclear - The origins of a suspected computer attack that disrupted the Los Angeles Times and Tribune Publishing newspapers remain unclear. https://abcnews.go.com/US/wireStory/origin-virus-hobbled-newspapers-unclear-60083516
• Meet CrowdStrike's Adversary of the Month for February: MUMMY SPIDER, February 8, 2018. https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-february-mummy-spider/
• North Korea APT(?) and recent Ryuk Ransomware attacks. https://blog.kryptoslogic.com/malware/2019/01/10/dprk-emotet.html
• US Coast Guard Warns Over Ryuk Ransomware Attacks. https://www.bankinfosecurity.com/us-coast-guard-warns-over-ryuk-ransomware-attacks-a-13563
• Georgia county pays a whopping $400,000 to get rid of a ransomware infection. https://www.zdnet.com/article/georgia-county-pays-a-whopping-400000-to-get-rid-of-a-ransomware-infection/
• Informations Concernant Les Rançongiciels Lockergoga Et Ryuk (Information concerning the LockerGoga and Ryuk ransomware). https://www.cert.ssi.gouv.fr/uploads/CERTFR-2019-ACT-005.pdf
• Cybereason Researchers Discover a Triple Threat Attack Utilizing Emotet to Deploy TrickBot, Which Steals Data and Spreads Ryuk Ransomware. https://www.benzinga.com/pressreleases/19/04/p13470755/cybereason-researchers-discover-a-triple-threat-attack-utilizing-emote
• Ryuk Ransomware Adds IP and Computer Name Blacklisting. https://www.bleepingcomputer.com/news/security/ryuk-ransomware-adds-ip-and-computer-name-blacklisting/
• US Coast Guard - Marine Safety Information Bulletin. https://www.dco.uscg.mil/Portals/9/DCO%20Documents/5p/MSIB/2019/MSIB_10_19.pdf
• Wizard Spider Upgrades Ryuk Ransomware to Reach Deep into LANs. https://threatpost.com/wizard-spider-upgrades-ryuk-ransomware/149853/
• US Coast Guard Says Ryuk Ransomware Took Down Maritime Facility. https://www.bleepingcomputer.com/news/security/us-coast-guard-says-ryuk-ransomware-took-down-maritime-facility/
• Mistaken For North Koreans, The Ryuk Ransomware Hackers Are Making Millions. https://www.forbes.com/sites/thomasbrewster/2019/02/20/mistaken-for-north-koreans-the-ryuk-ransomware-hackers-are-making-millions/#6d47034775f4
• Ryuk Ransomware: Exploring the Technical and Human Connections. https://www.coveware.com/blog/2019/2/19/ryuk-ransomware-exploring-the-technical-and-human-connections
• Stuart's city hall ransomware attack more than likely caused by phishing email scam. https://www.tcpalm.com/story/news/local/martin-county/2019/04/22/city-halls-ransomware-attack-may-linked-phishing-email-scam-ryuk/3540067002/
• 7 Florida municipalities have fallen prey to cyber attacks since last year. https://www.naplesnews.com/story/news/crime/2019/08/20/7-florida-municipalities-have-fallen-prey-cyber-attacks-ryuk-ransomware-phishing/2065063001/
• Tampa Bay Times hit with Ryuk ransomware attack. https://blog.malwarebytes.com/ransomware/2020/01/tampa-bay-times-hit-with-ryuk-ransomware-attack/
• Cyber attack: Virus Ryuk disrupts The Watertown Daily Times Sunday paper delivery. https://www.ibtimes.sg/cyber-attack-virus-ryuk-disrupts-watertown-daily-times-sunday-paper-delivery-30503
• How a Manufacturing Firm Recovered from a Devastating Ransomware Attack. https://www.darkreading.com/attacks-breaches/how-a-manufacturing-firm-recovered-from-a-devastating-ransomware-attack/d/d-id/1334760
• Florida LAN: Someone clicks link, again giving Key Biscayne ransomware. https://arstechnica.com/information-technology/2019/06/is-there-something-in-the-water-third-florida-city-hit-by-ransomware/
• New Warning on Ryuk Ransomware. https://www.darkreading.com/document.asp?doc_id=1335101
• La Porte County Pays $130,000 Ransom To Ryuk Ransomware. https://www.bleepingcomputer.com/news/security/la-porte-county-pays-130-000-ransom-to-ryuk-ransomware/
• China on Ryuk Virus alert: Deadly ransomware sneaks through the country's computer systems. https://www.cryptopolitan.com/china-on-ryuk-virus-alert/
• Ryuk, Sodinokibi Ransomware Responsible for Higher Average Ransoms. https://www.bleepingcomputer.com/news/security/ryuk-sodinokibi-ransomware-responsible-for-higher-average-ransoms/
• Ryuk Related Malware Steals Confidential Military, Financial Files. https://www.bleepingcomputer.com/news/security/ryuk-related-malware-steals-confidential-military-financial-files/
• Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/
• Rolling back Ryuk Ransomware. https://news.sophos.com/en-us/2019/10/04/rolling-back-ryuk-ransomware/
• DCH Hospital Pays Ryuk Ransomware for Decryption Key. https://www.bleepingcomputer.com/news/security/dch-hospital-pays-ryuk-ransomware-for-decryption-key/
• Louisiana was hit by Ryuk, triggering another cyber-emergency. https://arstechnica.com/information-technology/2019/11/louisiana-was-hit-by-ryuk-triggering-another-cyber-emergency/
• Security firm Prosegur: We've shut our IT network after Ryuk ransomware attack. https://www.zdnet.com/article/security-firm-prosegur-weve-shut-our-it-network-after-ryuk-ransomware-attack/
• Cash-moving giant Prosegur knocked offline by Ryuk ransomware. https://www.csoonline.com/article/3504492/cash-moving-giant-prosegur-knocked-offline-by-ryuk-ransomware.html
• New ransomware rakes in $4 million by adopting a "big game hunting" strategy: Ryuk lies in wait for as long as a year, then pounces on only the biggest prey. https://arstechnica.com/information-technology/2019/01/new-ransomware-rakes-in-4-million-by-adopting-a-big-game-hunting-strategy/
• A Nasty Trick: From Credential Theft Malware to Business Disruption. https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html
• Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/
• Hackers Demand Bitcoin Ransom in Cyberattack on Big Canadian Restaurants. https://www.cbc.ca/news/business/ransomware-hack-recipe-unlimited-restaurant-cyberattack-1.4847487
• Ryuk Ransomware Is Making Victims Left and Right. https://www.bleepingcomputer.com/news/security/ryuk-ransomware-is-making-victims-left-and-right/
• Ryuk: Cult Character to Ransomware Villain. https://securityboulevard.com/2019/12/ryuk-cult-character-to-ransomware-villain/
• Hermes ransomware distributed to South Koreans via recent Flash zero-day. https://blog.malwarebytes.com/threat-analysis/2018/03/hermes-ransomware-distributed-to-south-koreans-via-recent-flash-zero-day/

Questions

Upcoming Briefs
• Artificial Intelligence – Application to the Healthcare Industry
• Electronic Health Record systems
• PyXie RAT

Product Evaluations
Recipients of this and other Healthcare Sector Cybersecurity Coordination Center (HC3) Threat Intelligence products are highly encouraged to provide feedback to HC3@HHS.GOV.

Requests for Information
Need information on a specific cybersecurity topic? Send your request for information (RFI) to HC3@HHS.GOV, or call us Monday-Friday between 9am-5pm (EST) at (202) 691-2110.

About Us

HC3 works with private and public sector partners to improve cybersecurity throughout the Healthcare and Public Health (HPH) Sector.

Products
• Sector & Victim Notifications: Directed communications to victims or potential victims of compromises, vulnerable equipment or PII/PHI theft, and general notifications to the HPH about currently impacting threats via the HHS OIG.
• White Papers: Document that provides in-depth information on a cybersecurity topic to increase comprehensive situational awareness and provide risk recommendations to a wide audience.
• Threat Briefings & Webinar: Briefing document and presentation that provides actionable information on health sector cybersecurity threats and mitigations. Analysts present current cybersecurity topics, engage in discussions with participants on current threats, and highlight best practices and mitigation tactics.

Need information on a specific cybersecurity topic or want to join our listserv? Send your request for information (RFI) to HC3@HHS.GOV, or call us Monday-Friday between 9am-5pm (EST) at (202) 691-2110.

Contact

Health Sector Cybersecurity Coordination Center (HC3)
(202) 691-2110, HC3@HHS.GOV


9

Threat Actors

TLP WHITE ID 202001301000

bull Initial activitybull August 2018 to Jan 2019 $47M USD in BTC acquiredbull Used in cyberattacks targeting various newspapers in December (slight delays in delivery but no

significant operational impact) bull San Diego Union-Tribunebull Los Angeles Times and Tribune Publishing

bull Includes Chicago Tribune New York Daily News Baltimore Sun and Orlando Sentinelbull Used to attack cloud hosting provider Data Resolution Onslow Water and Sewer Authority in North

Carolina and an unnamed Canadian company that owns several restaurant chains

bull Combining Ryuk with Emotet and TrickBot

bull ldquoAlong with Emotet TrickBot has become one of the most versatile and dangerous pieces of modular malware hitting enterprise environmentsrdquo ndash HelpNet Security

bull ldquoInteractive deployment of ransomwarerdquo to conduct reconnaissance and ultimately ldquomaximize their disruption of business operationsrdquo - FireEye

SYSTEM(S) ENCRYPTED RANSOM DEMANDEDEmotet TrickBot Ryuk

10

Emotet TrickBot Ryuk Delivery

TLP WHITE ID 202001301000

Source Kryptoslogiccom

11TLP WHITE ID 202001301000

Emotet TrickBot Ryuk DeliveryAnother example of the workflow of Emotet TrickBot and Ryuk when used together

12TLP WHITE ID 202001301000

Ransom Demands

• Ryuk is known to be one of the most costly ransomware families
• According to Coveware, Ryuk payments are often 10 times more than those of its peers

Prominent Ryuk Activity and Alerts in the Last Year

• March 2019
  • IT systems for Jackson County, Georgia attacked. They paid $400,000 (most IT systems except the website and 911 were knocked down)
• April 2019
  • Stuart, Florida attacked with Ryuk
  • Imperial County, California refused to pay a $1.2M Ryuk ransom demand but suffered downtime
• May 2019
  • Disrupted operations of CE Niehoff & Co., a manufacturing firm
• June 2019
  • Key Biscayne, Florida attacked with Ryuk
  • Lake City, Florida paid ~$460K in ransom after a Ryuk attack
  • British GCHQ releases warning about a global Ryuk campaign
  • Georgia's Administrative Office of the Courts attacked
• July 2019
  • La Porte County, Indiana attacked; paid $130,000 ransom
  • Chinese company Tencent releases report on Ryuk attacking targets in China
  • Coveware report notes dramatically increasing ransomware ransom demands and identifies Ryuk as one of the reasons
  • New Bedford, Massachusetts attacked. Refused to pay ransom and rebuilt
  • Several Louisiana school districts attacked with Ryuk
• August 2019
  • Rockville Centre school district (Long Island, New York) paid nearly $100,000 ransom after a Ryuk attack
• September 2019
  • Ryuk-related malware observed exfiltrating sensitive military and financial files
• October 2019
  • DCH Health System in Alabama was attacked, shut down and temporarily stopped admitting new non-emergency patients
• November 2019
  • Ransomware attack on Louisiana Office of Technology Services, likely Ryuk based on publicly released information
  • Multinational Spanish security company Prosegur temporarily shut down its IT network after a Ryuk attack
  • Ryuk attack on Cadena SER (Spain's largest radio station)
  • Ryuk attack on T-System, a provider of end-to-end IT solutions for emergency and urgent healthcare providers; allegedly the infection spread to public segments such as their demilitarized zone, extranet and even their helpdesk
• December 2019
  • Ryuk used to attack the IT network of a federally regulated maritime facility
• January 2020
  • Ryuk used to attack several oil and gas facilities
  • Coveware again reports dramatically increasing ransomware demands and identifies Ryuk as one of the reasons

Ryuk Defense and Mitigations

• Provide social engineering and phishing training to employees [10.S.A] [1.M.D]
• Develop and maintain a policy on suspicious e-mails for end users. Ensure suspicious e-mails are reported [10.S.A] [10.M.A]
• Ensure emails originating from outside the organization are automatically marked before they are received [1.S.A] [1.M.A]
• Apply applicable patches and updates immediately after testing. Develop and maintain a patching program if necessary [7.S.A] [7.M.D]
• Implement an Intrusion Detection System (IDS) [6.S.C] [6.M.C] [6.L.C]
• Implement spam filters at the email gateways [1.S.A] [1.M.A]
• Block suspicious IP addresses at the firewall [6.S.A] [6.M.A] [6.L.E]
• Implement whitelisting technology on appropriate assets to ensure that only authorized software is allowed to execute [2.S.A] [2.M.A] [2.L.E]
• Implement access control based on the principle of least privilege [3.S.A] [3.M.A] [3.L.C]
• Implement and maintain an anti-malware solution [2.S.A] [2.M.A] [2.L.D]
• Conduct system hardening to ensure proper configurations [7.S.A] [7.M.D]
• Disable the use of Remote Desktop Protocol (RDP) or, if absolutely needed, restrict its use applying the principle of least privilege and monitor/log its usage [7.S.A] [7.M.D]

We suggest contacting local law enforcement in the case of a cyberattack. Also, the FBI's Internet Crime Complaint Center (IC3) can be reached here: https://www.ic3.gov/complaint/default.aspx
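The last mitigation above (restrict RDP to least privilege and monitor/log its use) is the one defenders most often leave as a policy statement without a check behind it. The following is an added example, not code from the HC3 deck: a small Python audit that reads Windows Security logon events and alerts on RDP use that falls outside an assumed policy. Interactive RDP logons are Security event 4624 with LogonType 10 (RemoteInteractive) and failed attempts are event 4625; the allowed jump hosts, allowed admin accounts, failure threshold and the key=value event lines are all constructed for the demo and are not from the page.

```python
"""Audit RDP use against a least-privilege policy.

Added example (not part of the HC3 deck).  Interactive RDP logons appear
in the Windows Security log as event 4624 with LogonType 10, and failed
attempts as event 4625.  The policy here is an assumption for the demo:
RDP is allowed only from named jump hosts and only for named admin
accounts; anything else, and any burst of failures from one source, is
an alert.  Events are constructed key=value lines that carry the real
4624/4625 field names, not actual EVTX records.
"""
from collections import Counter

ALLOWED_RDP_SOURCES = {"10.0.0.5", "10.0.0.6"}        # jump hosts (assumed)
ALLOWED_RDP_ACCOUNTS = {"rdp-admin1", "rdp-admin2"}    # assumed admin accounts
FAILURE_THRESHOLD = 5                                  # 4625s per source IP

# Constructed sample events (not from the page).
SAMPLE_EVENTS = [
    "EventID=4624 LogonType=10 TargetUserName=rdp-admin1 IpAddress=10.0.0.5 Computer=SRV01",
    "EventID=4624 LogonType=10 TargetUserName=jdoe IpAddress=10.0.0.5 Computer=SRV01",
    "EventID=4624 LogonType=10 TargetUserName=rdp-admin2 IpAddress=198.51.100.7 Computer=SRV02",
    "EventID=4624 LogonType=3 TargetUserName=svc-backup IpAddress=10.0.0.9 Computer=SRV01",
] + ["EventID=4625 LogonType=10 TargetUserName=Administrator IpAddress=203.0.113.9 Computer=SRV02"] * 6


def parse_event(line):
    """Turn one 'key=value key=value ...' line into a dict."""
    return dict(tok.split("=", 1) for tok in line.split())


def audit_rdp(lines):
    """Return a list of (alert_type, source_ip, detail) tuples."""
    alerts, failures = [], Counter()
    for ev in map(parse_event, lines):
        if ev.get("LogonType") != "10":      # only RemoteInteractive (RDP) logons
            continue
        src, user, host = ev["IpAddress"], ev["TargetUserName"], ev["Computer"]
        if ev["EventID"] == "4624":          # successful logon
            if src not in ALLOWED_RDP_SOURCES:
                alerts.append(("rdp_from_unapproved_source", src, f"{user}@{host}"))
            elif user not in ALLOWED_RDP_ACCOUNTS:
                alerts.append(("rdp_by_unapproved_account", src, f"{user}@{host}"))
        elif ev["EventID"] == "4625":        # failed logon: count per source
            failures[src] += 1
    for src, n in failures.items():
        if n >= FAILURE_THRESHOLD:
            alerts.append(("rdp_failure_burst", src, f"{n} failed logons"))
    return alerts


if __name__ == "__main__":
    for alert in audit_rdp(SAMPLE_EVENTS):
        print(*alert)
```

Run as a script it reports the non-admin logon from the jump host, the admin logon from a non-jump-host address and the burst of failures from one external source; a real deployment would feed it exported 4624/4625 records instead of the constructed lines, and the allow-lists would come from the same source of truth as the firewall rules that restrict TCP/3389.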

Indicators of Compromise

• Please note several things about the indicators of compromise (IOCs) on the following slides:
  • There is a significant quantity of indicators of compromise related to Ryuk available on the public Internet. We have attempted to include as many as possible in this presentation. However, there may be some available to the public that are not included here.
  • Upon being released to the public, IOCs may become "burned", which is to say that the attackers will adjust their TTPs, weapons and infrastructure so that the public IOCs are no longer used.
  • There are instances of obsolete IOCs being reused, so any organization attempting to defend itself should consider all possibilities.
  • New IOCs are constantly being released, especially for a tool as prominent and frequently used as TrickBot. It is therefore incumbent upon any organization attempting to defend itself to remain vigilant, maintain situational awareness and be ever on the lookout for new IOCs to operationalize in its cyber defense infrastructure.

Indicators of Compromise

Command and control

474916850 4211591177 199227126250 68417310

1901457484 1377415118 24113161184 7218912441

18525138208 719410125 1972325085 741345113

18868208240 206130141255 9423220113 10527171234

24247181155 923816339 1901457484 1822532066

174105235178 7414016033 474916850 17222297179

18580148162 6531241133 6412817537

18111317230 14019054187 242272224

17410523382 24247181226 21318363245

71141298 46149182112 10311091118

2161836243 21332122246 241196970

Indicators of Compromise (Continued)

Hashes (MD5)

1354ac0d5be0c8d03f4e3aba78d2223e
29340643ca2e6677c19e1d3bf351d654
5ac0f050f93f86e69026faea1fbb4450
86c314bc2dc37ba84f7364acd5108c2b
958c594909933d4c82e93c22850194aa
c0202cf6aeab8437c638533d14563d35
cb0c1248d3899358a375888bb4e8f3fe
d348f536e214a47655af387408b4fca5
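The slides ask defenders to operationalize these IOCs, and the IOC notes warn that public indicators go stale and get reused. The following is an added example, not code from the HC3 deck, that turns the two lists above into something that can actually be run. In this copy of the slides the command-and-control addresses lost their octet separators (for example "474916850"), so the script enumerates every valid IPv4 dotted-quad reading of each digit string, blocklists only the ones with a single valid reading, and hands the ambiguous ones to an analyst instead of guessing. It then matches the blocklist and the MD5 list against a few constructed firewall and EDR log lines; the log format, hostnames and file path are assumptions, not from the page.

```python
"""Turn the C2 and hash IOCs on the slides above into a usable blocklist.

Added example (not part of the HC3 deck).  The C2 addresses in this copy
lost their octet separators, so each digit string is expanded into every
valid IPv4 dotted quad it could encode.  Strings with exactly one valid
reading go on the blocklist; the rest are returned for analyst review
rather than guessed.  Both lists are then matched against constructed
firewall/EDR log lines (format, hosts and path are assumptions).
"""
import re
from itertools import product

# C2 digit strings exactly as they appear on the slide (duplicates included).
C2_DIGIT_STRINGS = """
474916850 4211591177 199227126250 68417310
1901457484 1377415118 24113161184 7218912441
18525138208 719410125 1972325085 741345113
18868208240 206130141255 9423220113 10527171234
24247181155 923816339 1901457484 1822532066
174105235178 7414016033 474916850 17222297179
18580148162 6531241133 6412817537
18111317230 14019054187 242272224
17410523382 24247181226 21318363245
71141298 46149182112 10311091118
2161836243 21332122246 241196970
""".split()

# MD5 hashes from the slide (these survived extraction intact).
RYUK_MD5 = {
    "1354ac0d5be0c8d03f4e3aba78d2223e", "29340643ca2e6677c19e1d3bf351d654",
    "5ac0f050f93f86e69026faea1fbb4450", "86c314bc2dc37ba84f7364acd5108c2b",
    "958c594909933d4c82e93c22850194aa", "c0202cf6aeab8437c638533d14563d35",
    "cb0c1248d3899358a375888bb4e8f3fe", "d348f536e214a47655af387408b4fca5",
}


def candidate_ipv4s(digits):
    """Every valid dotted-quad reading of a digit-only string, sorted.

    Each octet is 1-3 digits, at most 255, with no leading zero except "0".
    """
    if not digits.isdigit() or not 4 <= len(digits) <= 12:
        return []
    found = []
    for lens in product((1, 2, 3), repeat=4):   # octet lengths, 81 combos
        if sum(lens) != len(digits):
            continue
        octets, pos = [], 0
        for n in lens:
            octets.append(digits[pos:pos + n])
            pos += n
        if all(len(o) == 1 or o[0] != "0" for o in octets) and \
                all(int(o) <= 255 for o in octets):
            found.append(".".join(octets))
    return sorted(found)


def build_blocklist(digit_strings):
    """Return (blocklist, review): the set of unambiguous IPs, and a dict of
    {digit_string: candidates} for strings with zero or several readings."""
    blocklist, review = set(), {}
    for d in dict.fromkeys(digit_strings):      # de-duplicate, keep order
        cands = candidate_ipv4s(d)
        if len(cands) == 1:
            blocklist.add(cands[0])
        else:
            review[d] = cands
    return blocklist, review


IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MD5_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")


def scan_logs(lines, blocklist, hashes):
    """Return (line_no, kind, value) for every C2 IP or MD5 hit in the lines."""
    hits = []
    for no, line in enumerate(lines, 1):
        hits += [(no, "c2_ip", ip) for ip in IP_RE.findall(line) if ip in blocklist]
        hits += [(no, "md5", h.lower()) for h in MD5_RE.findall(line)
                 if h.lower() in hashes]
    return hits


# Constructed log lines for the demo (not from the page): one C2 connection,
# one benign connection, one file whose hash is on the slide.
SAMPLE_LOGS = [
    "2020-01-30T10:00:01Z fw01 allow src=10.20.30.40 dst=47.49.168.50 dport=443",
    "2020-01-30T10:00:02Z fw01 allow src=10.20.30.41 dst=93.184.216.34 dport=443",
    "2020-01-30T10:00:03Z edr01 file_created host=WS-22 "
    "md5=5AC0F050F93F86E69026FAEA1FBB4450 path=C:\\Users\\Public\\x.exe",
]


def demo():
    """Build the blocklist from the slide data and scan the sample logs."""
    blocklist, review = build_blocklist(C2_DIGIT_STRINGS)
    return scan_logs(SAMPLE_LOGS, blocklist, RYUK_MD5), blocklist, review


if __name__ == "__main__":
    hits, blocklist, review = demo()
    print(f"{len(blocklist)} unambiguous C2 IPs, {len(review)} strings need review")
    for d, cands in review.items():
        print(f"  review {d}: {cands or 'no valid IPv4 reading'}")
    for hit in hits:
        print("HIT", hit)
```

The split between blocklist and review is the point: a string such as "68417310" reads as 6.84.173.10, 68.4.173.10 or 68.41.73.10, and blocking all three would be guessing. The same structure applies to any IOC feed: block what is unambiguous, review the rest, and, per the notes above, re-run the scan against fresh feeds because burned indicators are sometimes reused.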

References

• Ryuk Ransomware: Exploring the Technical and Human Connections
  https://www.coveware.com/blog/2019/2/19/ryuk-ransomware-exploring-the-technical-and-human-connections
• 2017 Cylance Threat Report
  https://pages.cylance.com/2018-03CylanceThreatReport2017.html
• 2018 Global Threat Report: Blurring the Lines Between Statecraft and Tradecraft, CrowdStrike
  https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2018GlobalThreatReport.pdf
• TEMP.MixMaster group infects with TrickBot and delayed Ryuk ransomware combo
  https://www.scmagazine.com/home/security-news/financially-motivated-threat-actors/referred-to-as-temp-mixmaster-are-infecting-victims-with-trickbot-malware-before-deploying-the-infamous-ryuk-ransomware
• Ryuk ransomware linked to Emotet and TrickBot trojans; suspicions shift to cybercriminal group
  https://www.scmagazine.com/home/security-news/ryuk-ransomware-linked-to-emotet-and-trickbot-trojans-suspicions-shift-to-cybercriminal-group
• Ryuk ransomware earns hackers $3.7M in Bitcoin over 5 months: 52 known ransom transactions were recorded, the highest worth 99 BTC
  https://thenextweb.com/hardfork/2019/01/14/ryuk-bitcoin-ransomware
• Ryuk Ransomware Crew Makes $640,000 in Recent Activity Surge
  https://www.bleepingcomputer.com/news/security/ryuk-ransomware-crew-makes-640-000-in-recent-activity-surge

• Ryuk ransomware gang probably Russian, not North Korean
  https://www.zdnet.com/article/ryuk-ransomware-gang-probably-russian-not-north-korean
• Cloud Hosting Provider Dataresolution.net Hit by Ryuk Ransomware
  https://www.securitysw.com/blog/cloud-hosting-provider-dataresolution-net-hit-by-ryuk-ransomware
• CrowdStrike 2018 Global Threat Report: Blurring the Lines Between Statecraft and Tradecraft
  https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2018GlobalThreatReport.pdf
• Trojan.TrickBot
  https://blog.malwarebytes.com/detections/trojan-trickbot
• TrickBot Banking Trojan Takes Center Stage in 2018
  https://blog.barkly.com/trickbot-trojan-2018-campaigns
• HHS HCCIC cybersecurity alert: New Ryuk ransomware quickly racking up damage
  https://www.healthcareitnews.com/news/hhs-hccic-cybersecurity-alert-new-ryuk-ransomware-quickly-racking-damage
• Notorious Ryuk Ransomware Adds Trojans to Cyberattack Method
  https://healthitsecurity.com/news/notorious-ryuk-ransomware-adds-trojans-to-cyberattack-method
• Emotet re-emerges after the holidays
  https://blog.talosintelligence.com/2019/01/return-of-emotet.html
• The Unholy Alliance of Emotet, TrickBot and the Ryuk Ransomware
  https://duo.com/decipher/the-unholy-alliance-of-emotet-trickbot-and-the-ryuk-ransomware

• Cybercrime and Other Threats Faced by the Healthcare Industry
  https://www.trendmicro.com/content/dam/trendmicro/global/en/security-intelligence/research/reports/wp-cybercrime-&-other-threats-faced-by-the-healthcare-industry.pdf
• Ryuk ransomware targets big businesses: New ransomware group waits and gathers intel before attacking large enterprises
  https://www.techradar.com/news/ryuk-ransomware-targets-big-businesses
• Computer virus hits newspapers coast-to-coast
  https://www.nbcnews.com/news/us-news/computer-virus-hits-southern-california-newspapers-n953001
• Ryuk Ransomware: A Targeted Campaign Break-Down, Check Point Research
  https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break
• United States Department of Homeland Security, Cybersecurity and Infrastructure Security Agency, Alert (TA18-201A): Emotet Malware
  https://www.us-cert.gov/ncas/alerts/TA18-201A
• Research Suggests Russian-Based Hackers Behind Ryuk Ransomware's $2.5 Million Gains
  https://finance.yahoo.com/news/research-suggests-russian-based-hackers-131700487.html
• Long Island Ransomware Attack: New York School Pays $100,000
  https://www.msspalert.com/cybersecurity-breaches-and-attacks/ransomware/ryuk-hits-rockville-centre

• Ransomware hits computer networks of North Carolina water utility, CyberScoop
  https://www.cyberscoop.com/ransomware-hits-onwasa-computer-network-north-carolina-water-utility
• Media Release: Cyber-Criminals Target Critical Utility in Hurricane-Ravaged Area, Onslow Water and Sewer Authority
  https://www.onwasa.com/DocumentCenter/View/3701/Scan-from-2018-10-15-08_08_13-A
• Origin of virus that hobbled newspapers still unclear: The origins of a suspected computer attack that disrupted the Los Angeles Times and Tribune Publishing newspapers remain unclear
  https://abcnews.go.com/US/wireStory/origin-virus-hobbled-newspapers-unclear-60083516
• Meet CrowdStrike's Adversary of the Month for February: MUMMY SPIDER (February 8, 2018)
  https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-february-mummy-spider
• North Korea APT(?) and recent Ryuk Ransomware attacks
  https://blog.kryptoslogic.com/malware/2019/01/10/dprk-emotet.html
• US Coast Guard Warns Over Ryuk Ransomware Attacks
  https://www.bankinfosecurity.com/us-coast-guard-warns-over-ryuk-ransomware-attacks-a-13563
• Georgia county pays a whopping $400,000 to get rid of a ransomware infection
  https://www.zdnet.com/article/georgia-county-pays-a-whopping-400000-to-get-rid-of-a-ransomware-infection
• Information Concerning the LockerGoga and Ryuk Ransomware (CERTFR-2019-ACT-005, in French)
  https://www.cert.ssi.gouv.fr/uploads/CERTFR-2019-ACT-005.pdf
• Cybereason Researchers Discover a Triple Threat Attack Utilizing Emotet to Deploy TrickBot, Which Steals Data and Spreads Ryuk Ransomware
  https://www.benzinga.com/pressreleases/19/04/p13470755/cybereason-researchers-discover-a-triple-threat-attack-utilizing-emote

• Ryuk Ransomware Adds IP and Computer Name Blacklisting
  https://www.bleepingcomputer.com/news/security/ryuk-ransomware-adds-ip-and-computer-name-blacklisting
• US Coast Guard: Marine Safety Information Bulletin
  https://www.dco.uscg.mil/Portals/9/DCO%20Documents/5p/MSIB/2019/MSIB_10_19.pdf
• Wizard Spider Upgrades Ryuk Ransomware to Reach Deep into LANs
  https://threatpost.com/wizard-spider-upgrades-ryuk-ransomware/149853
• US Coast Guard Says Ryuk Ransomware Took Down Maritime Facility
  https://www.bleepingcomputer.com/news/security/us-coast-guard-says-ryuk-ransomware-took-down-maritime-facility
• Mistaken For North Koreans, The Ryuk Ransomware Hackers Are Making Millions
  https://www.forbes.com/sites/thomasbrewster/2019/02/20/mistaken-for-north-koreans-the-ryuk-ransomware-hackers-are-making-millions/#6d47034775f4
• Stuart's city hall ransomware attack more than likely caused by phishing email scam
  https://www.tcpalm.com/story/news/local/martin-county/2019/04/22/city-halls-ransomware-attack-may-linked-phishing-email-scam-ryuk/3540067002
• 7 Florida municipalities have fallen prey to cyber attacks since last year
  https://www.naplesnews.com/story/news/crime/2019/08/20/7-florida-municipalities-have-fallen-prey-cyber-attacks-ryuk-ransomware-phishing/2065063001
• Tampa Bay Times hit with Ryuk ransomware attack
  https://blog.malwarebytes.com/ransomware/2020/01/tampa-bay-times-hit-with-ryuk-ransomware-attack

• Cyber attack: Virus Ryuk disrupts The Watertown Daily Times Sunday paper delivery
  https://www.ibtimes.sg/cyber-attack-virus-ryuk-disrupts-watertown-daily-times-sunday-paper-delivery-30503
• How a Manufacturing Firm Recovered from a Devastating Ransomware Attack
  https://www.darkreading.com/attacks-breaches/how-a-manufacturing-firm-recovered-from-a-devastating-ransomware-attack/d/d-id/1334760
• Florida LAN: Someone clicks link again, giving Key Biscayne ransomware
  https://arstechnica.com/information-technology/2019/06/is-there-something-in-the-water-third-florida-city-hit-by-ransomware
• New Warning on Ryuk Ransomware
  https://www.darkreading.com/document.asp?doc_id=1335101
• La Porte County Pays $130,000 Ransom To Ryuk Ransomware
  https://www.bleepingcomputer.com/news/security/la-porte-county-pays-130-000-ransom-to-ryuk-ransomware
• China on Ryuk Virus alert: Deadly ransomware sneaks through the country's computer systems
  https://www.cryptopolitan.com/china-on-ryuk-virus-alert
• Ryuk, Sodinokibi Ransomware Responsible for Higher Average Ransoms
  https://www.bleepingcomputer.com/news/security/ryuk-sodinokibi-ransomware-responsible-for-higher-average-ransoms
• Ryuk Related Malware Steals Confidential Military, Financial Files
  https://www.bleepingcomputer.com/news/security/ryuk-related-malware-steals-confidential-military-financial-files
• Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware
  https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware

• Rolling back Ryuk Ransomware
  https://news.sophos.com/en-us/2019/10/04/rolling-back-ryuk-ransomware
• DCH Hospital Pays Ryuk Ransomware for Decryption Key
  https://www.bleepingcomputer.com/news/security/dch-hospital-pays-ryuk-ransomware-for-decryption-key
• Louisiana was hit by Ryuk, triggering another cyber-emergency
  https://arstechnica.com/information-technology/2019/11/louisiana-was-hit-by-ryuk-triggering-another-cyber-emergency
• Security firm Prosegur: We've shut our IT network after Ryuk ransomware attack
  https://www.zdnet.com/article/security-firm-prosegur-weve-shut-our-it-network-after-ryuk-ransomware-attack
• Cash-moving giant Prosegur knocked offline by Ryuk ransomware
  https://www.csoonline.com/article/3504492/cash-moving-giant-prosegur-knocked-offline-by-ryuk-ransomware.html
• New ransomware rakes in $4 million by adopting a "big game hunting" strategy: Ryuk lies in wait for as long as a year, then pounces on only the biggest prey
  https://arstechnica.com/information-technology/2019/01/new-ransomware-rakes-in-4-million-by-adopting-a-big-game-hunting-strategy
• A Nasty Trick: From Credential Theft Malware to Business Disruption
  https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html

• Hackers Demand Bitcoin Ransom in Cyberattack on Big Canadian Restaurants
  https://www.cbc.ca/news/business/ransomware-hack-recipe-unlimited-restaurant-cyberattack-1.4847487
• Ryuk Ransomware Is Making Victims Left and Right
  https://www.bleepingcomputer.com/news/security/ryuk-ransomware-is-making-victims-left-and-right
• Ryuk: Cult Character to Ransomware Villain
  https://securityboulevard.com/2019/12/ryuk-cult-character-to-ransomware-villain
• Hermes ransomware distributed to South Koreans via recent Flash zero-day
  https://blog.malwarebytes.com/threat-analysis/2018/03/hermes-ransomware-distributed-to-south-koreans-via-recent-flash-zero-day

Questions

Upcoming Briefs
• Artificial Intelligence – Application to the Healthcare Industry
• Electronic Health Record systems
• PyXie RAT

Product Evaluations
Recipients of this and other Healthcare Sector Cybersecurity Coordination Center (HC3) Threat Intelligence products are highly encouraged to provide feedback to HC3@HHS.GOV.

Requests for Information
Need information on a specific cybersecurity topic? Send your request for information (RFI) to HC3@HHS.GOV or call us Monday-Friday between 9am-5pm (EST) at (202) 691-2110.

About Us

HC3 works with private and public sector partners to improve cybersecurity throughout the Healthcare and Public Health (HPH) Sector.

Products

Sector & Victim Notifications
Directed communications to victims or potential victims of compromises, vulnerable equipment or PII/PHI theft, and general notifications to the HPH about currently impacting threats via the HHS OIG.

White Papers
Document that provides in-depth information on a cybersecurity topic to increase comprehensive situational awareness and provide risk recommendations to a wide audience.

Threat Briefings & Webinar
Briefing document and presentation that provides actionable information on health sector cybersecurity threats and mitigations. Analysts present current cybersecurity topics, engage in discussions with participants on current threats and highlight best practices and mitigation tactics.

Need information on a specific cybersecurity topic or want to join our listserv? Send your request for information (RFI) to HC3@HHS.GOV or call us Monday-Friday between 9am-5pm (EST) at (202) 691-2110.

Contact

Health Sector Cybersecurity Coordination Center (HC3)
(202) 691-2110
HC3@HHS.GOV


city-hit-by-ransomwarebull New Warning on Ryuk Ransomware

bull httpswwwdarkreadingcomdocumentaspdoc_id=1335101bull La Porte County Pays $130000 Ransom To Ryuk Ransomware

bull httpswwwbleepingcomputercomnewssecurityla-porte-county-pays-130-000-ransom-to-ryuk-ransomware

bull China on Ryuk Virus alert Deadly ransomware sneaks through the countryrsquos computer systemsbull httpswwwcryptopolitancomchina-on-ryuk-virus-alert

Ryuk Sodinokibi Ransomware Responsible for Higher Average Ransomshttpswwwbleepingcomputercomnewssecurityryuk-sodinokibi-ransomware-responsible-for-higher-average-ransoms

Ryuk Related Malware Steals Confidential Military Financial Fileshttpswwwbleepingcomputercomnewssecurityryuk-related-malware-steals-confidential-military-financial-files

Big Game Hunting with Ryuk Another Lucrative Targeted Ransomwarehttpswwwcrowdstrikecomblogbig-game-hunting-with-ryuk-another-lucrative-targeted-ransomware

27

References

TLP WHITE ID 202001301000

bull Rolling back Ryuk Ransomwarebull httpsnewssophoscomen-us20191004rolling-back-ryuk-ransomware

bull DCH Hospital Pays Ryuk Ransomware for Decryption Keybull httpswwwbleepingcomputercomnewssecuritydch-hospital-pays-ryuk-ransomware-for-decryption-

key

bull Louisiana was hit by Ryuk triggering another cyber-emergencybull httpsarstechnicacominformation-technology201911louisiana-was-hit-by-ryuk-triggering-another-

cyber-emergency

bull Security firm Prosegur Weve shut our IT network after Ryuk ransomware attackbull httpswwwzdnetcomarticlesecurity-firm-prosegur-weve-shut-our-it-network-after-ryuk-ransomware-

attack

bull Cash-moving giant Prosegur knocked offline by Ryuk ransomwarebull httpswwwcsoonlinecomarticle3504492cash-moving-giant-prosegur-knocked-offline-by-ryuk-

ransomwarehtml

bull New ransomware rakes in $4 million by adopting a ldquobig game huntingrdquo strategy Ryuk lies in wait for as long as a year then pounces on only the biggest prey

bull httpsarstechnicacominformation-technology201901new-ransomware-rakes-in-4-million-by-adopting-a-big-game-hunting-strategy

bull A Nasty Trick From Credential Theft Malware to Business Disruptionbull httpswwwfireeyecomblogthreat-research201901a-nasty-trick-from-credential-theft-malware-to-

business-disruptionhtml

28

References

TLP WHITE ID 202001301000

bull Big Game Hunting with Ryuk Another Lucrative Targeted Ransomwarebull httpswwwcrowdstrikecomblogbig-game-hunting-with-ryuk-another-lucrative-targeted-ransomware

bull Hackers Demand Bitcoin Ransom in Cyberattack on Big Canadian Restaurantsbull qhttpswwwcbccanewsbusinessransomware-hack-recipe-unlimited-restaurant-cyberattack-

14847487

bull Ryuk Ransomware Is Making Victims Left and Rightbull httpswwwbleepingcomputercomnewssecurityryuk-ransomware-is-making-victims-left-and-right

bull Ryuk Cult Character to Ransomware Villainbull httpssecurityboulevardcom201912ryuk-cult-character-to-ransomware-villain

bull Hermes ransomware distributed to South Koreans via recent Flash zero-daybull httpsblogmalwarebytescomthreat-analysis201803hermes-ransomware-distributed-to-south-

koreans-via-recent-flash-zero-day

30

Questions

Upcoming Briefs
• Artificial Intelligence – Application to the Healthcare Industry
• Electronic Health Record systems
• PyXie RAT

Product Evaluations
Recipients of this and other Healthcare Sector Cybersecurity Coordination Center (HC3) Threat Intelligence products are highly encouraged to provide feedback to HC3@HHS.GOV.

Requests for Information
Need information on a specific cybersecurity topic? Send your request for information (RFI) to HC3@HHS.GOV or call us Monday-Friday between 9am-5pm (EST) at (202) 691-2110.

31

About Us

HC3 works with private and public sector partners to improve cybersecurity throughout the Healthcare and Public Health (HPH) Sector.

Products

Sector & Victim Notifications
Directed communications to victims or potential victims of compromises, vulnerable equipment or PII/PHI theft, and general notifications to the HPH about currently impacting threats via the HHS OIG.

White Papers
Document that provides in-depth information on a cybersecurity topic to increase comprehensive situational awareness and provide risk recommendations to a wide audience.

Threat Briefings & Webinar
Briefing document and presentation that provides actionable information on health sector cybersecurity threats and mitigations. Analysts present current cybersecurity topics, engage in discussions with participants on current threats, and highlight best practices and mitigation tactics.

Need information on a specific cybersecurity topic or want to join our listserv? Send your request for information (RFI) to HC3@HHS.GOV or call us Monday-Friday between 9am-5pm (EST) at (202) 691-2110.

Contact

Health Sector Cybersecurity Coordination Center (HC3)
(202) 691-2110
HC3@HHS.GOV


11

Emotet => TrickBot => Ryuk Delivery

Another example of the workflow of Emotet, TrickBot and Ryuk when used together.

12

Ransom Demands

• Ryuk is known to be one of the most costly ransomware families
• According to Coveware, Ryuk payments are often 10 times more than its peers

13

Prominent Ryuk Activity and Alerts in the Last Year

• March 2019
  • IT systems for Jackson County, Georgia attacked. They paid $400,000 (most IT systems, except website and 911, knocked down)
• May 2019
  • Disrupted operations of CE Niehoff & Co., a manufacturing firm
• April 2019
  • Stuart, Florida attacked with Ryuk
  • Imperial County, California refused to pay $1.2M Ryuk ransom demand but suffered downtime
• June 2019
  • Key Biscayne, Florida attacked with Ryuk
  • Lake City, Florida paid ~$460K in Ryuk attack ransom
  • British GCHQ releases warning about global Ryuk campaign
  • Georgia's Administrative Office of the Courts attacked
• July 2019
  • La Porte County, Indiana attacked, paid $130,000 ransom
  • Chinese company Tencent releases report on Ryuk attacking targets in China
  • Coveware report notes dramatically increasing ransomware ransom demands, identifies Ryuk as one of the reasons
  • New Bedford, Massachusetts attacked. Refused to pay ransom and rebuilt
  • Several Louisiana school districts attacked with Ryuk

14

Prominent Ryuk Activity and Alerts in the Last Year

• August 2019
  • Rockville Centre school district (Long Island, New York) paid nearly $100,000 ransom for a Ryuk attack
• September 2019
  • Ryuk-related malware observed exfiltrating sensitive military and financial files
• October 2019
  • DCH Health System in Alabama was attacked, shut down and temporarily stopped admitting new non-emergency patients
• November 2019
  • Ransomware attack on Louisiana Office of Technology Services, likely Ryuk based on publicly-released
  • Multinational Spanish security company Prosegur temporarily shut down IT network after Ryuk attack
  • Ryuk attack on Cadena SER (Spain's largest radio station)
  • Ryuk attack on T-System, a provider of end-to-end IT solutions for emergency and urgent healthcare providers; allegedly the infection spread to public segments such as their demilitarized zone, extranet and even their helpdesk
• December 2019
  • Ryuk used to attack IT network of a federally regulated maritime facility
• January 2020
  • Ryuk used to attack several oil and gas facilities
  • Coveware again reports dramatically increasing ransomware demands, identifies Ryuk as one of the reasons


16

Ryuk Defense and Mitigations

• Provide social engineering and phishing training to employees [10.S.A] [1.M.D]
• Develop and maintain policy on suspicious e-mails for end users. Ensure suspicious e-mails are reported [10.S.A] [10.M.A]
• Ensure emails originating from outside the organization are automatically marked before received [1.S.A] [1.M.A]
• Apply applicable patches and updates immediately after testing. Develop and maintain patching program if necessary [7.S.A] [7.M.D]
• Implement Intrusion Detection System (IDS) [6.S.C] [6.M.C] [6.L.C]
• Implement spam filters at the email gateways [1.S.A] [1.M.A]
• Block suspicious IP addresses at the firewall [6.S.A] [6.M.A] [6.L.E]
• Implement whitelisting technology on appropriate assets to ensure that only authorized software is allowed to execute [2.S.A] [2.M.A] [2.L.E]
• Implement access control based on the principle of least privilege [3.S.A] [3.M.A] [3.L.C]
• Implement and maintain anti-malware solution [2.S.A] [2.M.A] [2.L.D]
• Conduct system hardening to ensure proper configurations [7.S.A] [7.M.D]
• Disable the use of Remote Desktop Protocol (RDP) or, if absolutely needed, restrict its use applying the principle of least privilege and monitor/log its usage [7.S.A] [7.M.D]

We suggest contacting local law enforcement in the case of a cyberattack. Also, the FBI's Internet Crime Complaint Center (IC3) can be reached here: https://www.ic3.gov/complaint/default.aspx

17

Prominent Ryuk Activity and Alerts in the Last Year

• Please note several things about the indicators of compromise (IOCs) on the following slides:
  • There is a significant quantity of indicators of compromise related to Ryuk available on the public Internet. We have attempted to include as many as possible in this presentation. However, there may be some available to the public not included here.
  • Upon being released to the public, IOCs may become "burned", which is to say that the attackers will adjust their TTPs, weapons and infrastructure so that the public IOCs are no longer used.
  • There are instances of obsolete IOCs being reused, so any organization attempting to defend themselves should consider all possibilities.
  • New IOCs are constantly being released, especially with a tool as prominent and frequently used as TrickBot. It is therefore incumbent upon any organization attempting to defend themselves to remain vigilant, maintain situational awareness, and be ever on the lookout for new IOCs to operationalize in their cyber defense infrastructure.
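As an added example that is not part of the HC3 briefing, the following Python shows one way to operationalize the guidance above together with the earlier "block suspicious IP addresses at the firewall" mitigation: match firewall log lines against an IOC feed, lower confidence on indicators old enough to be burned, and restore it when a newer report reuses the value. The CSV feed format, the log format, the 180-day burn window and every address, hash and date are assumptions (RFC 5737 test addresses, not the briefing's indicators).

```python
"""Operationalising public Ryuk/TrickBot IOCs against firewall logs.

Added example, not part of the HC3 briefing. Every address, hash, date and
log line below is a constructed placeholder (RFC 5737 test addresses), not
one of the briefing's indicators; the feed and log formats are assumed.
"""
from dataclasses import dataclass
from datetime import date
import re

# After this many days a public IOC is treated as likely "burned". The
# briefing also notes that obsolete IOCs are sometimes reused, so an old
# indicator keeps matching at lower confidence instead of being dropped.
BURN_AFTER_DAYS = 180


@dataclass(frozen=True)
class Indicator:
    value: str        # IPv4 address or file hash
    kind: str         # "c2_ip" or "hash"
    published: date   # date the indicator became public
    source: str       # report it came from


def load_feed(csv_lines):
    """Parse 'value,kind,YYYY-MM-DD,source' lines (assumed feed format)."""
    feed = []
    for raw in csv_lines:
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        value, kind, published, source = (f.strip() for f in raw.split(","))
        feed.append(Indicator(value, kind, date.fromisoformat(published), source))
    return feed


def merge_feed(current, incoming):
    """Fold a newly released feed into the current one.

    A value that reappears in a newer report is a reused IOC: keep the
    newer publication date so its confidence is restored.
    """
    merged = {i.value: i for i in current}
    for i in incoming:
        old = merged.get(i.value)
        if old is None or i.published > old.published:
            merged[i.value] = i
    return list(merged.values())


# Constructed feed in the assumed CSV format.
SAMPLE_FEED_CSV = [
    "# value,kind,published,source",
    "203.0.113.10,c2_ip,2019-01-10,vendor-report-A",
    "198.51.100.77,c2_ip,2020-01-28,vendor-report-B",
    "0123456789abcdef0123456789abcdef,hash,2019-06-01,vendor-report-A",
]
IOC_FEED = load_feed(SAMPLE_FEED_CSV)

# Assumed firewall log format: "<YYYY-MM-DD> <src:port> -> <dst:port> <ACTION>"
LOG_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\S+) -> (\S+) (\w+)$")
SAMPLE_LOG = [
    "2019-03-02 10.0.0.5:51122 -> 203.0.113.10:443 ALLOW",   # 51 days after publication
    "2020-01-30 10.0.0.8:49001 -> 203.0.113.10:443 ALLOW",   # 385 days: likely burned
    "2020-01-30 10.0.0.8:49002 -> 198.51.100.77:443 ALLOW",  # 2 days: fresh indicator
    "2020-01-30 10.0.0.9:49003 -> 192.0.2.1:80 ALLOW",       # not in the feed
    "this line does not parse",
]


def confidence(ioc, observed_on):
    """'high' while the IOC is fresh, 'low' once it is old enough to be burned."""
    age_days = (observed_on - ioc.published).days
    return "high" if age_days <= BURN_AFTER_DAYS else "low"


def scan_firewall_log(lines, feed):
    """Return one hit per log line whose destination is a known C2 address."""
    by_ip = {i.value: i for i in feed if i.kind == "c2_ip"}
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m is None:
            continue  # unparseable line: skip it rather than abort the scan
        observed_on = date.fromisoformat(m.group(1))
        dst_ip = m.group(3).rsplit(":", 1)[0]
        ioc = by_ip.get(dst_ip)
        if ioc is not None:
            hits.append({
                "line": line,
                "ioc": ioc.value,
                "source": ioc.source,
                "confidence": confidence(ioc, observed_on),
            })
    return hits


if __name__ == "__main__":
    for hit in scan_firewall_log(SAMPLE_LOG, IOC_FEED):
        print(f"{hit['confidence']:<4} {hit['ioc']:<15} {hit['source']}  {hit['line']}")
```

A low-confidence hit is still a hit: the briefing's point is that a burned indicator may be reused, so it is routed to triage rather than silently discarded.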

18

Indicators of Compromise

Command and control


19

Indicators of Compromise (Continued)

Hashes


Reference Materials

21

References

• Ryuk Ransomware: Exploring the Technical and Human Connections
  https://www.coveware.com/blog/2019/2/19/ryuk-ransomware-exploring-the-technical-and-human-connections
• 2017 Cylance Threat Report
  https://pages.cylance.com/2018-03CylanceThreatReport2017.html
• 2018 Global Threat Report: Blurring the Lines Between Statecraft and Tradecraft (Crowdstrike)
  https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2018GlobalThreatReport.pdf
• TEMP.MixMaster group infects with Trickbot and delayed Ryuk ransomware combo
  https://www.scmagazine.com/home/security-news/financially-motivated-threat-actors-referred-to-as-temp-mixmaster-are-infecting-victims-with-trickbot-malware-before-deploying-the-infamous-ryuk-ransomware/
• Ryuk ransomware linked to Emotet and TrickBot trojans; suspicions shift to cybercriminal group
  https://www.scmagazine.com/home/security-news/ryuk-ransomware-linked-to-emotet-and-trickbot-trojans-suspicions-shift-to-cybercriminal-group/
• Ryuk ransomware earns hackers $3.7M in Bitcoin over 5 months - 52 known ransom transactions were recorded, the highest worth 99 BTC
  https://thenextweb.com/hardfork/2019/01/14/ryuk-bitcoin-ransomware/
• Ryuk Ransomware Crew Makes $640,000 in Recent Activity Surge
  https://www.bleepingcomputer.com/news/security/ryuk-ransomware-crew-makes-640-000-in-recent-activity-surge/

22

References

• Ryuk ransomware gang probably Russian, not North Korean
  https://www.zdnet.com/article/ryuk-ransomware-gang-probably-russian-not-north-korean/
• Cloud Hosting Provider Dataresolution.net Hit by Ryuk Ransomware
  https://www.securitysw.com/blog/cloud-hosting-provider-dataresolution-net-hit-by-ryuk-ransomware
• CrowdStrike 2018 Global Threat Report: Blurring the Lines Between Statecraft and Tradecraft
  https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2018GlobalThreatReport.pdf
• Trojan.TrickBot
  https://blog.malwarebytes.com/detections/trojan-trickbot/
• TrickBot Banking Trojan Takes Center Stage in 2018
  https://blog.barkly.com/trickbot-trojan-2018-campaigns
• HHS HCCIC cybersecurity alert: New Ryuk ransomware quickly racking up damage
  https://www.healthcareitnews.com/news/hhs-hccic-cybersecurity-alert-new-ryuk-ransomware-quickly-racking-damage
• Notorious Ryuk Ransomware Adds Trojans to Cyberattack Method
  https://healthitsecurity.com/news/notorious-ryuk-ransomware-adds-trojans-to-cyberattack-method
• Emotet re-emerges after the holidays
  https://blog.talosintelligence.com/2019/01/return-of-emotet.html
• The Unholy Alliance of Emotet, TrickBot and the Ryuk Ransomware
  https://duo.com/decipher/the-unholy-alliance-of-emotet-trickbot-and-the-ryuk-ransomware

23

References

• Cybercrime and Other Threats Faced by the Healthcare Industry
  https://www.trendmicro.com/content/dam/trendmicro/global/en/security-intelligence/research/reports/wp-cybercrime-&-other-threats-faced-by-the-healthcare-industry.pdf
• Ryuk ransomware targets big businesses: New ransomware group waits and gathers intel before attacking large enterprises
  https://www.techradar.com/news/ryuk-ransomware-targets-big-businesses
• Computer virus hits newspapers coast-to-coast
  https://www.nbcnews.com/news/us-news/computer-virus-hits-southern-california-newspapers-n953001
• Ryuk Ransomware: A Targeted Campaign Break-Down (CheckPoint Research)
  https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/
• Ryuk ransomware targets big businesses
  https://www.techradar.com/news/ryuk-ransomware-targets-big-businesses
• United States Department of Homeland Security, Cybersecurity and Infrastructure Security Agency: Alert (TA18-201A) Emotet Malware
  https://www.us-cert.gov/ncas/alerts/TA18-201A
• Research Suggests Russian-Based Hackers Behind Ryuk Ransomware's $2.5 Million Gains
  https://finance.yahoo.com/news/research-suggests-russian-based-hackers-131700487.html

bull Long Island Ransomware Attack New York School Pays $100000bull httpswwwmsspalertcomcybersecurity-breaches-and-attacksransomwareryuk-hits-rockville-centre

24

References

TLP WHITE ID 202001301000

bull Ransomware hits computer networks of North Carolina water utility CyberScoopbull httpswwwcyberscoopcomransomware-hits-onwasa-computer-network-north-carolina-water-utility

bull Media Release Cyber-Criminals Target Critical Utility in Hurricane-Ravaged Area Onslow Water and Sewer Authority

bull httpswwwonwasacomDocumentCenterView3701Scan-from-2018-10-15-08_08_13-Abull Origin of virus that hobbled newspapers still unclear - The origins of a suspected computer attack that

disrupted the Los Angeles Times and Tribune Publishing newspapers remain unclearbull httpsabcnewsgocomUSwireStoryorigin-virus-hobbled-newspapers-unclear-60083516

bull Meet CrowdStrikersquos Adversary of the Month for February MUMMY SPIDERbull httpswwwcrowdstrikecomblogmeet-crowdstrikes-adversary-of-the-month-for-february-mummy-

spider February 8 2018 bull North Korea APT() and recent Ryuk Ransomware attacks

bull httpsblogkryptoslogiccommalware20190110dprk-emotethtmlbull US Coast Guard Warns Over Ryuk Ransomware Attacks

bull httpswwwbankinfosecuritycomus-coast-guard-warns-over-ryuk-ransomware-attacks-a-13563bull Georgia county pays a whopping $400000 to get rid of a ransomware infection

bull httpswwwzdnetcomarticlegeorgia-county-pays-a-whopping-400000-to-get-rid-of-a-ransomware-infection

bull Informations Concernant Les Rancongiciels Lockergoga Et Ryukbull httpswwwcertssigouvfruploadsCERTFR-2019-ACT-005pdf

bull Cybereason Researchers Discover a Triple Threat Attack Utilizing Emotet to Deploy TrickBot Which Steals Data and Spreads Ryuk Ransomware

bull httpswwwbenzingacompressreleases1904p13470755cybereason-researchers-discover-a-triple-threat-attack-utilizing-emote

25

References

TLP WHITE ID 202001301000

bull Ryuk Ransomware Adds IP and Computer Name Blacklistingbull httpswwwbleepingcomputercomnewssecurityryuk-ransomware-adds-ip-and-computer-name-

blacklistingbull US Coast Guard - Marine Safety Information Bulletin

bull httpswwwdcouscgmilPortals9DCO20Documents5pMSIB2019MSIB_10_19pdfbull Wizard Spider Upgrades Ryuk Ransomware to Reach Deep into LANs

bull httpsthreatpostcomwizard-spider-upgrades-ryuk-ransomware149853bull US Coast Guard Says Ryuk Ransomware Took Down Maritime Facility

bull httpswwwbleepingcomputercomnewssecurityus-coast-guard-says-ryuk-ransomware-took-down-maritime-facility

bull Mistaken For North Koreans The Ryuk Ransomware Hackers Are Making Millionsbull httpswwwforbescomsitesthomasbrewster20190220mistaken-for-north-koreans-the-ryuk-

ransomware-hackers-are-making-millions6d47034775f4bull Ryuk Ransomware Exploring the Technical and Human Connections

bull httpswwwcovewarecomblog2019219ryuk-ransomware-exploring-the-technical-and-human-connections

bull Stuarts city hall ransomware attack more than likely caused by phishing email scambull httpswwwtcpalmcomstorynewslocalmartin-county20190422city-halls-ransomware-attack-

may-linked-phishing-email-scam-ryuk3540067002bull 7 Florida municipalities have fallen prey to cyber attacks since last year

bull httpswwwnaplesnewscomstorynewscrime201908207-florida-municipalities-have-fallen-prey-cyber-attacks-ryuk-ransomware-phishing2065063001

bull Tampa Bay Times hit with Ryuk ransomware attackbull httpsblogmalwarebytescomransomware202001tampa-bay-times-hit-with-ryuk-ransomware-

attack

26

References

TLP WHITE ID 202001301000

bull Cyber attack Virus Ryuk disrupts The Watertown Daily Times Sunday paper deliverybull httpswwwibtimessgcyber-attack-virus-ryuk-disrupts-watertown-daily-times-sunday-paper-delivery-

30503bull How a Manufacturing Firm Recovered from a Devastating Ransomware Attack

bull httpswwwdarkreadingcomattacks-breacheshow-a-manufacturing-firm-recovered-from-a-devastating-ransomware-attackdd-id1334760

bull Florida LAN Someone clicks link again giving Key Biscayne ransomwarebull httpsarstechnicacominformation-technology201906is-there-something-in-the-water-third-florida-

city-hit-by-ransomwarebull New Warning on Ryuk Ransomware

bull httpswwwdarkreadingcomdocumentaspdoc_id=1335101bull La Porte County Pays $130000 Ransom To Ryuk Ransomware

bull httpswwwbleepingcomputercomnewssecurityla-porte-county-pays-130-000-ransom-to-ryuk-ransomware

bull China on Ryuk Virus alert Deadly ransomware sneaks through the countryrsquos computer systemsbull httpswwwcryptopolitancomchina-on-ryuk-virus-alert

Ryuk Sodinokibi Ransomware Responsible for Higher Average Ransomshttpswwwbleepingcomputercomnewssecurityryuk-sodinokibi-ransomware-responsible-for-higher-average-ransoms

Ryuk Related Malware Steals Confidential Military Financial Fileshttpswwwbleepingcomputercomnewssecurityryuk-related-malware-steals-confidential-military-financial-files

Big Game Hunting with Ryuk Another Lucrative Targeted Ransomwarehttpswwwcrowdstrikecomblogbig-game-hunting-with-ryuk-another-lucrative-targeted-ransomware

27

References

TLP WHITE ID 202001301000

bull Rolling back Ryuk Ransomwarebull httpsnewssophoscomen-us20191004rolling-back-ryuk-ransomware

bull DCH Hospital Pays Ryuk Ransomware for Decryption Keybull httpswwwbleepingcomputercomnewssecuritydch-hospital-pays-ryuk-ransomware-for-decryption-

key

bull Louisiana was hit by Ryuk triggering another cyber-emergencybull httpsarstechnicacominformation-technology201911louisiana-was-hit-by-ryuk-triggering-another-

cyber-emergency

bull Security firm Prosegur Weve shut our IT network after Ryuk ransomware attackbull httpswwwzdnetcomarticlesecurity-firm-prosegur-weve-shut-our-it-network-after-ryuk-ransomware-

attack

bull Cash-moving giant Prosegur knocked offline by Ryuk ransomwarebull httpswwwcsoonlinecomarticle3504492cash-moving-giant-prosegur-knocked-offline-by-ryuk-

ransomwarehtml

bull New ransomware rakes in $4 million by adopting a ldquobig game huntingrdquo strategy Ryuk lies in wait for as long as a year then pounces on only the biggest prey

bull httpsarstechnicacominformation-technology201901new-ransomware-rakes-in-4-million-by-adopting-a-big-game-hunting-strategy

bull A Nasty Trick From Credential Theft Malware to Business Disruptionbull httpswwwfireeyecomblogthreat-research201901a-nasty-trick-from-credential-theft-malware-to-

business-disruptionhtml

28

References

TLP WHITE ID 202001301000

bull Big Game Hunting with Ryuk Another Lucrative Targeted Ransomwarebull httpswwwcrowdstrikecomblogbig-game-hunting-with-ryuk-another-lucrative-targeted-ransomware

bull Hackers Demand Bitcoin Ransom in Cyberattack on Big Canadian Restaurantsbull qhttpswwwcbccanewsbusinessransomware-hack-recipe-unlimited-restaurant-cyberattack-

14847487

bull Ryuk Ransomware Is Making Victims Left and Rightbull httpswwwbleepingcomputercomnewssecurityryuk-ransomware-is-making-victims-left-and-right

bull Ryuk Cult Character to Ransomware Villainbull httpssecurityboulevardcom201912ryuk-cult-character-to-ransomware-villain

bull Hermes ransomware distributed to South Koreans via recent Flash zero-daybull httpsblogmalwarebytescomthreat-analysis201803hermes-ransomware-distributed-to-south-

koreans-via-recent-flash-zero-day

Questions

30

Questions

Upcoming Briefsbull Artificial Intelligence ndash Application to the Healthcare Industry

bull Electronic Health Record systems

bull PyXie RAT

Product EvaluationsRecipients of this and other Healthcare Sector Cybersecurity Coordination Center (HC3) Threat Intelligence products are highly encouraged to provide feedback to HC3HHSGOV

Requests for InformationNeed information on a specific cybersecurity topic Send your request for information (RFI) to HC3HHSGOV or call us Monday-Friday between 9am-5pm (EST) at (202) 691-2110

TLP WHITE ID 202001301000

31

About Us

HC3 works with private and public sector partners to improve cybersecurity throughout the Healthcare and Public Health (HPH) Sector

Sector amp Victim Notifications White PapersDirected communications to victims or potential victims of compromises vulnerable equipment or PIIPHI theft and general notifications to the HPH about currently impacting threats via the HHS OIG

Document that provides in-depth information on a cybersecurity topic to increase comprehensive situational awareness and provide risk recommendations to a wide audience

Threat Briefings amp WebinarBriefing document and presentation that provides actionable information on health sector cybersecurity threats and mitigations Analysts present current cybersecurity topics engage in discussions with participants on current threats and highlight best practices and mitigation tactics

Need information on a specific cybersecurity topic or want to join our listserv Send your request for information (RFI) to HC3HHSGOV or call us Monday-Friday between 9am-5pm (EST) at (202) 691-2110

Products

TLP WHITE ID 202001301000

Contact

Health Sector Cybersecurity Coordination Center (HC3)

(202) 691-2110 HC3HHSGOV

  • Ryuk Update
  • Agenda
  • Overview
  • Functionality
  • Shifting Attribution
  • Shifting Attribution
  • Slide Number 7
  • Threat Actors
  • Threat Actors
  • Slide Number 10
  • Slide Number 11
  • Ransom Demands
  • Slide Number 13
  • Slide Number 14
  • Slide Number 15
  • Slide Number 16
  • Slide Number 17
  • Slide Number 18
  • Slide Number 19
  • Slide Number 20
  • References
  • References
  • References
  • References
  • References
  • References
  • References
  • References
  • Slide Number 29
  • Questions
  • About Us
  • Slide Number 32
Page 12: Ryuk Update - HHS.gov · 2020. 7. 7. · Internet. We have attempted to include as many as possible in this presentation. However, there may be some available to the public not included

12TLP WHITE ID 202001301000

Ransom Demands

bull Ryuk is known to be one of the most costly ransomware familiesbull According to Coveware Ryuk payments are often 10 times more than its peers

13TLP WHITE ID 202001301000

bull March 2019bull IT systems for Jackson County Georgia attacked They paid $400000 (most IT systems except

website and 911 knocked down)

bull May 2019 bull Disrupted operations of CE Niehoff amp Co a manufacturing firm

bull April 2019 bull Stuart Florida attacked with Ryukbull Imperial County California refused to pay $12M Ryuk ransom demand but suffered downtime

bull June 2019bull Key Biscayne Florida attacked with Ryukbull Lake City Florida paid ~$460K in Ryuk attack ransombull British GCHQ releases warning about global Ryuk campaignbull Georgiarsquos Administrative Office of the Courts attacked

bull July 2019bull La Porte County Indiana attacked paid $130000 ransom bull Chinese company Tencent releases report on Ryuk attacking targets in Chinabull Coveware report notes dramatically increasing ransomware ransom demands identifies Ryuk as one

of the reasonsbull New Bedford Massachusetts attacked Refused to pay ransom and rebuiltbull Several Louisiana school districts attacked with Ryuk

Prominent Ryuk Activity and Alerts in the Last Year

14TLP WHITE ID 202001301000

Prominent Ryuk Activity and Alerts in the Last Yearbull August 2019

bull Rockville Centre school district (Long Island New York) paid nearly $100000 ransom for a Ryuk attack

bull September 2019bull Ryuk-related malware observed exfiltrating sensitive military and financial files

bull October 2019bull DCH Health System in Alabama were attacked shut down and temporarily stopped admitting new

non-emergency patients

bull November 2019bull Ransomware attack on Louisiana Office of Technology Services likely Ryuk based on publically-

releasedbull Multinational Spanish security company Prosegur temporarily shut down IT network after Ryuk attackbull Ryuk attack on Cadena SER (Spainrsquos largest radio station)bull Ryuk attack on T-System a provider of end-to-end IT solutions for emergency and urgent healthcare

providers allegedly the infection spread to public segments such as their demilitarized zone extranet and even their helpdesk

bull December 2019bull Ryuk used to attack IT network of a federally regulated maritime facility

bull January 2020bull Ryuk used to attack several oil and gas facilitiesbull Coveware again reports dramatically increasing ransomware demands identifies Ryuk as one of the

reasons

15TLP WHITE ID 202001301000

Prominent Ryuk Activity and Alerts in the Last Yearbull January 2020

bull Ryuk used to attack several oil and gas facilitiesbull Coveware again reports dramatically increasing ransomware demands identifies Ryuk as one of the

reasons

16

Ryuk Defense and Mitigations

TLP WHITE ID 202001301000

bull Provide social engineering and phishing training to employees [10SA] [1MD]

bull Develop and maintain policy on suspicious e-mails for end users Ensure suspicious e-mails are reported [10SA] [10MA]

bull Ensure emails originating from outside the organization are automatically marked before received [1SA] [1MA]

bull Apply applicable patches and updates immediately after testing Develop and maintain patching program if necessary [7SA] [7MD]

bull Implement Intrusion Detection System (IDS) [6SC] [6MC] [6LC]bull Implement spam filters at the email gateways [1SA] [1MA]bull Block suspicious IP addresses at the firewall [6SA] [6MA] [6LE]

bull Implement whitelisting technology on appropriate assets to ensure that only authorized software is allowed to execute [2SA] [2MA] [2LE]

bull Implement access control based on the principal of least privilege [3SA] [3MA] [3LC]

bull Implement and maintain anti-malware solution [2SA] [2MA] [2LD]

bull Conduct system hardening to ensure proper configurations [7SA] [7MD]bull Disable the use of Remote Desktop Protocol (RDP) or if absolutely needed

restrict its use applying the principle of least privilege and monitorlog its usage [7SA] [7MD]

We suggest contacting local law enforcement in the case of a cyberattack Also the FBIrsquos Internet Crime Complaint Center (IC3) can be reached herehttpswwwic3govcomplaintdefaultaspx


Notes on the Indicators of Compromise

Please note several things about the indicators of compromise (IOCs) on the following slides:
• There is a significant quantity of indicators of compromise related to Ryuk available on the public Internet. We have attempted to include as many as possible in this presentation; however, there may be some available to the public that are not included here.
• Upon being released to the public, IOCs may become "burned", which is to say that the attackers adjust their TTPs, weapons and infrastructure so that the public IOCs are no longer used.
• There are instances of obsolete IOCs being reused, so any organization attempting to defend itself should consider all possibilities.
• New IOCs are constantly being released, especially for a tool as prominent and frequently used as TrickBot. It is therefore incumbent upon any organization attempting to defend itself to remain vigilant, maintain situational awareness and be ever on the lookout for new IOCs to operationalize in its cyber defense infrastructure.


Indicators of Compromise


Command and control

474916850 4211591177 199227126250 68417310

1901457484 1377415118 24113161184 7218912441

18525138208 719410125 1972325085 741345113

18868208240 206130141255 9423220113 10527171234

24247181155 923816339 1901457484 1822532066

174105235178 7414016033 474916850 17222297179

18580148162 6531241133 6412817537

18111317230 14019054187 242272224

17410523382 24247181226 21318363245

71141298 46149182112 10311091118

2161836243 21332122246 241196970


Indicators of Compromise (Continued)


Hashes (32-character hex, MD5 format)

1354ac0d5be0c8d03f4e3aba78d2223e
29340643ca2e6677c19e1d3bf351d654
5ac0f050f93f86e69026faea1fbb4450
86c314bc2dc37ba84f7364acd5108c2b
958c594909933d4c82e93c22850194aa
c0202cf6aeab8437c638533d14563d35
cb0c1248d3899358a375888bb4e8f3fe
d348f536e214a47655af387408b4fca5
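Operationalizing a hash list like the one above means getting it into a form a tool can match against, then hashing candidate files the same way. The following Python script is an added example, not part of the HC3 briefing. It parses the eight MD5 values listed on this slide (tolerating mixed case, commas and line wraps, since IOC lists are usually pasted from PDFs and web pages), hashes files in fixed-size chunks so large files do not exhaust memory, and reports matches. The only real data are the eight hashes; the file contents used in the demonstration are constructed, and the "hit" is produced by adding the constructed blob's own hash to a copy of the IOC set, since no file hashing to a listed value is available here.

```python
"""Sweep in-memory blobs or a directory tree for the Ryuk MD5 hashes above.

Added example for the HC3 Ryuk brief, not code from the original deck.
The eight hashes are from the slide; all file contents below are constructed.
"""
import hashlib
import os
import re

# Copied from the slide; the parser below does not care about layout or case.
RYUK_MD5_IOCS = """
1354ac0d5be0c8d03f4e3aba78d2223e 29340643ca2e6677c19e1d3bf351d654
5ac0f050f93f86e69026faea1fbb4450 86c314bc2dc37ba84f7364acd5108c2b
958c594909933d4c82e93c22850194aa c0202cf6aeab8437c638533d14563d35
cb0c1248d3899358a375888bb4e8f3fe d348f536e214a47655af387408b4fca5
"""

_MD5_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")


def parse_md5_iocs(text: str) -> frozenset:
    """Extract every 32-hex token and lower-case it.

    Pasted IOC lists arrive with mixed case, commas, bullets and line wraps;
    anchoring on the token shape instead of the layout makes loading robust.
    """
    return frozenset(m.lower() for m in _MD5_RE.findall(text))


def md5_of_bytes(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def md5_of_file(path: str, chunk: int = 1 << 20) -> str:
    """Hash a file in 1 MiB chunks so large files do not load into memory."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep_blobs(blobs: dict, iocs: frozenset) -> dict:
    """Return {name: md5} for in-memory blobs whose MD5 is in the IOC set."""
    hits = {}
    for name, data in blobs.items():
        digest = md5_of_bytes(data)
        if digest in iocs:
            hits[name] = digest
    return hits


def sweep_tree(root: str, iocs: frozenset) -> dict:
    """Return {path: md5} for files under root whose MD5 is in the IOC set.

    Unreadable files (permissions, vanished temp files) are skipped so one
    error does not abort the whole sweep.
    """
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = md5_of_file(path)
            except OSError:
                continue
            if digest in iocs:
                hits[path] = digest
    return hits


if __name__ == "__main__":
    iocs = parse_md5_iocs(RYUK_MD5_IOCS)
    # Constructed demo: one benign blob and one "sample" whose hash is added to a
    # copy of the IOC set purely to show what a match looks like.
    demo = {"notes.txt": b"quarterly budget notes",
            "dropper.exe": b"\x4d\x5a constructed sample, not real malware"}
    iocs_with_demo = iocs | {md5_of_bytes(demo["dropper.exe"])}
    print("blob hits:", sweep_blobs(demo, iocs_with_demo))
    print("tree hits:", sweep_tree(".", iocs))
```

Because the slide also warns that public IOCs get burned, treat a clean sweep as absence of these particular samples rather than absence of Ryuk; the same loader can ingest newer hash lists as they are published, and the file-hashing path is unchanged.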

References

• Ryuk Ransomware: Exploring the Technical and Human Connections (Coveware)
  https://www.coveware.com/blog/2019/2/19/ryuk-ransomware-exploring-the-technical-and-human-connections
• 2017 Cylance Threat Report
  https://pages.cylance.com/2018-03CylanceThreatReport2017.html
• 2018 Global Threat Report: Blurring the Lines Between Statecraft and Tradecraft (CrowdStrike)
  https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2018GlobalThreatReport.pdf
• TEMP.MixMaster group infects with Trickbot and delayed Ryuk ransomware combo
  https://www.scmagazine.com/home/security-news/financially-motivated-threat-actors-referred-to-as-temp-mixmaster-are-infecting-victims-with-trickbot-malware-before-deploying-the-infamous-ryuk-ransomware/
• Ryuk ransomware linked to Emotet and TrickBot trojans; suspicions shift to cybercriminal group
  https://www.scmagazine.com/home/security-news/ryuk-ransomware-linked-to-emotet-and-trickbot-trojans-suspicions-shift-to-cybercriminal-group/
• Ryuk ransomware earns hackers $3.7M in Bitcoin over 5 months: 52 known ransom transactions were recorded, the highest worth 99 BTC
  https://thenextweb.com/hardfork/2019/01/14/ryuk-bitcoin-ransomware/
• Ryuk Ransomware Crew Makes $640,000 in Recent Activity Surge
  https://www.bleepingcomputer.com/news/security/ryuk-ransomware-crew-makes-640-000-in-recent-activity-surge/
• Ryuk ransomware gang probably Russian, not North Korean
  https://www.zdnet.com/article/ryuk-ransomware-gang-probably-russian-not-north-korean/
• Cloud Hosting Provider Dataresolution.net Hit by Ryuk Ransomware
  https://www.securitysw.com/blog/cloud-hosting-provider-dataresolution-net-hit-by-ryuk-ransomware
• Trojan.TrickBot (Malwarebytes detection entry)
  https://blog.malwarebytes.com/detections/trojan-trickbot/
• TrickBot Banking Trojan Takes Center Stage in 2018
  https://blog.barkly.com/trickbot-trojan-2018-campaigns
• HHS HCCIC cybersecurity alert: New Ryuk ransomware quickly racking up damage
  https://www.healthcareitnews.com/news/hhs-hccic-cybersecurity-alert-new-ryuk-ransomware-quickly-racking-damage
• Notorious Ryuk Ransomware Adds Trojans to Cyberattack Method
  https://healthitsecurity.com/news/notorious-ryuk-ransomware-adds-trojans-to-cyberattack-method
• Emotet re-emerges after the holidays (Cisco Talos)
  https://blog.talosintelligence.com/2019/01/return-of-emotet.html
• The Unholy Alliance of Emotet, TrickBot and the Ryuk Ransomware
  https://duo.com/decipher/the-unholy-alliance-of-emotet-trickbot-and-the-ryuk-ransomware
• Cybercrime and Other Threats Faced by the Healthcare Industry (Trend Micro)
  https://www.trendmicro.com/content/dam/trendmicro/global/en/security-intelligence/research/reports/wp-cybercrime-&-other-threats-faced-by-the-healthcare-industry.pdf
• Ryuk ransomware targets big businesses: New ransomware group waits and gathers intel before attacking large enterprises
  https://www.techradar.com/news/ryuk-ransomware-targets-big-businesses
• Computer virus hits newspapers coast-to-coast
  https://www.nbcnews.com/news/us-news/computer-virus-hits-southern-california-newspapers-n953001
• Ryuk Ransomware: A Targeted Campaign Break-Down (Check Point Research)
  https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/
• United States Department of Homeland Security, Cybersecurity and Infrastructure Security Agency, Alert (TA18-201A): Emotet Malware
  https://www.us-cert.gov/ncas/alerts/TA18-201A
• Research Suggests Russian-Based Hackers Behind Ryuk Ransomware's $2.5 Million Gains
  https://finance.yahoo.com/news/research-suggests-russian-based-hackers-131700487.html
• Long Island Ransomware Attack: New York School Pays $100,000
  https://www.msspalert.com/cybersecurity-breaches-and-attacks/ransomware/ryuk-hits-rockville-centre/
• Ransomware hits computer networks of North Carolina water utility (CyberScoop)
  https://www.cyberscoop.com/ransomware-hits-onwasa-computer-network-north-carolina-water-utility/
• Media Release: Cyber-Criminals Target Critical Utility in Hurricane-Ravaged Area (Onslow Water and Sewer Authority)
  https://www.onwasa.com/DocumentCenter/View/3701/Scan-from-2018-10-15-08_08_13-A
• Origin of virus that hobbled newspapers still unclear: The origins of a suspected computer attack that disrupted the Los Angeles Times and Tribune Publishing newspapers remain unclear
  https://abcnews.go.com/US/wireStory/origin-virus-hobbled-newspapers-unclear-60083516
• Meet CrowdStrike's Adversary of the Month for February: MUMMY SPIDER (February 8, 2018)
  https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-february-mummy-spider/
• North Korea APT(?) and recent Ryuk Ransomware attacks (Kryptos Logic)
  https://blog.kryptoslogic.com/malware/2019/01/10/dprk-emotet.html
• US Coast Guard Warns Over Ryuk Ransomware Attacks
  https://www.bankinfosecurity.com/us-coast-guard-warns-over-ryuk-ransomware-attacks-a-13563
• Georgia county pays a whopping $400,000 to get rid of a ransomware infection
  https://www.zdnet.com/article/georgia-county-pays-a-whopping-400000-to-get-rid-of-a-ransomware-infection/
• Informations concernant les rançongiciels LockerGoga et Ryuk [Information on the LockerGoga and Ryuk ransomware] (CERT-FR)
  https://www.cert.ssi.gouv.fr/uploads/CERTFR-2019-ACT-005.pdf
• Cybereason Researchers Discover a Triple Threat Attack Utilizing Emotet to Deploy TrickBot, Which Steals Data and Spreads Ryuk Ransomware
  https://www.benzinga.com/pressreleases/19/04/p13470755/cybereason-researchers-discover-a-triple-threat-attack-utilizing-emote
• Ryuk Ransomware Adds IP and Computer Name Blacklisting
  https://www.bleepingcomputer.com/news/security/ryuk-ransomware-adds-ip-and-computer-name-blacklisting/
• US Coast Guard Marine Safety Information Bulletin (MSIB 10-19)
  https://www.dco.uscg.mil/Portals/9/DCO%20Documents/5p/MSIB/2019/MSIB_10_19.pdf
• Wizard Spider Upgrades Ryuk Ransomware to Reach Deep into LANs
  https://threatpost.com/wizard-spider-upgrades-ryuk-ransomware/149853/
• US Coast Guard Says Ryuk Ransomware Took Down Maritime Facility
  https://www.bleepingcomputer.com/news/security/us-coast-guard-says-ryuk-ransomware-took-down-maritime-facility/
• Mistaken For North Koreans, The Ryuk Ransomware Hackers Are Making Millions
  https://www.forbes.com/sites/thomasbrewster/2019/02/20/mistaken-for-north-koreans-the-ryuk-ransomware-hackers-are-making-millions/
• Stuart's city hall ransomware attack more than likely caused by phishing email scam
  https://www.tcpalm.com/story/news/local/martin-county/2019/04/22/city-halls-ransomware-attack-may-linked-phishing-email-scam-ryuk/3540067002/
• 7 Florida municipalities have fallen prey to cyber attacks since last year
  https://www.naplesnews.com/story/news/crime/2019/08/20/7-florida-municipalities-have-fallen-prey-cyber-attacks-ryuk-ransomware-phishing/2065063001/
• Tampa Bay Times hit with Ryuk ransomware attack
  https://blog.malwarebytes.com/ransomware/2020/01/tampa-bay-times-hit-with-ryuk-ransomware-attack/
• Cyber attack: Virus Ryuk disrupts The Watertown Daily Times Sunday paper delivery
  https://www.ibtimes.sg/cyber-attack-virus-ryuk-disrupts-watertown-daily-times-sunday-paper-delivery-30503
• How a Manufacturing Firm Recovered from a Devastating Ransomware Attack
  https://www.darkreading.com/attacks-breaches/how-a-manufacturing-firm-recovered-from-a-devastating-ransomware-attack/d/d-id/1334760
• Florida LAN: Someone clicks link, again giving Key Biscayne ransomware
  https://arstechnica.com/information-technology/2019/06/is-there-something-in-the-water-third-florida-city-hit-by-ransomware/
• New Warning on Ryuk Ransomware
  https://www.darkreading.com/document.asp?doc_id=1335101
• La Porte County Pays $130,000 Ransom To Ryuk Ransomware
  https://www.bleepingcomputer.com/news/security/la-porte-county-pays-130-000-ransom-to-ryuk-ransomware/
• China on Ryuk Virus alert: Deadly ransomware sneaks through the country's computer systems
  https://www.cryptopolitan.com/china-on-ryuk-virus-alert/
• Ryuk, Sodinokibi Ransomware Responsible for Higher Average Ransoms
  https://www.bleepingcomputer.com/news/security/ryuk-sodinokibi-ransomware-responsible-for-higher-average-ransoms/
• Ryuk Related Malware Steals Confidential Military, Financial Files
  https://www.bleepingcomputer.com/news/security/ryuk-related-malware-steals-confidential-military-financial-files/
• Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware (CrowdStrike)
  https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/
• Rolling back Ryuk Ransomware (Sophos)
  https://news.sophos.com/en-us/2019/10/04/rolling-back-ryuk-ransomware/
• DCH Hospital Pays Ryuk Ransomware for Decryption Key
  https://www.bleepingcomputer.com/news/security/dch-hospital-pays-ryuk-ransomware-for-decryption-key/
• Louisiana was hit by Ryuk, triggering another cyber-emergency
  https://arstechnica.com/information-technology/2019/11/louisiana-was-hit-by-ryuk-triggering-another-cyber-emergency/
• Security firm Prosegur: We've shut our IT network after Ryuk ransomware attack
  https://www.zdnet.com/article/security-firm-prosegur-weve-shut-our-it-network-after-ryuk-ransomware-attack/
• Cash-moving giant Prosegur knocked offline by Ryuk ransomware
  https://www.csoonline.com/article/3504492/cash-moving-giant-prosegur-knocked-offline-by-ryuk-ransomware.html
• New ransomware rakes in $4 million by adopting a "big game hunting" strategy: Ryuk lies in wait for as long as a year, then pounces on only the biggest prey
  https://arstechnica.com/information-technology/2019/01/new-ransomware-rakes-in-4-million-by-adopting-a-big-game-hunting-strategy/
• A Nasty Trick: From Credential Theft Malware to Business Disruption (FireEye)
  https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html
• Hackers Demand Bitcoin Ransom in Cyberattack on Big Canadian Restaurants
  https://www.cbc.ca/news/business/ransomware-hack-recipe-unlimited-restaurant-cyberattack-1.4847487
• Ryuk Ransomware Is Making Victims Left and Right
  https://www.bleepingcomputer.com/news/security/ryuk-ransomware-is-making-victims-left-and-right/
• Ryuk: Cult Character to Ransomware Villain
  https://securityboulevard.com/2019/12/ryuk-cult-character-to-ransomware-villain/
• Hermes ransomware distributed to South Koreans via recent Flash zero-day
  https://blog.malwarebytes.com/threat-analysis/2018/03/hermes-ransomware-distributed-to-south-koreans-via-recent-flash-zero-day/

Questions

Upcoming Briefs
• Artificial Intelligence: Application to the Healthcare Industry
• Electronic Health Record systems
• PyXie RAT

Product Evaluations
Recipients of this and other Healthcare Sector Cybersecurity Coordination Center (HC3) Threat Intelligence products are highly encouraged to provide feedback to HC3@HHS.GOV.

Requests for Information
Need information on a specific cybersecurity topic? Send your request for information (RFI) to HC3@HHS.GOV or call us Monday-Friday between 9am-5pm (EST) at (202) 691-2110.

About Us

HC3 works with private and public sector partners to improve cybersecurity throughout the Healthcare and Public Health (HPH) Sector.

Products

Sector & Victim Notifications: Directed communications to victims or potential victims of compromises, vulnerable equipment or PII/PHI theft, and general notifications to the HPH about currently impacting threats via the HHS OIG.

White Papers: Document that provides in-depth information on a cybersecurity topic to increase comprehensive situational awareness and provide risk recommendations to a wide audience.

Threat Briefings & Webinar: Briefing document and presentation that provides actionable information on health sector cybersecurity threats and mitigations. Analysts present current cybersecurity topics, engage in discussions with participants on current threats, and highlight best practices and mitigation tactics.

Need information on a specific cybersecurity topic or want to join our listserv? Send your request for information (RFI) to HC3@HHS.GOV or call us Monday-Friday between 9am-5pm (EST) at (202) 691-2110.

Contact

Health Sector Cybersecurity Coordination Center (HC3)
(202) 691-2110 | HC3@HHS.GOV

  • Ryuk Update
  • Agenda
  • Overview
  • Functionality
  • Shifting Attribution
  • Shifting Attribution
  • Slide Number 7
  • Threat Actors
  • Threat Actors
  • Slide Number 10
  • Slide Number 11
  • Ransom Demands
  • Slide Number 13
  • Slide Number 14
  • Slide Number 15
  • Slide Number 16
  • Slide Number 17
  • Slide Number 18
  • Slide Number 19
  • Slide Number 20
  • References
  • References
  • References
  • References
  • References
  • References
  • References
  • References
  • Slide Number 29
  • Questions
  • About Us
  • Slide Number 32
Page 13: Ryuk Update - HHS.gov · 2020. 7. 7. · Internet. We have attempted to include as many as possible in this presentation. However, there may be some available to the public not included

13TLP WHITE ID 202001301000

bull March 2019bull IT systems for Jackson County Georgia attacked They paid $400000 (most IT systems except

website and 911 knocked down)

bull May 2019 bull Disrupted operations of CE Niehoff amp Co a manufacturing firm

bull April 2019 bull Stuart Florida attacked with Ryukbull Imperial County California refused to pay $12M Ryuk ransom demand but suffered downtime

bull June 2019bull Key Biscayne Florida attacked with Ryukbull Lake City Florida paid ~$460K in Ryuk attack ransombull British GCHQ releases warning about global Ryuk campaignbull Georgiarsquos Administrative Office of the Courts attacked

bull July 2019bull La Porte County Indiana attacked paid $130000 ransom bull Chinese company Tencent releases report on Ryuk attacking targets in Chinabull Coveware report notes dramatically increasing ransomware ransom demands identifies Ryuk as one

of the reasonsbull New Bedford Massachusetts attacked Refused to pay ransom and rebuiltbull Several Louisiana school districts attacked with Ryuk

Prominent Ryuk Activity and Alerts in the Last Year

14TLP WHITE ID 202001301000

Prominent Ryuk Activity and Alerts in the Last Yearbull August 2019

bull Rockville Centre school district (Long Island New York) paid nearly $100000 ransom for a Ryuk attack

bull September 2019bull Ryuk-related malware observed exfiltrating sensitive military and financial files

bull October 2019bull DCH Health System in Alabama were attacked shut down and temporarily stopped admitting new

non-emergency patients

bull November 2019bull Ransomware attack on Louisiana Office of Technology Services likely Ryuk based on publically-

releasedbull Multinational Spanish security company Prosegur temporarily shut down IT network after Ryuk attackbull Ryuk attack on Cadena SER (Spainrsquos largest radio station)bull Ryuk attack on T-System a provider of end-to-end IT solutions for emergency and urgent healthcare

providers allegedly the infection spread to public segments such as their demilitarized zone extranet and even their helpdesk

bull December 2019bull Ryuk used to attack IT network of a federally regulated maritime facility

bull January 2020bull Ryuk used to attack several oil and gas facilitiesbull Coveware again reports dramatically increasing ransomware demands identifies Ryuk as one of the

reasons

15TLP WHITE ID 202001301000

Prominent Ryuk Activity and Alerts in the Last Yearbull January 2020

bull Ryuk used to attack several oil and gas facilitiesbull Coveware again reports dramatically increasing ransomware demands identifies Ryuk as one of the

reasons

16

Ryuk Defense and Mitigations

TLP WHITE ID 202001301000

bull Provide social engineering and phishing training to employees [10SA] [1MD]

bull Develop and maintain policy on suspicious e-mails for end users Ensure suspicious e-mails are reported [10SA] [10MA]

bull Ensure emails originating from outside the organization are automatically marked before received [1SA] [1MA]

bull Apply applicable patches and updates immediately after testing Develop and maintain patching program if necessary [7SA] [7MD]

bull Implement Intrusion Detection System (IDS) [6SC] [6MC] [6LC]bull Implement spam filters at the email gateways [1SA] [1MA]bull Block suspicious IP addresses at the firewall [6SA] [6MA] [6LE]

bull Implement whitelisting technology on appropriate assets to ensure that only authorized software is allowed to execute [2SA] [2MA] [2LE]

bull Implement access control based on the principal of least privilege [3SA] [3MA] [3LC]

bull Implement and maintain anti-malware solution [2SA] [2MA] [2LD]

bull Conduct system hardening to ensure proper configurations [7SA] [7MD]bull Disable the use of Remote Desktop Protocol (RDP) or if absolutely needed

restrict its use applying the principle of least privilege and monitorlog its usage [7SA] [7MD]

We suggest contacting local law enforcement in the case of a cyberattack Also the FBIrsquos Internet Crime Complaint Center (IC3) can be reached herehttpswwwic3govcomplaintdefaultaspx

17TLP WHITE ID 202001301000

Prominent Ryuk Activity and Alerts in the Last Year

bull Please note several things about the indicators of compromise (IOCs) on the following slidesbull There is a significant quantity of indicators of compromise related to Ryuk available on the public

Internet We have attempted to include as many as possible in this presentation However there may be some available to the public not included here

bull Upon being released to the public IOCs may become ldquoburnedrdquo which is to say that the attackers will adjust their TTPs weapon and infrastructure so that the public IOCs are no longer used

bull There are instances of obsolete IOCs being reused so any organization attempting to defend themselves should consider all possibilities

bull New IOCs are constantly being released especially with a tool as prominent and frequently used as TrickBot It is therefore incumbent upon any organization attempting to defend themselves to remain vigilant maintain situational awareness and be ever on the lookout for new IOCs to operationalize in their cyber defense infrastructure

18

Indicators of Compromise

TLP WHITE ID 202001301000

Command and control

474916850 4211591177 199227126250 68417310

1901457484 1377415118 24113161184 7218912441

18525138208 719410125 1972325085 741345113

18868208240 206130141255 9423220113 10527171234

24247181155 923816339 1901457484 1822532066

174105235178 7414016033 474916850 17222297179

18580148162 6531241133 6412817537

18111317230 14019054187 242272224

17410523382 24247181226 21318363245

71141298 46149182112 10311091118

2161836243 21332122246 241196970

19

Indicators of Compromise (Continued)

TLP WHITE ID 202001301000

Hashes

1354ac0d5be0c8d03f4e3aba78d2223e 29340643ca2e6677c19e1d3bf351d654 5ac0f050f93f86e69026faea1fbb4450 86c314bc2dc37ba84f7364acd5108c2b 958c594909933d4c82e93c22850194aa c0202cf6aeab8437c638533d14563d35 cb0c1248d3899358a375888bb4e8f3fe d348f536e214a47655af387408b4fca5

Reference Materials

21

References

TLP WHITE ID 202001301000

bull Ryuk Ransomware Exploring the Technical and Human Connectionsbull httpswwwcovewarecomblog2019219ryuk-ransomware-exploring-the-technical-and-human-

connections

bull 2017 Cylance Threat Reportbull httpspagescylancecom2018-03CylanceThreatReport2017html

bull 2018 Global Threat Report Blurring the Lines Between Statecraft and Tradecraft Crowdstrikebull httpsgocrowdstrikecomrs281-OBQ-266imagesReport2018GlobalThreatReportpdf

bull TEMPMixMaster group infects with Trickbot and delayed Ryuk ransomware combobull httpswwwscmagazinecomhomesecurity-newsfinancially-motivated-threat-actorsreferred-to-as-

temp-mixmaster-are-infecting-victims-with-trickbot-malware-before-deploying-the-infamous-ryuk-ransomware

bull Ryuk ransomware linked to Emotet and TrickBot trojans suspicions shift to cybercriminal groupbull httpswwwscmagazinecomhomesecurity-newsryuk-ransomware-linked-to-emotet-and-trickbot-

trojans-suspicions-shift-to-cybercriminal-group

bull Ryuk ransomware earns hackers $37M in Bitcoin over 5 months - 52 known ransom transactions were recorded the highest worth 99 BTC

bull httpsthenextwebcomhardfork20190114ryuk-bitcoin-ransomware

bull Ryuk Ransomware Crew Makes $640000 in Recent Activity Surgebull httpswwwbleepingcomputercomnewssecurityryuk-ransomware-crew-makes-640-000-in-recent-

activity-surge

22

References

TLP WHITE ID 202001301000

bull Ryuk ransomware gang probably Russian not North Koreanbull httpswwwzdnetcomarticleryuk-ransomware-gang-probably-russian-not-north-korean

bull Cloud Hosting Provider Dataresolutionnet Hit by Ryuk Ransomwarebull httpswwwsecurityswcomblogcloud-hosting-provider-dataresolution-net-hit-by-ryuk-ransomware

bull CrowdStrike 2018 Global Threat Report Blurring the Lines Between Statecraft and Tradecraftbull httpsgocrowdstrikecomrs281-OBQ-266imagesReport2018GlobalThreatReportpdf

bull TrojanTrickBotbull httpsblogmalwarebytescomdetectionstrojan-trickbot

bull TrickBot Banking Trojan Takes Center Stage in 2018bull httpsblogbarklycomtrickbot-trojan-2018-campaigns

bull HHS HCCIC cybersecurity alert New Ryuk ransomware quickly racking up damagebull httpswwwhealthcareitnewscomnewshhs-hccic-cybersecurity-alert-new-ryuk-ransomware-quickly-

racking-damage

bull Notorious Ryuk Ransomware Adds Trojans to Cyberattack Methodbull httpshealthitsecuritycomnewsnotorious-ryuk-ransomware-adds-trojans-to-cyberattack-method

bull Emotet re-emerges after the holidaysbull httpsblogtalosintelligencecom201901return-of-emotethtml

bull The Unholy Alliance of Emotet TrickBot and the Ryuk Ransomwarebull httpsduocomdecipherthe-unholy-alliance-of-emotet-trickbot-and-the-ryuk-ransomware

23

References

TLP WHITE ID 202001301000

bull Cybercrime and Other Threats Faced by the Healthcare Industrybull httpswwwtrendmicrocomcontentdamtrendmicroglobalensecurity-

intelligenceresearchreportswp-cybercrime-amp-other-threats-faced-by-the-healthcare-industrypdf

bull Ryuk ransomware targets big businesses New ransomware group waits and gathers intel before attacking large enterprises

bull httpswwwtechradarcomnewsryuk-ransomware-targets-big-businesses

bull Computer virus hits newspapers coast-to-coastbull httpswwwnbcnewscomnewsus-newscomputer-virus-hits-southern-california-newspapers-

n953001

bull Ryuk Ransomware A Targeted Campaign Break-Down CheckPoint Researchbull httpsresearchcheckpointcomryuk-ransomware-targeted-campaign-break

bull Ryuk ransomware targets big businessesbull httpswwwtechradarcomnewsryuk-ransomware-targets-big-businesses

bull United States Department of Homeland Security Cybersecurity and Infrastructure Security Agency Alert (TA18-201A) Emotet Malware

bull httpswwwus-certgovncasalertsTA18-201A

bull Research Suggests Russian-Based Hackers Behind Ryuk Ransomwarersquos $25 Million Gainsbull httpsfinanceyahoocomnewsresearch-suggests-russian-based-hackers-131700487html

bull Long Island Ransomware Attack New York School Pays $100000bull httpswwwmsspalertcomcybersecurity-breaches-and-attacksransomwareryuk-hits-rockville-centre

24

References

TLP WHITE ID 202001301000

bull Ransomware hits computer networks of North Carolina water utility CyberScoopbull httpswwwcyberscoopcomransomware-hits-onwasa-computer-network-north-carolina-water-utility

bull Media Release Cyber-Criminals Target Critical Utility in Hurricane-Ravaged Area Onslow Water and Sewer Authority

bull httpswwwonwasacomDocumentCenterView3701Scan-from-2018-10-15-08_08_13-Abull Origin of virus that hobbled newspapers still unclear - The origins of a suspected computer attack that

disrupted the Los Angeles Times and Tribune Publishing newspapers remain unclearbull httpsabcnewsgocomUSwireStoryorigin-virus-hobbled-newspapers-unclear-60083516

bull Meet CrowdStrikersquos Adversary of the Month for February MUMMY SPIDERbull httpswwwcrowdstrikecomblogmeet-crowdstrikes-adversary-of-the-month-for-february-mummy-

spider February 8 2018 bull North Korea APT() and recent Ryuk Ransomware attacks

bull httpsblogkryptoslogiccommalware20190110dprk-emotethtmlbull US Coast Guard Warns Over Ryuk Ransomware Attacks

bull httpswwwbankinfosecuritycomus-coast-guard-warns-over-ryuk-ransomware-attacks-a-13563bull Georgia county pays a whopping $400000 to get rid of a ransomware infection

bull httpswwwzdnetcomarticlegeorgia-county-pays-a-whopping-400000-to-get-rid-of-a-ransomware-infection

bull Informations Concernant Les Rancongiciels Lockergoga Et Ryukbull httpswwwcertssigouvfruploadsCERTFR-2019-ACT-005pdf

bull Cybereason Researchers Discover a Triple Threat Attack Utilizing Emotet to Deploy TrickBot Which Steals Data and Spreads Ryuk Ransomware

bull httpswwwbenzingacompressreleases1904p13470755cybereason-researchers-discover-a-triple-threat-attack-utilizing-emote

25

References

TLP WHITE ID 202001301000

bull Ryuk Ransomware Adds IP and Computer Name Blacklistingbull httpswwwbleepingcomputercomnewssecurityryuk-ransomware-adds-ip-and-computer-name-

blacklistingbull US Coast Guard - Marine Safety Information Bulletin

bull httpswwwdcouscgmilPortals9DCO20Documents5pMSIB2019MSIB_10_19pdfbull Wizard Spider Upgrades Ryuk Ransomware to Reach Deep into LANs

bull httpsthreatpostcomwizard-spider-upgrades-ryuk-ransomware149853bull US Coast Guard Says Ryuk Ransomware Took Down Maritime Facility

bull httpswwwbleepingcomputercomnewssecurityus-coast-guard-says-ryuk-ransomware-took-down-maritime-facility

bull Mistaken For North Koreans The Ryuk Ransomware Hackers Are Making Millionsbull httpswwwforbescomsitesthomasbrewster20190220mistaken-for-north-koreans-the-ryuk-

ransomware-hackers-are-making-millions6d47034775f4bull Ryuk Ransomware Exploring the Technical and Human Connections

bull httpswwwcovewarecomblog2019219ryuk-ransomware-exploring-the-technical-and-human-connections

bull Stuarts city hall ransomware attack more than likely caused by phishing email scambull httpswwwtcpalmcomstorynewslocalmartin-county20190422city-halls-ransomware-attack-

may-linked-phishing-email-scam-ryuk3540067002bull 7 Florida municipalities have fallen prey to cyber attacks since last year

bull httpswwwnaplesnewscomstorynewscrime201908207-florida-municipalities-have-fallen-prey-cyber-attacks-ryuk-ransomware-phishing2065063001

bull Tampa Bay Times hit with Ryuk ransomware attackbull httpsblogmalwarebytescomransomware202001tampa-bay-times-hit-with-ryuk-ransomware-

attack

26

References

TLP WHITE ID 202001301000

bull Cyber attack Virus Ryuk disrupts The Watertown Daily Times Sunday paper deliverybull httpswwwibtimessgcyber-attack-virus-ryuk-disrupts-watertown-daily-times-sunday-paper-delivery-

30503bull How a Manufacturing Firm Recovered from a Devastating Ransomware Attack

bull httpswwwdarkreadingcomattacks-breacheshow-a-manufacturing-firm-recovered-from-a-devastating-ransomware-attackdd-id1334760

bull Florida LAN Someone clicks link again giving Key Biscayne ransomwarebull httpsarstechnicacominformation-technology201906is-there-something-in-the-water-third-florida-

city-hit-by-ransomwarebull New Warning on Ryuk Ransomware

bull httpswwwdarkreadingcomdocumentaspdoc_id=1335101bull La Porte County Pays $130000 Ransom To Ryuk Ransomware

bull httpswwwbleepingcomputercomnewssecurityla-porte-county-pays-130-000-ransom-to-ryuk-ransomware


14

TLP: WHITE, ID# 202001301000

Prominent Ryuk Activity and Alerts in the Last Year

• August 2019
  • Rockville Centre school district (Long Island, New York) paid nearly $100,000 ransom for a Ryuk attack
• September 2019
  • Ryuk-related malware observed exfiltrating sensitive military and financial files
• October 2019
  • DCH Health System in Alabama was attacked, shut down, and temporarily stopped admitting new non-emergency patients
• November 2019
  • Ransomware attack on Louisiana Office of Technology Services, likely Ryuk based on publicly-released
  • Multinational Spanish security company Prosegur temporarily shut down its IT network after a Ryuk attack
  • Ryuk attack on Cadena SER (Spain's largest radio station)
  • Ryuk attack on T-System, a provider of end-to-end IT solutions for emergency and urgent healthcare providers; allegedly the infection spread to public segments such as their demilitarized zone, extranet and even their helpdesk
• December 2019
  • Ryuk used to attack the IT network of a federally regulated maritime facility

15

TLP: WHITE, ID# 202001301000

Prominent Ryuk Activity and Alerts in the Last Year

• January 2020
  • Ryuk used to attack several oil and gas facilities
  • Coveware again reports dramatically increasing ransomware demands, and identifies Ryuk as one of the reasons

16

Ryuk Defense and Mitigations

TLP: WHITE, ID# 202001301000

• Provide social engineering and phishing training to employees [10.S.A] [1.M.D]
• Develop and maintain a policy on suspicious e-mails for end users; ensure suspicious e-mails are reported [10.S.A] [10.M.A]
• Ensure e-mails originating from outside the organization are automatically marked before being received [1.S.A] [1.M.A]
• Apply applicable patches and updates immediately after testing; develop and maintain a patching program if necessary [7.S.A] [7.M.D]
• Implement an Intrusion Detection System (IDS) [6.S.C] [6.M.C] [6.L.C]
• Implement spam filters at the e-mail gateways [1.S.A] [1.M.A]
• Block suspicious IP addresses at the firewall [6.S.A] [6.M.A] [6.L.E]
• Implement whitelisting technology on appropriate assets to ensure that only authorized software is allowed to execute [2.S.A] [2.M.A] [2.L.E]
• Implement access control based on the principle of least privilege [3.S.A] [3.M.A] [3.L.C]
• Implement and maintain an anti-malware solution [2.S.A] [2.M.A] [2.L.D]
• Conduct system hardening to ensure proper configurations [7.S.A] [7.M.D]
• Disable the use of Remote Desktop Protocol (RDP) or, if absolutely needed, restrict its use applying the principle of least privilege and monitor/log its usage [7.S.A] [7.M.D]
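As an added example (not part of the HC3 brief), the following PowerShell audits a Windows host against the RDP item above: it reports whether RDP is disabled and, if it is not, whether it is restricted (NLA, TLS security layer, group membership, inbound firewall rules) and whether its usage is being logged. It assumes an elevated Windows PowerShell 5.1 session on the host being checked; the `$AllowedRdpMembers` allow-list and the `CONTOSO\RDP-Admins` group are constructed placeholders.

```powershell
# Added example, not from the HC3 brief: audit RDP exposure on this host
# against the guidance "disable RDP, or restrict it and monitor/log its use".
# Assumes an elevated Windows PowerShell 5.1 session.

# Constructed placeholder: the only principals expected to hold RDP rights.
$AllowedRdpMembers = @('CONTOSO\RDP-Admins')

function Get-RdpPosture {
    $ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $tcp = Join-Path $ts 'WinStations\RDP-Tcp'

    # fDenyTSConnections = 1 means Remote Desktop is switched off entirely.
    $denied = (Get-ItemProperty -Path $ts -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    # UserAuthentication = 1 requires Network Level Authentication before a session exists.
    $nla = (Get-ItemProperty -Path $tcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    # SecurityLayer = 2 forces TLS for the RDP transport.
    $secLayer = (Get-ItemProperty -Path $tcp -Name SecurityLayer -ErrorAction SilentlyContinue).SecurityLayer

    # Enabled inbound rules in the built-in "Remote Desktop" firewall group.
    $fwEnabled = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -ErrorAction SilentlyContinue |
                   Where-Object { $_.Enabled -eq 'True' })

    # Accounts granted RDP logon through the Remote Desktop Users group.
    $members = @(Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue |
                 Select-Object -ExpandProperty Name)
    $unexpected = @($members | Where-Object { $AllowedRdpMembers -notcontains $_ })

    # Operational log that records each successful RDP network authentication (Event ID 1149).
    $rcmLog = Get-WinEvent -ListLog 'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        RdpDisabled         = ($denied -eq 1)
        NlaRequired         = ($nla -eq 1)
        TlsSecurityLayer    = ($secLayer -eq 2)
        InboundRulesEnabled = $fwEnabled.Count
        RdpGroupMembers     = $members
        UnexpectedMembers   = $unexpected
        RcmLogEnabled       = [bool]$rcmLog.IsEnabled
    }
}

function Get-RecentRdpLogons {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    # Security event 4624 with LogonType 10 (RemoteInteractive) is an RDP logon.
    # Property indices follow the 4624 event template: 5 = TargetUserName,
    # 6 = TargetDomainName, 8 = LogonType, 18 = IpAddress.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[8].Value -eq 10 } |
        ForEach-Object {
            [pscustomobject]@{
                Time     = $_.TimeCreated
                Account  = "$($_.Properties[6].Value)\$($_.Properties[5].Value)"
                SourceIp = $_.Properties[18].Value
            }
        }
}

$posture = Get-RdpPosture
$posture | Format-List

if ($posture.RdpDisabled) {
    Write-Host 'RDP is disabled on this host; nothing further to restrict.'
} else {
    if (-not $posture.NlaRequired)      { Write-Warning 'NLA is not required: set UserAuthentication=1 under RDP-Tcp.' }
    if (-not $posture.TlsSecurityLayer) { Write-Warning 'SecurityLayer is not TLS (2).' }
    if ($posture.UnexpectedMembers.Count -gt 0) {
        Write-Warning ('Remote Desktop Users contains accounts outside the allow-list: ' + ($posture.UnexpectedMembers -join ', '))
    }
    if (-not $posture.RcmLogEnabled) { Write-Warning 'RemoteConnectionManager operational log is disabled; RDP usage is not being logged.' }
    # Recent RDP logons, so the reviewer can confirm logging works and spot unexpected sources.
    Get-RecentRdpLogons -Hours 24 | Format-Table -AutoSize
}
```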

We suggest contacting local law enforcement in the case of a cyberattack. Also, the FBI's Internet Crime Complaint Center (IC3) can be reached here: https://www.ic3.gov/complaint/default.aspx

17

TLP: WHITE, ID# 202001301000

Prominent Ryuk Activity and Alerts in the Last Year

• Please note several things about the indicators of compromise (IOCs) on the following slides:
  • There is a significant quantity of indicators of compromise related to Ryuk available on the public Internet. We have attempted to include as many as possible in this presentation; however, there may be some available to the public that are not included here.
  • Upon being released to the public, IOCs may become "burned", which is to say that the attackers will adjust their TTPs, weapons and infrastructure so that the public IOCs are no longer used.
  • There are instances of obsolete IOCs being reused, so any organization attempting to defend itself should consider all possibilities.
  • New IOCs are constantly being released, especially for a tool as prominent and frequently used as TrickBot. It is therefore incumbent upon any organization attempting to defend itself to remain vigilant, maintain situational awareness, and be ever on the lookout for new IOCs to operationalize in its cyber defense infrastructure.

18

Indicators of Compromise

TLP: WHITE, ID# 202001301000

Command and control


19

Indicators of Compromise (Continued)

TLP: WHITE, ID# 202001301000

Hashes

1354ac0d5be0c8d03f4e3aba78d2223e 29340643ca2e6677c19e1d3bf351d654 5ac0f050f93f86e69026faea1fbb4450 86c314bc2dc37ba84f7364acd5108c2b 958c594909933d4c82e93c22850194aa c0202cf6aeab8437c638533d14563d35 cb0c1248d3899358a375888bb4e8f3fe d348f536e214a47655af387408b4fca5


Questions

30

Questions

Upcoming Briefs
• Artificial Intelligence – Application to the Healthcare Industry
• Electronic Health Record systems
• PyXie RAT

Product Evaluations
Recipients of this and other Healthcare Sector Cybersecurity Coordination Center (HC3) Threat Intelligence products are highly encouraged to provide feedback to HC3@HHS.GOV.

Requests for Information
Need information on a specific cybersecurity topic? Send your request for information (RFI) to HC3@HHS.GOV, or call us Monday-Friday between 9am-5pm (EST) at (202) 691-2110.

TLP: WHITE, ID# 202001301000

31

About Us

HC3 works with private and public sector partners to improve cybersecurity throughout the Healthcare and Public Health (HPH) Sector.

Products

• Sector & Victim Notifications: Directed communications to victims or potential victims of compromises, vulnerable equipment or PII/PHI theft, and general notifications to the HPH about currently impacting threats via the HHS OIG.
• White Papers: Document that provides in-depth information on a cybersecurity topic to increase comprehensive situational awareness and provide risk recommendations to a wide audience.
• Threat Briefings & Webinar: Briefing document and presentation that provides actionable information on health sector cybersecurity threats and mitigations. Analysts present current cybersecurity topics, engage in discussions with participants on current threats, and highlight best practices and mitigation tactics.

Need information on a specific cybersecurity topic, or want to join our listserv? Send your request for information (RFI) to HC3@HHS.GOV, or call us Monday-Friday between 9am-5pm (EST) at (202) 691-2110.

TLP: WHITE, ID# 202001301000

Contact

Health Sector Cybersecurity Coordination Center (HC3)

(202) 691-2110 HC3@HHS.GOV


Ryuk Sodinokibi Ransomware Responsible for Higher Average Ransomshttpswwwbleepingcomputercomnewssecurityryuk-sodinokibi-ransomware-responsible-for-higher-average-ransoms

Ryuk Related Malware Steals Confidential Military Financial Fileshttpswwwbleepingcomputercomnewssecurityryuk-related-malware-steals-confidential-military-financial-files

Big Game Hunting with Ryuk Another Lucrative Targeted Ransomwarehttpswwwcrowdstrikecomblogbig-game-hunting-with-ryuk-another-lucrative-targeted-ransomware

27

References

TLP WHITE ID 202001301000

bull Rolling back Ryuk Ransomwarebull httpsnewssophoscomen-us20191004rolling-back-ryuk-ransomware

bull DCH Hospital Pays Ryuk Ransomware for Decryption Keybull httpswwwbleepingcomputercomnewssecuritydch-hospital-pays-ryuk-ransomware-for-decryption-

key

bull Louisiana was hit by Ryuk triggering another cyber-emergencybull httpsarstechnicacominformation-technology201911louisiana-was-hit-by-ryuk-triggering-another-

cyber-emergency

bull Security firm Prosegur Weve shut our IT network after Ryuk ransomware attackbull httpswwwzdnetcomarticlesecurity-firm-prosegur-weve-shut-our-it-network-after-ryuk-ransomware-

attack

bull Cash-moving giant Prosegur knocked offline by Ryuk ransomwarebull httpswwwcsoonlinecomarticle3504492cash-moving-giant-prosegur-knocked-offline-by-ryuk-

ransomwarehtml

bull New ransomware rakes in $4 million by adopting a ldquobig game huntingrdquo strategy Ryuk lies in wait for as long as a year then pounces on only the biggest prey

bull httpsarstechnicacominformation-technology201901new-ransomware-rakes-in-4-million-by-adopting-a-big-game-hunting-strategy

bull A Nasty Trick From Credential Theft Malware to Business Disruptionbull httpswwwfireeyecomblogthreat-research201901a-nasty-trick-from-credential-theft-malware-to-

business-disruptionhtml

28

References

TLP WHITE ID 202001301000

bull Big Game Hunting with Ryuk Another Lucrative Targeted Ransomwarebull httpswwwcrowdstrikecomblogbig-game-hunting-with-ryuk-another-lucrative-targeted-ransomware

bull Hackers Demand Bitcoin Ransom in Cyberattack on Big Canadian Restaurantsbull qhttpswwwcbccanewsbusinessransomware-hack-recipe-unlimited-restaurant-cyberattack-

14847487

bull Ryuk Ransomware Is Making Victims Left and Rightbull httpswwwbleepingcomputercomnewssecurityryuk-ransomware-is-making-victims-left-and-right

bull Ryuk Cult Character to Ransomware Villainbull httpssecurityboulevardcom201912ryuk-cult-character-to-ransomware-villain

bull Hermes ransomware distributed to South Koreans via recent Flash zero-daybull httpsblogmalwarebytescomthreat-analysis201803hermes-ransomware-distributed-to-south-

koreans-via-recent-flash-zero-day

Questions

30

Questions

Upcoming Briefsbull Artificial Intelligence ndash Application to the Healthcare Industry

bull Electronic Health Record systems

bull PyXie RAT

Product EvaluationsRecipients of this and other Healthcare Sector Cybersecurity Coordination Center (HC3) Threat Intelligence products are highly encouraged to provide feedback to HC3HHSGOV

Requests for InformationNeed information on a specific cybersecurity topic Send your request for information (RFI) to HC3HHSGOV or call us Monday-Friday between 9am-5pm (EST) at (202) 691-2110

TLP WHITE ID 202001301000

31

About Us

HC3 works with private and public sector partners to improve cybersecurity throughout the Healthcare and Public Health (HPH) Sector

Sector amp Victim Notifications White PapersDirected communications to victims or potential victims of compromises vulnerable equipment or PIIPHI theft and general notifications to the HPH about currently impacting threats via the HHS OIG

Document that provides in-depth information on a cybersecurity topic to increase comprehensive situational awareness and provide risk recommendations to a wide audience

Threat Briefings amp WebinarBriefing document and presentation that provides actionable information on health sector cybersecurity threats and mitigations Analysts present current cybersecurity topics engage in discussions with participants on current threats and highlight best practices and mitigation tactics

Need information on a specific cybersecurity topic or want to join our listserv Send your request for information (RFI) to HC3HHSGOV or call us Monday-Friday between 9am-5pm (EST) at (202) 691-2110

Products

TLP WHITE ID 202001301000

Contact

Health Sector Cybersecurity Coordination Center (HC3)

(202) 691-2110 HC3HHSGOV

  • Ryuk Update
  • Agenda
  • Overview
  • Functionality
  • Shifting Attribution
  • Shifting Attribution
  • Slide Number 7
  • Threat Actors
  • Threat Actors
  • Slide Number 10
  • Slide Number 11
  • Ransom Demands
  • Slide Number 13
  • Slide Number 14
  • Slide Number 15
  • Slide Number 16
  • Slide Number 17
  • Slide Number 18
  • Slide Number 19
  • Slide Number 20
  • References
  • References
  • References
  • References
  • References
  • References
  • References
  • References
  • Slide Number 29
  • Questions
  • About Us
  • Slide Number 32
Page 16: Ryuk Update - HHS.gov · 2020. 7. 7. · Internet. We have attempted to include as many as possible in this presentation. However, there may be some available to the public not included

16

Ryuk Defense and Mitigations

TLP: WHITE, ID# 202001301000

• Provide social engineering and phishing training to employees. [10.S.A] [1.M.D]

• Develop and maintain a policy on suspicious e-mails for end users; ensure suspicious e-mails are reported. [10.S.A] [10.M.A]

• Ensure e-mails originating from outside the organization are automatically marked before they are received. [1.S.A] [1.M.A]

• Apply applicable patches and updates immediately after testing; develop and maintain a patching program if necessary. [7.S.A] [7.M.D]

• Implement an Intrusion Detection System (IDS). [6.S.C] [6.M.C] [6.L.C]

• Implement spam filters at the e-mail gateways. [1.S.A] [1.M.A]

• Block suspicious IP addresses at the firewall. [6.S.A] [6.M.A] [6.L.E]

• Implement whitelisting technology on appropriate assets to ensure that only authorized software is allowed to execute. [2.S.A] [2.M.A] [2.L.E]

• Implement access control based on the principle of least privilege. [3.S.A] [3.M.A] [3.L.C]

• Implement and maintain an anti-malware solution. [2.S.A] [2.M.A] [2.L.D]

• Conduct system hardening to ensure proper configurations. [7.S.A] [7.M.D]

• Disable the use of Remote Desktop Protocol (RDP) or, if absolutely needed, restrict its use applying the principle of least privilege, and monitor/log its usage. [7.S.A] [7.M.D]

We suggest contacting local law enforcement in the case of a cyberattack. Also, the FBI's Internet Crime Complaint Center (IC3) can be reached here: httpswwwic3govcomplaintdefaultaspx

Prominent Ryuk Activity and Alerts in the Last Year

• Please note several things about the indicators of compromise (IOCs) on the following slides:

• There is a significant quantity of indicators of compromise related to Ryuk available on the public Internet. We have attempted to include as many as possible in this presentation; however, there may be some available to the public that are not included here.

• Upon being released to the public, IOCs may become "burned", which is to say that the attackers will adjust their TTPs, weapons and infrastructure so that the public IOCs are no longer used.

• There are instances of obsolete IOCs being reused, so any organization attempting to defend itself should consider all possibilities.

• New IOCs are constantly being released, especially for a tool as prominent and frequently used as TrickBot. It is therefore incumbent upon any organization attempting to defend itself to remain vigilant, maintain situational awareness, and be ever on the lookout for new IOCs to operationalize in its cyber defense infrastructure.

Indicators of Compromise

Command and control

474916850 4211591177 199227126250 68417310

1901457484 1377415118 24113161184 7218912441

18525138208 719410125 1972325085 741345113

18868208240 206130141255 9423220113 10527171234

24247181155 923816339 1901457484 1822532066

174105235178 7414016033 474916850 17222297179

18580148162 6531241133 6412817537

18111317230 14019054187 242272224

17410523382 24247181226 21318363245

71141298 46149182112 10311091118

2161836243 21332122246 241196970

Indicators of Compromise (Continued)

Hashes (MD5)

1354ac0d5be0c8d03f4e3aba78d2223e
29340643ca2e6677c19e1d3bf351d654
5ac0f050f93f86e69026faea1fbb4450
86c314bc2dc37ba84f7364acd5108c2b
958c594909933d4c82e93c22850194aa
c0202cf6aeab8437c638533d14563d35
cb0c1248d3899358a375888bb4e8f3fe
d348f536e214a47655af387408b4fca5
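The slide above says to operationalize these IOCs in your cyber defense infrastructure. The following is an added example of what that looks like for the hash list, written here as an illustration; it is not code from the HC3 deck. It assumes a hypothetical key=value telemetry export (one process-creation record per line), the sample records are constructed, and it matches on the eight MD5 values listed on the slide only, since the command-and-control addresses as they appear above lack octet separators. The one thing it demonstrates beyond the list itself is normalization: hash feeds and EDR exports disagree on letter case and whitespace, and a case-sensitive comparison silently misses real hits.

```python
"""Added example (not from the HC3 deck): match the MD5 hashes on the
'Indicators of Compromise (Continued)' slide against endpoint telemetry.

Hypothetical input format: one record per line, space-separated key=value
pairs, as many EDR/SIEM exports can be configured to emit. All records,
hostnames, paths and timestamps below are constructed for the example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable

# MD5 hashes exactly as listed on the slide (lower-case hex, 32 characters).
RYUK_MD5_IOCS: frozenset[str] = frozenset({
    "1354ac0d5be0c8d03f4e3aba78d2223e",
    "29340643ca2e6677c19e1d3bf351d654",
    "5ac0f050f93f86e69026faea1fbb4450",
    "86c314bc2dc37ba84f7364acd5108c2b",
    "958c594909933d4c82e93c22850194aa",
    "c0202cf6aeab8437c638533d14563d35",
    "cb0c1248d3899358a375888bb4e8f3fe",
    "d348f536e214a47655af387408b4fca5",
})

_MD5_RE = re.compile(r"[0-9a-f]{32}")


def load_iocs(lines: Iterable[str]) -> frozenset[str]:
    """Normalise a hash feed: trim, lower-case, and drop anything that is not
    a 32-hex-digit MD5 (blank lines, comments, copy/paste debris)."""
    cleaned = set()
    for line in lines:
        token = line.strip().lower()
        if _MD5_RE.fullmatch(token):
            cleaned.add(token)
    return frozenset(cleaned)


@dataclass(frozen=True)
class Hit:
    host: str
    image: str
    md5: str


def parse_record(line: str) -> dict[str, str]:
    """Split a constructed 'k=v k=v ...' record into a dict (values carry no spaces)."""
    fields: dict[str, str] = {}
    for part in line.split():
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key] = value
    return fields


def scan(lines: Iterable[str], iocs: frozenset[str] = RYUK_MD5_IOCS) -> list[Hit]:
    """Return one Hit per record whose md5 field matches an IOC.

    The hash is lower-cased before comparison: EDR exports often emit
    upper-case hex, and a case-sensitive compare would miss those records."""
    hits: list[Hit] = []
    for line in lines:
        rec = parse_record(line)
        md5 = rec.get("md5", "").strip().lower()
        if md5 in iocs:
            hits.append(Hit(rec.get("host", "?"), rec.get("image", "?"), md5))
    return hits


def hosts_with_hits(lines: Iterable[str]) -> list[str]:
    """Distinct hosts that need triage, in first-seen order."""
    seen: list[str] = []
    for hit in scan(lines):
        if hit.host not in seen:
            seen.append(hit.host)
    return seen


# Constructed sample telemetry: hostnames, paths, timestamps and the benign
# hash are invented; the two matching hashes are from the slide.
SAMPLE_TELEMETRY = [
    "ts=2020-01-30T10:00:01Z host=WS-0412 event=process_create "
    "image=C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe md5=5AC0F050F93F86E69026FAEA1FBB4450",
    "ts=2020-01-30T10:00:02Z host=WS-0412 event=process_create "
    "image=C:\\Windows\\System32\\svchost.exe md5=0123456789abcdef0123456789abcdef",
    "ts=2020-01-30T10:03:17Z host=SRV-FILE01 event=process_create "
    "image=C:\\Users\\Public\\window.exe md5=d348f536e214a47655af387408b4fca5",
    "ts=2020-01-30T10:03:18Z host=SRV-FILE01 event=network_connect dst=203.0.113.10",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_TELEMETRY):
        print(f"IOC match on {hit.host}: {hit.image} ({hit.md5})")
    print("hosts to triage:", hosts_with_hits(SAMPLE_TELEMETRY))
```

A match here is a triage signal, not a verdict: per the caveats on the previous slide, a published hash may already be burned, and an absence of matches says nothing about samples whose hashes were never published. Refresh the feed passed to `load_iocs` as new indicators appear rather than relying on the static set alone.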

Reference Materials

References

• Ryuk Ransomware: Exploring the Technical and Human Connections
  httpswwwcovewarecomblog2019219ryuk-ransomware-exploring-the-technical-and-human-connections

• 2017 Cylance Threat Report
  httpspagescylancecom2018-03CylanceThreatReport2017html

• 2018 Global Threat Report: Blurring the Lines Between Statecraft and Tradecraft (CrowdStrike)
  httpsgocrowdstrikecomrs281-OBQ-266imagesReport2018GlobalThreatReportpdf

• TEMP.MixMaster group infects with Trickbot and delayed Ryuk ransomware combo
  httpswwwscmagazinecomhomesecurity-newsfinancially-motivated-threat-actorsreferred-to-as-temp-mixmaster-are-infecting-victims-with-trickbot-malware-before-deploying-the-infamous-ryuk-ransomware

• Ryuk ransomware linked to Emotet and TrickBot trojans; suspicions shift to cybercriminal group
  httpswwwscmagazinecomhomesecurity-newsryuk-ransomware-linked-to-emotet-and-trickbot-trojans-suspicions-shift-to-cybercriminal-group

• Ryuk ransomware earns hackers $3.7M in Bitcoin over 5 months - 52 known ransom transactions were recorded, the highest worth 99 BTC
  httpsthenextwebcomhardfork20190114ryuk-bitcoin-ransomware

• Ryuk Ransomware Crew Makes $640,000 in Recent Activity Surge
  httpswwwbleepingcomputercomnewssecurityryuk-ransomware-crew-makes-640-000-in-recent-activity-surge

• Ryuk ransomware gang probably Russian, not North Korean
  httpswwwzdnetcomarticleryuk-ransomware-gang-probably-russian-not-north-korean

• Cloud Hosting Provider Dataresolution.net Hit by Ryuk Ransomware
  httpswwwsecurityswcomblogcloud-hosting-provider-dataresolution-net-hit-by-ryuk-ransomware

• CrowdStrike 2018 Global Threat Report: Blurring the Lines Between Statecraft and Tradecraft
  httpsgocrowdstrikecomrs281-OBQ-266imagesReport2018GlobalThreatReportpdf

• Trojan.TrickBot
  httpsblogmalwarebytescomdetectionstrojan-trickbot

• TrickBot Banking Trojan Takes Center Stage in 2018
  httpsblogbarklycomtrickbot-trojan-2018-campaigns

• HHS HCCIC cybersecurity alert: New Ryuk ransomware quickly racking up damage
  httpswwwhealthcareitnewscomnewshhs-hccic-cybersecurity-alert-new-ryuk-ransomware-quickly-racking-damage

• Notorious Ryuk Ransomware Adds Trojans to Cyberattack Method
  httpshealthitsecuritycomnewsnotorious-ryuk-ransomware-adds-trojans-to-cyberattack-method

• Emotet re-emerges after the holidays
  httpsblogtalosintelligencecom201901return-of-emotethtml

• The Unholy Alliance of Emotet, TrickBot and the Ryuk Ransomware
  httpsduocomdecipherthe-unholy-alliance-of-emotet-trickbot-and-the-ryuk-ransomware

• Cybercrime and Other Threats Faced by the Healthcare Industry
  httpswwwtrendmicrocomcontentdamtrendmicroglobalensecurity-intelligenceresearchreportswp-cybercrime-amp-other-threats-faced-by-the-healthcare-industrypdf

• Ryuk ransomware targets big businesses: New ransomware group waits and gathers intel before attacking large enterprises
  httpswwwtechradarcomnewsryuk-ransomware-targets-big-businesses

• Computer virus hits newspapers coast-to-coast
  httpswwwnbcnewscomnewsus-newscomputer-virus-hits-southern-california-newspapers-n953001

• Ryuk Ransomware: A Targeted Campaign Break-Down (Check Point Research)
  httpsresearchcheckpointcomryuk-ransomware-targeted-campaign-break

• Ryuk ransomware targets big businesses
  httpswwwtechradarcomnewsryuk-ransomware-targets-big-businesses

• United States Department of Homeland Security, Cybersecurity and Infrastructure Security Agency, Alert (TA18-201A): Emotet Malware
  httpswwwus-certgovncasalertsTA18-201A

• Research Suggests Russian-Based Hackers Behind Ryuk Ransomware's $25 Million Gains
  httpsfinanceyahoocomnewsresearch-suggests-russian-based-hackers-131700487html

• Long Island Ransomware Attack: New York School Pays $100,000
  httpswwwmsspalertcomcybersecurity-breaches-and-attacksransomwareryuk-hits-rockville-centre

• Ransomware hits computer networks of North Carolina water utility (CyberScoop)
  httpswwwcyberscoopcomransomware-hits-onwasa-computer-network-north-carolina-water-utility

• Media Release: Cyber-Criminals Target Critical Utility in Hurricane-Ravaged Area (Onslow Water and Sewer Authority)
  httpswwwonwasacomDocumentCenterView3701Scan-from-2018-10-15-08_08_13-A

• Origin of virus that hobbled newspapers still unclear - The origins of a suspected computer attack that disrupted the Los Angeles Times and Tribune Publishing newspapers remain unclear
  httpsabcnewsgocomUSwireStoryorigin-virus-hobbled-newspapers-unclear-60083516

• Meet CrowdStrike's Adversary of the Month for February: MUMMY SPIDER (February 8, 2018)
  httpswwwcrowdstrikecomblogmeet-crowdstrikes-adversary-of-the-month-for-february-mummy-spider

• North Korea APT(?) and recent Ryuk Ransomware attacks
  httpsblogkryptoslogiccommalware20190110dprk-emotethtml

• US Coast Guard Warns Over Ryuk Ransomware Attacks
  httpswwwbankinfosecuritycomus-coast-guard-warns-over-ryuk-ransomware-attacks-a-13563

• Georgia county pays a whopping $400,000 to get rid of a ransomware infection
  httpswwwzdnetcomarticlegeorgia-county-pays-a-whopping-400000-to-get-rid-of-a-ransomware-infection

• Informations Concernant Les Rançongiciels LockerGoga Et Ryuk (CERT-FR; in French: information on the LockerGoga and Ryuk ransomware)
  httpswwwcertssigouvfruploadsCERTFR-2019-ACT-005pdf

• Cybereason Researchers Discover a Triple Threat Attack Utilizing Emotet to Deploy TrickBot, Which Steals Data and Spreads Ryuk Ransomware
  httpswwwbenzingacompressreleases1904p13470755cybereason-researchers-discover-a-triple-threat-attack-utilizing-emote

• Ryuk Ransomware Adds IP and Computer Name Blacklisting
  httpswwwbleepingcomputercomnewssecurityryuk-ransomware-adds-ip-and-computer-name-blacklisting

• US Coast Guard - Marine Safety Information Bulletin
  httpswwwdcouscgmilPortals9DCO20Documents5pMSIB2019MSIB_10_19pdf

• Wizard Spider Upgrades Ryuk Ransomware to Reach Deep into LANs
  httpsthreatpostcomwizard-spider-upgrades-ryuk-ransomware149853

• US Coast Guard Says Ryuk Ransomware Took Down Maritime Facility
  httpswwwbleepingcomputercomnewssecurityus-coast-guard-says-ryuk-ransomware-took-down-maritime-facility

• Mistaken For North Koreans, The Ryuk Ransomware Hackers Are Making Millions
  httpswwwforbescomsitesthomasbrewster20190220mistaken-for-north-koreans-the-ryuk-ransomware-hackers-are-making-millions6d47034775f4

• Ryuk Ransomware: Exploring the Technical and Human Connections
  httpswwwcovewarecomblog2019219ryuk-ransomware-exploring-the-technical-and-human-connections

• Stuart's city hall ransomware attack more than likely caused by phishing email scam
  httpswwwtcpalmcomstorynewslocalmartin-county20190422city-halls-ransomware-attack-may-linked-phishing-email-scam-ryuk3540067002

• 7 Florida municipalities have fallen prey to cyber attacks since last year
  httpswwwnaplesnewscomstorynewscrime201908207-florida-municipalities-have-fallen-prey-cyber-attacks-ryuk-ransomware-phishing2065063001

• Tampa Bay Times hit with Ryuk ransomware attack
  httpsblogmalwarebytescomransomware202001tampa-bay-times-hit-with-ryuk-ransomware-attack

• Cyber attack: Virus Ryuk disrupts The Watertown Daily Times Sunday paper delivery
  httpswwwibtimessgcyber-attack-virus-ryuk-disrupts-watertown-daily-times-sunday-paper-delivery-30503

• How a Manufacturing Firm Recovered from a Devastating Ransomware Attack
  httpswwwdarkreadingcomattacks-breacheshow-a-manufacturing-firm-recovered-from-a-devastating-ransomware-attackdd-id1334760

• Florida LAN: Someone clicks link, again giving Key Biscayne ransomware
  httpsarstechnicacominformation-technology201906is-there-something-in-the-water-third-florida-city-hit-by-ransomware

• New Warning on Ryuk Ransomware
  httpswwwdarkreadingcomdocumentaspdoc_id=1335101

• La Porte County Pays $130,000 Ransom To Ryuk Ransomware
  httpswwwbleepingcomputercomnewssecurityla-porte-county-pays-130-000-ransom-to-ryuk-ransomware

• China on Ryuk Virus alert: Deadly ransomware sneaks through the country's computer systems
  httpswwwcryptopolitancomchina-on-ryuk-virus-alert

• Ryuk, Sodinokibi Ransomware Responsible for Higher Average Ransoms
  httpswwwbleepingcomputercomnewssecurityryuk-sodinokibi-ransomware-responsible-for-higher-average-ransoms

• Ryuk Related Malware Steals Confidential Military, Financial Files
  httpswwwbleepingcomputercomnewssecurityryuk-related-malware-steals-confidential-military-financial-files

• Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware
  httpswwwcrowdstrikecomblogbig-game-hunting-with-ryuk-another-lucrative-targeted-ransomware

• Rolling back Ryuk Ransomware
  httpsnewssophoscomen-us20191004rolling-back-ryuk-ransomware

• DCH Hospital Pays Ryuk Ransomware for Decryption Key
  httpswwwbleepingcomputercomnewssecuritydch-hospital-pays-ryuk-ransomware-for-decryption-key

• Louisiana was hit by Ryuk, triggering another cyber-emergency
  httpsarstechnicacominformation-technology201911louisiana-was-hit-by-ryuk-triggering-another-cyber-emergency

• Security firm Prosegur: We've shut our IT network after Ryuk ransomware attack
  httpswwwzdnetcomarticlesecurity-firm-prosegur-weve-shut-our-it-network-after-ryuk-ransomware-attack

• Cash-moving giant Prosegur knocked offline by Ryuk ransomware
  httpswwwcsoonlinecomarticle3504492cash-moving-giant-prosegur-knocked-offline-by-ryuk-ransomwarehtml

• New ransomware rakes in $4 million by adopting a "big game hunting" strategy: Ryuk lies in wait for as long as a year, then pounces on only the biggest prey
  httpsarstechnicacominformation-technology201901new-ransomware-rakes-in-4-million-by-adopting-a-big-game-hunting-strategy

• A Nasty Trick: From Credential Theft Malware to Business Disruption
  httpswwwfireeyecomblogthreat-research201901a-nasty-trick-from-credential-theft-malware-to-business-disruptionhtml

• Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware
  httpswwwcrowdstrikecomblogbig-game-hunting-with-ryuk-another-lucrative-targeted-ransomware

• Hackers Demand Bitcoin Ransom in Cyberattack on Big Canadian Restaurants
  httpswwwcbccanewsbusinessransomware-hack-recipe-unlimited-restaurant-cyberattack-14847487

• Ryuk Ransomware Is Making Victims Left and Right
  httpswwwbleepingcomputercomnewssecurityryuk-ransomware-is-making-victims-left-and-right

• Ryuk: Cult Character to Ransomware Villain
  httpssecurityboulevardcom201912ryuk-cult-character-to-ransomware-villain

• Hermes ransomware distributed to South Koreans via recent Flash zero-day
  httpsblogmalwarebytescomthreat-analysis201803hermes-ransomware-distributed-to-south-koreans-via-recent-flash-zero-day

Questions

Upcoming Briefs

• Artificial Intelligence - Application to the Healthcare Industry

• Electronic Health Record systems

• PyXie RAT

Product Evaluations

Recipients of this and other Healthcare Sector Cybersecurity Coordination Center (HC3) Threat Intelligence products are highly encouraged to provide feedback to HC3@HHS.GOV.

Requests for Information

Need information on a specific cybersecurity topic? Send your request for information (RFI) to HC3@HHS.GOV, or call us Monday-Friday between 9am-5pm (EST) at (202) 691-2110.

About Us

HC3 works with private and public sector partners to improve cybersecurity throughout the Healthcare and Public Health (HPH) Sector.

Products

Sector & Victim Notifications

Directed communications to victims or potential victims of compromises, vulnerable equipment or PII/PHI theft, and general notifications to the HPH about currently impacting threats via the HHS OIG.

White Papers

Document that provides in-depth information on a cybersecurity topic to increase comprehensive situational awareness and provide risk recommendations to a wide audience.

Threat Briefings & Webinar

Briefing document and presentation that provides actionable information on health sector cybersecurity threats and mitigations. Analysts present current cybersecurity topics, engage in discussions with participants on current threats, and highlight best practices and mitigation tactics.

Need information on a specific cybersecurity topic or want to join our listserv? Send your request for information (RFI) to HC3@HHS.GOV, or call us Monday-Friday between 9am-5pm (EST) at (202) 691-2110.

Contact

Health Sector Cybersecurity Coordination Center (HC3)

(202) 691-2110   HC3@HHS.GOV

  • Ryuk Update
  • Agenda
  • Overview
  • Functionality
  • Shifting Attribution
  • Shifting Attribution
  • Slide Number 7
  • Threat Actors
  • Threat Actors
  • Slide Number 10
  • Slide Number 11
  • Ransom Demands
  • Slide Number 13
  • Slide Number 14
  • Slide Number 15
  • Slide Number 16
  • Slide Number 17
  • Slide Number 18
  • Slide Number 19
  • Slide Number 20
  • References
  • References
  • References
  • References
  • References
  • References
  • References
  • References
  • Slide Number 29
  • Questions
  • About Us
  • Slide Number 32
Page 17: Ryuk Update - HHS.gov · 2020. 7. 7. · Internet. We have attempted to include as many as possible in this presentation. However, there may be some available to the public not included

17TLP WHITE ID 202001301000

Prominent Ryuk Activity and Alerts in the Last Year

bull Please note several things about the indicators of compromise (IOCs) on the following slidesbull There is a significant quantity of indicators of compromise related to Ryuk available on the public

Internet We have attempted to include as many as possible in this presentation However there may be some available to the public not included here

bull Upon being released to the public IOCs may become ldquoburnedrdquo which is to say that the attackers will adjust their TTPs weapon and infrastructure so that the public IOCs are no longer used

bull There are instances of obsolete IOCs being reused so any organization attempting to defend themselves should consider all possibilities

bull New IOCs are constantly being released especially with a tool as prominent and frequently used as TrickBot It is therefore incumbent upon any organization attempting to defend themselves to remain vigilant maintain situational awareness and be ever on the lookout for new IOCs to operationalize in their cyber defense infrastructure

18

Indicators of Compromise

TLP WHITE ID 202001301000

Command and control

474916850 4211591177 199227126250 68417310

1901457484 1377415118 24113161184 7218912441

18525138208 719410125 1972325085 741345113

18868208240 206130141255 9423220113 10527171234

24247181155 923816339 1901457484 1822532066

174105235178 7414016033 474916850 17222297179

18580148162 6531241133 6412817537

18111317230 14019054187 242272224

17410523382 24247181226 21318363245

71141298 46149182112 10311091118

2161836243 21332122246 241196970

19

Indicators of Compromise (Continued)

TLP WHITE ID 202001301000

Hashes

1354ac0d5be0c8d03f4e3aba78d2223e 29340643ca2e6677c19e1d3bf351d654 5ac0f050f93f86e69026faea1fbb4450 86c314bc2dc37ba84f7364acd5108c2b 958c594909933d4c82e93c22850194aa c0202cf6aeab8437c638533d14563d35 cb0c1248d3899358a375888bb4e8f3fe d348f536e214a47655af387408b4fca5

Reference Materials

21

References

TLP WHITE ID 202001301000

bull Ryuk Ransomware Exploring the Technical and Human Connectionsbull httpswwwcovewarecomblog2019219ryuk-ransomware-exploring-the-technical-and-human-

connections

bull 2017 Cylance Threat Reportbull httpspagescylancecom2018-03CylanceThreatReport2017html

bull 2018 Global Threat Report Blurring the Lines Between Statecraft and Tradecraft Crowdstrikebull httpsgocrowdstrikecomrs281-OBQ-266imagesReport2018GlobalThreatReportpdf

bull TEMPMixMaster group infects with Trickbot and delayed Ryuk ransomware combobull httpswwwscmagazinecomhomesecurity-newsfinancially-motivated-threat-actorsreferred-to-as-

temp-mixmaster-are-infecting-victims-with-trickbot-malware-before-deploying-the-infamous-ryuk-ransomware

bull Ryuk ransomware linked to Emotet and TrickBot trojans suspicions shift to cybercriminal groupbull httpswwwscmagazinecomhomesecurity-newsryuk-ransomware-linked-to-emotet-and-trickbot-

trojans-suspicions-shift-to-cybercriminal-group

bull Ryuk ransomware earns hackers $37M in Bitcoin over 5 months - 52 known ransom transactions were recorded the highest worth 99 BTC

bull httpsthenextwebcomhardfork20190114ryuk-bitcoin-ransomware

bull Ryuk Ransomware Crew Makes $640000 in Recent Activity Surgebull httpswwwbleepingcomputercomnewssecurityryuk-ransomware-crew-makes-640-000-in-recent-

activity-surge

22

References

TLP WHITE ID 202001301000

bull Ryuk ransomware gang probably Russian not North Koreanbull httpswwwzdnetcomarticleryuk-ransomware-gang-probably-russian-not-north-korean

bull Cloud Hosting Provider Dataresolutionnet Hit by Ryuk Ransomwarebull httpswwwsecurityswcomblogcloud-hosting-provider-dataresolution-net-hit-by-ryuk-ransomware

bull CrowdStrike 2018 Global Threat Report Blurring the Lines Between Statecraft and Tradecraftbull httpsgocrowdstrikecomrs281-OBQ-266imagesReport2018GlobalThreatReportpdf

bull TrojanTrickBotbull httpsblogmalwarebytescomdetectionstrojan-trickbot

bull TrickBot Banking Trojan Takes Center Stage in 2018bull httpsblogbarklycomtrickbot-trojan-2018-campaigns

bull HHS HCCIC cybersecurity alert New Ryuk ransomware quickly racking up damagebull httpswwwhealthcareitnewscomnewshhs-hccic-cybersecurity-alert-new-ryuk-ransomware-quickly-

racking-damage

bull Notorious Ryuk Ransomware Adds Trojans to Cyberattack Methodbull httpshealthitsecuritycomnewsnotorious-ryuk-ransomware-adds-trojans-to-cyberattack-method

bull Emotet re-emerges after the holidaysbull httpsblogtalosintelligencecom201901return-of-emotethtml

bull The Unholy Alliance of Emotet TrickBot and the Ryuk Ransomwarebull httpsduocomdecipherthe-unholy-alliance-of-emotet-trickbot-and-the-ryuk-ransomware

23

References

TLP WHITE ID 202001301000

bull Cybercrime and Other Threats Faced by the Healthcare Industrybull httpswwwtrendmicrocomcontentdamtrendmicroglobalensecurity-

intelligenceresearchreportswp-cybercrime-amp-other-threats-faced-by-the-healthcare-industrypdf

bull Ryuk ransomware targets big businesses New ransomware group waits and gathers intel before attacking large enterprises

bull httpswwwtechradarcomnewsryuk-ransomware-targets-big-businesses

bull Computer virus hits newspapers coast-to-coastbull httpswwwnbcnewscomnewsus-newscomputer-virus-hits-southern-california-newspapers-

n953001

bull Ryuk Ransomware A Targeted Campaign Break-Down CheckPoint Researchbull httpsresearchcheckpointcomryuk-ransomware-targeted-campaign-break

bull Ryuk ransomware targets big businessesbull httpswwwtechradarcomnewsryuk-ransomware-targets-big-businesses

bull United States Department of Homeland Security Cybersecurity and Infrastructure Security Agency Alert (TA18-201A) Emotet Malware

bull httpswwwus-certgovncasalertsTA18-201A

bull Research Suggests Russian-Based Hackers Behind Ryuk Ransomwarersquos $25 Million Gainsbull httpsfinanceyahoocomnewsresearch-suggests-russian-based-hackers-131700487html

bull Long Island Ransomware Attack New York School Pays $100000bull httpswwwmsspalertcomcybersecurity-breaches-and-attacksransomwareryuk-hits-rockville-centre

24

References

TLP WHITE ID 202001301000

• Ransomware hits computer networks of North Carolina water utility (CyberScoop)
  https://www.cyberscoop.com/ransomware-hits-onwasa-computer-network-north-carolina-water-utility/

• Media Release: Cyber-Criminals Target Critical Utility in Hurricane-Ravaged Area (Onslow Water and Sewer Authority)
  https://www.onwasa.com/DocumentCenter/View/3701/Scan-from-2018-10-15-08_08_13-A

• Origin of virus that hobbled newspapers still unclear: the origins of a suspected computer attack that disrupted the Los Angeles Times and Tribune Publishing newspapers remain unclear
  https://abcnews.go.com/US/wireStory/origin-virus-hobbled-newspapers-unclear-60083516

• Meet CrowdStrike's Adversary of the Month for February: MUMMY SPIDER (February 8, 2018)
  https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-february-mummy-spider/

• North Korea APT(?) and recent Ryuk Ransomware attacks
  https://blog.kryptoslogic.com/malware/2019/01/10/dprk-emotet.html

• US Coast Guard Warns Over Ryuk Ransomware Attacks
  https://www.bankinfosecurity.com/us-coast-guard-warns-over-ryuk-ransomware-attacks-a-13563

• Georgia county pays a whopping $400,000 to get rid of a ransomware infection
  https://www.zdnet.com/article/georgia-county-pays-a-whopping-400000-to-get-rid-of-a-ransomware-infection/

• Informations Concernant Les Rançongiciels LockerGoga Et Ryuk (Information on the LockerGoga and Ryuk ransomware)
  https://www.cert.ssi.gouv.fr/uploads/CERTFR-2019-ACT-005.pdf

• Cybereason Researchers Discover a Triple Threat Attack Utilizing Emotet to Deploy TrickBot, Which Steals Data and Spreads Ryuk Ransomware
  https://www.benzinga.com/pressreleases/19/04/p13470755/cybereason-researchers-discover-a-triple-threat-attack-utilizing-emote

25

References

• Ryuk Ransomware Adds IP and Computer Name Blacklisting
  https://www.bleepingcomputer.com/news/security/ryuk-ransomware-adds-ip-and-computer-name-blacklisting/

• US Coast Guard - Marine Safety Information Bulletin
  https://www.dco.uscg.mil/Portals/9/DCO%20Documents/5p/MSIB/2019/MSIB_10_19.pdf

• Wizard Spider Upgrades Ryuk Ransomware to Reach Deep into LANs
  https://threatpost.com/wizard-spider-upgrades-ryuk-ransomware/149853/

• US Coast Guard Says Ryuk Ransomware Took Down Maritime Facility
  https://www.bleepingcomputer.com/news/security/us-coast-guard-says-ryuk-ransomware-took-down-maritime-facility/

• Mistaken For North Koreans, The Ryuk Ransomware Hackers Are Making Millions
  https://www.forbes.com/sites/thomasbrewster/2019/02/20/mistaken-for-north-koreans-the-ryuk-ransomware-hackers-are-making-millions/#6d47034775f4

• Ryuk Ransomware: Exploring the Technical and Human Connections
  https://www.coveware.com/blog/2019/2/19/ryuk-ransomware-exploring-the-technical-and-human-connections

• Stuart's city hall ransomware attack more than likely caused by phishing email scam
  https://www.tcpalm.com/story/news/local/martin-county/2019/04/22/city-halls-ransomware-attack-may-linked-phishing-email-scam-ryuk/3540067002/

• 7 Florida municipalities have fallen prey to cyber attacks since last year
  https://www.naplesnews.com/story/news/crime/2019/08/20/7-florida-municipalities-have-fallen-prey-cyber-attacks-ryuk-ransomware-phishing/2065063001/

• Tampa Bay Times hit with Ryuk ransomware attack
  https://blog.malwarebytes.com/ransomware/2020/01/tampa-bay-times-hit-with-ryuk-ransomware-attack/

26

References

• Cyber attack: Virus Ryuk disrupts The Watertown Daily Times' Sunday paper delivery
  https://www.ibtimes.sg/cyber-attack-virus-ryuk-disrupts-watertown-daily-times-sunday-paper-delivery-30503

• How a Manufacturing Firm Recovered from a Devastating Ransomware Attack
  https://www.darkreading.com/attacks-breaches/how-a-manufacturing-firm-recovered-from-a-devastating-ransomware-attack/d/d-id/1334760

• Florida LAN: Someone clicks link, again giving Key Biscayne ransomware
  https://arstechnica.com/information-technology/2019/06/is-there-something-in-the-water-third-florida-city-hit-by-ransomware/

• New Warning on Ryuk Ransomware
  https://www.darkreading.com/document.asp?doc_id=1335101

• La Porte County Pays $130,000 Ransom To Ryuk Ransomware
  https://www.bleepingcomputer.com/news/security/la-porte-county-pays-130-000-ransom-to-ryuk-ransomware/

• China on Ryuk Virus alert: Deadly ransomware sneaks through the country's computer systems
  https://www.cryptopolitan.com/china-on-ryuk-virus-alert/

• Ryuk, Sodinokibi Ransomware Responsible for Higher Average Ransoms
  https://www.bleepingcomputer.com/news/security/ryuk-sodinokibi-ransomware-responsible-for-higher-average-ransoms/

• Ryuk Related Malware Steals Confidential Military, Financial Files
  https://www.bleepingcomputer.com/news/security/ryuk-related-malware-steals-confidential-military-financial-files/

• Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware
  https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/

27

References

• Rolling back Ryuk Ransomware
  https://news.sophos.com/en-us/2019/10/04/rolling-back-ryuk-ransomware/

• DCH Hospital Pays Ryuk Ransomware for Decryption Key
  https://www.bleepingcomputer.com/news/security/dch-hospital-pays-ryuk-ransomware-for-decryption-key/

• Louisiana was hit by Ryuk, triggering another cyber-emergency
  https://arstechnica.com/information-technology/2019/11/louisiana-was-hit-by-ryuk-triggering-another-cyber-emergency/

• Security firm Prosegur: We've shut our IT network after Ryuk ransomware attack
  https://www.zdnet.com/article/security-firm-prosegur-weve-shut-our-it-network-after-ryuk-ransomware-attack/

• Cash-moving giant Prosegur knocked offline by Ryuk ransomware
  https://www.csoonline.com/article/3504492/cash-moving-giant-prosegur-knocked-offline-by-ryuk-ransomware.html

• New ransomware rakes in $4 million by adopting a "big game hunting" strategy: Ryuk lies in wait for as long as a year, then pounces on only the biggest prey
  https://arstechnica.com/information-technology/2019/01/new-ransomware-rakes-in-4-million-by-adopting-a-big-game-hunting-strategy/

• A Nasty Trick: From Credential Theft Malware to Business Disruption
  https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html

28

References

• Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware
  https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/

• Hackers Demand Bitcoin Ransom in Cyberattack on Big Canadian Restaurants
  https://www.cbc.ca/news/business/ransomware-hack-recipe-unlimited-restaurant-cyberattack-1.4847487

• Ryuk Ransomware Is Making Victims Left and Right
  https://www.bleepingcomputer.com/news/security/ryuk-ransomware-is-making-victims-left-and-right/

• Ryuk: Cult Character to Ransomware Villain
  https://securityboulevard.com/2019/12/ryuk-cult-character-to-ransomware-villain/

• Hermes ransomware distributed to South Koreans via recent Flash zero-day
  https://blog.malwarebytes.com/threat-analysis/2018/03/hermes-ransomware-distributed-to-south-koreans-via-recent-flash-zero-day/

Questions

30

Questions

Upcoming Briefs
• Artificial Intelligence: Application to the Healthcare Industry
• Electronic Health Record systems
• PyXie RAT

Product Evaluations
Recipients of this and other Healthcare Sector Cybersecurity Coordination Center (HC3) Threat Intelligence products are highly encouraged to provide feedback to HC3@HHS.GOV.

Requests for Information
Need information on a specific cybersecurity topic? Send your request for information (RFI) to HC3@HHS.GOV, or call us Monday-Friday between 9am-5pm (EST) at (202) 691-2110.


31

About Us

HC3 works with private and public sector partners to improve cybersecurity throughout the Healthcare and Public Health (HPH) Sector.

Products

Sector & Victim Notifications
Directed communications to victims or potential victims of compromises, vulnerable equipment or PII/PHI theft, and general notifications to the HPH about currently impacting threats via the HHS OIG.

White Papers
Document that provides in-depth information on a cybersecurity topic to increase comprehensive situational awareness and provide risk recommendations to a wide audience.

Threat Briefings & Webinar
Briefing document and presentation that provides actionable information on health sector cybersecurity threats and mitigations. Analysts present current cybersecurity topics, engage in discussions with participants on current threats, and highlight best practices and mitigation tactics.

Need information on a specific cybersecurity topic or want to join our listserv? Send your request for information (RFI) to HC3@HHS.GOV, or call us Monday-Friday between 9am-5pm (EST) at (202) 691-2110.

Contact

Health Sector Cybersecurity Coordination Center (HC3)

(202) 691-2110 HC3@HHS.GOV

  • Ryuk Update
  • Agenda
  • Overview
  • Functionality
  • Shifting Attribution
  • Shifting Attribution
  • Slide Number 7
  • Threat Actors
  • Threat Actors
  • Slide Number 10
  • Slide Number 11
  • Ransom Demands
  • Slide Number 13
  • Slide Number 14
  • Slide Number 15
  • Slide Number 16
  • Slide Number 17
  • Slide Number 18
  • Slide Number 19
  • Slide Number 20
  • References
  • References
  • References
  • References
  • References
  • References
  • References
  • References
  • Slide Number 29
  • Questions
  • About Us
  • Slide Number 32
Page 18: Ryuk Update - HHS.gov · 2020. 7. 7. · Internet. We have attempted to include as many as possible in this presentation. However, there may be some available to the public not included

18

Indicators of Compromise

TLP WHITE ID 202001301000

Command and control

474916850 4211591177 199227126250 68417310

1901457484 1377415118 24113161184 7218912441

18525138208 719410125 1972325085 741345113

18868208240 206130141255 9423220113 10527171234

24247181155 923816339 1901457484 1822532066

174105235178 7414016033 474916850 17222297179

18580148162 6531241133 6412817537

18111317230 14019054187 242272224

17410523382 24247181226 21318363245

71141298 46149182112 10311091118

2161836243 21332122246 241196970

19

Indicators of Compromise (Continued)

TLP WHITE ID 202001301000

Hashes

1354ac0d5be0c8d03f4e3aba78d2223e 29340643ca2e6677c19e1d3bf351d654 5ac0f050f93f86e69026faea1fbb4450 86c314bc2dc37ba84f7364acd5108c2b 958c594909933d4c82e93c22850194aa c0202cf6aeab8437c638533d14563d35 cb0c1248d3899358a375888bb4e8f3fe d348f536e214a47655af387408b4fca5

Reference Materials

21

References

TLP WHITE ID 202001301000

bull Ryuk Ransomware Exploring the Technical and Human Connectionsbull httpswwwcovewarecomblog2019219ryuk-ransomware-exploring-the-technical-and-human-

connections

bull 2017 Cylance Threat Reportbull httpspagescylancecom2018-03CylanceThreatReport2017html

bull 2018 Global Threat Report Blurring the Lines Between Statecraft and Tradecraft Crowdstrikebull httpsgocrowdstrikecomrs281-OBQ-266imagesReport2018GlobalThreatReportpdf

bull TEMPMixMaster group infects with Trickbot and delayed Ryuk ransomware combobull httpswwwscmagazinecomhomesecurity-newsfinancially-motivated-threat-actorsreferred-to-as-

temp-mixmaster-are-infecting-victims-with-trickbot-malware-before-deploying-the-infamous-ryuk-ransomware

bull Ryuk ransomware linked to Emotet and TrickBot trojans suspicions shift to cybercriminal groupbull httpswwwscmagazinecomhomesecurity-newsryuk-ransomware-linked-to-emotet-and-trickbot-

trojans-suspicions-shift-to-cybercriminal-group

bull Ryuk ransomware earns hackers $37M in Bitcoin over 5 months - 52 known ransom transactions were recorded the highest worth 99 BTC

bull httpsthenextwebcomhardfork20190114ryuk-bitcoin-ransomware

bull Ryuk Ransomware Crew Makes $640000 in Recent Activity Surgebull httpswwwbleepingcomputercomnewssecurityryuk-ransomware-crew-makes-640-000-in-recent-

activity-surge

22

References

TLP WHITE ID 202001301000

bull Ryuk ransomware gang probably Russian not North Koreanbull httpswwwzdnetcomarticleryuk-ransomware-gang-probably-russian-not-north-korean

bull Cloud Hosting Provider Dataresolutionnet Hit by Ryuk Ransomwarebull httpswwwsecurityswcomblogcloud-hosting-provider-dataresolution-net-hit-by-ryuk-ransomware

bull CrowdStrike 2018 Global Threat Report Blurring the Lines Between Statecraft and Tradecraftbull httpsgocrowdstrikecomrs281-OBQ-266imagesReport2018GlobalThreatReportpdf

bull TrojanTrickBotbull httpsblogmalwarebytescomdetectionstrojan-trickbot

bull TrickBot Banking Trojan Takes Center Stage in 2018bull httpsblogbarklycomtrickbot-trojan-2018-campaigns

bull HHS HCCIC cybersecurity alert New Ryuk ransomware quickly racking up damagebull httpswwwhealthcareitnewscomnewshhs-hccic-cybersecurity-alert-new-ryuk-ransomware-quickly-

racking-damage

bull Notorious Ryuk Ransomware Adds Trojans to Cyberattack Methodbull httpshealthitsecuritycomnewsnotorious-ryuk-ransomware-adds-trojans-to-cyberattack-method

bull Emotet re-emerges after the holidaysbull httpsblogtalosintelligencecom201901return-of-emotethtml

bull The Unholy Alliance of Emotet TrickBot and the Ryuk Ransomwarebull httpsduocomdecipherthe-unholy-alliance-of-emotet-trickbot-and-the-ryuk-ransomware

23

References

TLP WHITE ID 202001301000

bull Cybercrime and Other Threats Faced by the Healthcare Industrybull httpswwwtrendmicrocomcontentdamtrendmicroglobalensecurity-

intelligenceresearchreportswp-cybercrime-amp-other-threats-faced-by-the-healthcare-industrypdf

bull Ryuk ransomware targets big businesses New ransomware group waits and gathers intel before attacking large enterprises

bull httpswwwtechradarcomnewsryuk-ransomware-targets-big-businesses

bull Computer virus hits newspapers coast-to-coastbull httpswwwnbcnewscomnewsus-newscomputer-virus-hits-southern-california-newspapers-

n953001

bull Ryuk Ransomware A Targeted Campaign Break-Down CheckPoint Researchbull httpsresearchcheckpointcomryuk-ransomware-targeted-campaign-break

bull Ryuk ransomware targets big businessesbull httpswwwtechradarcomnewsryuk-ransomware-targets-big-businesses

bull United States Department of Homeland Security Cybersecurity and Infrastructure Security Agency Alert (TA18-201A) Emotet Malware

bull httpswwwus-certgovncasalertsTA18-201A

bull Research Suggests Russian-Based Hackers Behind Ryuk Ransomwarersquos $25 Million Gainsbull httpsfinanceyahoocomnewsresearch-suggests-russian-based-hackers-131700487html

bull Long Island Ransomware Attack New York School Pays $100000bull httpswwwmsspalertcomcybersecurity-breaches-and-attacksransomwareryuk-hits-rockville-centre

24

References

TLP WHITE ID 202001301000

bull Ransomware hits computer networks of North Carolina water utility CyberScoopbull httpswwwcyberscoopcomransomware-hits-onwasa-computer-network-north-carolina-water-utility

bull Media Release Cyber-Criminals Target Critical Utility in Hurricane-Ravaged Area Onslow Water and Sewer Authority

bull httpswwwonwasacomDocumentCenterView3701Scan-from-2018-10-15-08_08_13-Abull Origin of virus that hobbled newspapers still unclear - The origins of a suspected computer attack that

disrupted the Los Angeles Times and Tribune Publishing newspapers remain unclearbull httpsabcnewsgocomUSwireStoryorigin-virus-hobbled-newspapers-unclear-60083516

bull Meet CrowdStrikersquos Adversary of the Month for February MUMMY SPIDERbull httpswwwcrowdstrikecomblogmeet-crowdstrikes-adversary-of-the-month-for-february-mummy-

spider February 8 2018 bull North Korea APT() and recent Ryuk Ransomware attacks

bull httpsblogkryptoslogiccommalware20190110dprk-emotethtmlbull US Coast Guard Warns Over Ryuk Ransomware Attacks

bull httpswwwbankinfosecuritycomus-coast-guard-warns-over-ryuk-ransomware-attacks-a-13563bull Georgia county pays a whopping $400000 to get rid of a ransomware infection

bull httpswwwzdnetcomarticlegeorgia-county-pays-a-whopping-400000-to-get-rid-of-a-ransomware-infection

bull Informations Concernant Les Rancongiciels Lockergoga Et Ryukbull httpswwwcertssigouvfruploadsCERTFR-2019-ACT-005pdf

bull Cybereason Researchers Discover a Triple Threat Attack Utilizing Emotet to Deploy TrickBot Which Steals Data and Spreads Ryuk Ransomware

bull httpswwwbenzingacompressreleases1904p13470755cybereason-researchers-discover-a-triple-threat-attack-utilizing-emote

25

References

TLP WHITE ID 202001301000

bull Ryuk Ransomware Adds IP and Computer Name Blacklistingbull httpswwwbleepingcomputercomnewssecurityryuk-ransomware-adds-ip-and-computer-name-

blacklistingbull US Coast Guard - Marine Safety Information Bulletin

bull httpswwwdcouscgmilPortals9DCO20Documents5pMSIB2019MSIB_10_19pdfbull Wizard Spider Upgrades Ryuk Ransomware to Reach Deep into LANs

bull httpsthreatpostcomwizard-spider-upgrades-ryuk-ransomware149853bull US Coast Guard Says Ryuk Ransomware Took Down Maritime Facility

bull httpswwwbleepingcomputercomnewssecurityus-coast-guard-says-ryuk-ransomware-took-down-maritime-facility

bull Mistaken For North Koreans The Ryuk Ransomware Hackers Are Making Millionsbull httpswwwforbescomsitesthomasbrewster20190220mistaken-for-north-koreans-the-ryuk-

ransomware-hackers-are-making-millions6d47034775f4bull Ryuk Ransomware Exploring the Technical and Human Connections

bull httpswwwcovewarecomblog2019219ryuk-ransomware-exploring-the-technical-and-human-connections

bull Stuarts city hall ransomware attack more than likely caused by phishing email scambull httpswwwtcpalmcomstorynewslocalmartin-county20190422city-halls-ransomware-attack-

may-linked-phishing-email-scam-ryuk3540067002bull 7 Florida municipalities have fallen prey to cyber attacks since last year

bull httpswwwnaplesnewscomstorynewscrime201908207-florida-municipalities-have-fallen-prey-cyber-attacks-ryuk-ransomware-phishing2065063001

bull Tampa Bay Times hit with Ryuk ransomware attackbull httpsblogmalwarebytescomransomware202001tampa-bay-times-hit-with-ryuk-ransomware-

attack

26

References

TLP WHITE ID 202001301000

bull Cyber attack Virus Ryuk disrupts The Watertown Daily Times Sunday paper deliverybull httpswwwibtimessgcyber-attack-virus-ryuk-disrupts-watertown-daily-times-sunday-paper-delivery-

30503bull How a Manufacturing Firm Recovered from a Devastating Ransomware Attack

bull httpswwwdarkreadingcomattacks-breacheshow-a-manufacturing-firm-recovered-from-a-devastating-ransomware-attackdd-id1334760

bull Florida LAN Someone clicks link again giving Key Biscayne ransomwarebull httpsarstechnicacominformation-technology201906is-there-something-in-the-water-third-florida-

city-hit-by-ransomwarebull New Warning on Ryuk Ransomware

bull httpswwwdarkreadingcomdocumentaspdoc_id=1335101bull La Porte County Pays $130000 Ransom To Ryuk Ransomware

bull httpswwwbleepingcomputercomnewssecurityla-porte-county-pays-130-000-ransom-to-ryuk-ransomware

bull China on Ryuk Virus alert Deadly ransomware sneaks through the countryrsquos computer systemsbull httpswwwcryptopolitancomchina-on-ryuk-virus-alert

Ryuk Sodinokibi Ransomware Responsible for Higher Average Ransomshttpswwwbleepingcomputercomnewssecurityryuk-sodinokibi-ransomware-responsible-for-higher-average-ransoms

Ryuk Related Malware Steals Confidential Military Financial Fileshttpswwwbleepingcomputercomnewssecurityryuk-related-malware-steals-confidential-military-financial-files

Big Game Hunting with Ryuk Another Lucrative Targeted Ransomwarehttpswwwcrowdstrikecomblogbig-game-hunting-with-ryuk-another-lucrative-targeted-ransomware

27

References

TLP WHITE ID 202001301000

bull Rolling back Ryuk Ransomwarebull httpsnewssophoscomen-us20191004rolling-back-ryuk-ransomware

bull DCH Hospital Pays Ryuk Ransomware for Decryption Keybull httpswwwbleepingcomputercomnewssecuritydch-hospital-pays-ryuk-ransomware-for-decryption-

key

bull Louisiana was hit by Ryuk triggering another cyber-emergencybull httpsarstechnicacominformation-technology201911louisiana-was-hit-by-ryuk-triggering-another-

cyber-emergency

bull Security firm Prosegur Weve shut our IT network after Ryuk ransomware attackbull httpswwwzdnetcomarticlesecurity-firm-prosegur-weve-shut-our-it-network-after-ryuk-ransomware-

attack

bull Cash-moving giant Prosegur knocked offline by Ryuk ransomwarebull httpswwwcsoonlinecomarticle3504492cash-moving-giant-prosegur-knocked-offline-by-ryuk-

ransomwarehtml

bull New ransomware rakes in $4 million by adopting a ldquobig game huntingrdquo strategy Ryuk lies in wait for as long as a year then pounces on only the biggest prey

bull httpsarstechnicacominformation-technology201901new-ransomware-rakes-in-4-million-by-adopting-a-big-game-hunting-strategy

bull A Nasty Trick From Credential Theft Malware to Business Disruptionbull httpswwwfireeyecomblogthreat-research201901a-nasty-trick-from-credential-theft-malware-to-

business-disruptionhtml

28

References

TLP WHITE ID 202001301000

bull Big Game Hunting with Ryuk Another Lucrative Targeted Ransomwarebull httpswwwcrowdstrikecomblogbig-game-hunting-with-ryuk-another-lucrative-targeted-ransomware

bull Hackers Demand Bitcoin Ransom in Cyberattack on Big Canadian Restaurantsbull qhttpswwwcbccanewsbusinessransomware-hack-recipe-unlimited-restaurant-cyberattack-

14847487

bull Ryuk Ransomware Is Making Victims Left and Rightbull httpswwwbleepingcomputercomnewssecurityryuk-ransomware-is-making-victims-left-and-right

bull Ryuk Cult Character to Ransomware Villainbull httpssecurityboulevardcom201912ryuk-cult-character-to-ransomware-villain

bull Hermes ransomware distributed to South Koreans via recent Flash zero-daybull httpsblogmalwarebytescomthreat-analysis201803hermes-ransomware-distributed-to-south-

koreans-via-recent-flash-zero-day

Questions

30

Questions

Upcoming Briefsbull Artificial Intelligence ndash Application to the Healthcare Industry

bull Electronic Health Record systems

bull PyXie RAT

Product EvaluationsRecipients of this and other Healthcare Sector Cybersecurity Coordination Center (HC3) Threat Intelligence products are highly encouraged to provide feedback to HC3HHSGOV

Requests for InformationNeed information on a specific cybersecurity topic Send your request for information (RFI) to HC3HHSGOV or call us Monday-Friday between 9am-5pm (EST) at (202) 691-2110

TLP WHITE ID 202001301000

31

About Us

HC3 works with private and public sector partners to improve cybersecurity throughout the Healthcare and Public Health (HPH) Sector

Sector amp Victim Notifications White PapersDirected communications to victims or potential victims of compromises vulnerable equipment or PIIPHI theft and general notifications to the HPH about currently impacting threats via the HHS OIG

Document that provides in-depth information on a cybersecurity topic to increase comprehensive situational awareness and provide risk recommendations to a wide audience

Threat Briefings amp WebinarBriefing document and presentation that provides actionable information on health sector cybersecurity threats and mitigations Analysts present current cybersecurity topics engage in discussions with participants on current threats and highlight best practices and mitigation tactics

Need information on a specific cybersecurity topic or want to join our listserv Send your request for information (RFI) to HC3HHSGOV or call us Monday-Friday between 9am-5pm (EST) at (202) 691-2110

Products

TLP WHITE ID 202001301000

Contact

Health Sector Cybersecurity Coordination Center (HC3)

(202) 691-2110 HC3HHSGOV

  • Ryuk Update
  • Agenda
  • Overview
  • Functionality
  • Shifting Attribution
  • Shifting Attribution
  • Slide Number 7
  • Threat Actors
  • Threat Actors
  • Slide Number 10
  • Slide Number 11
  • Ransom Demands
  • Slide Number 13
  • Slide Number 14
  • Slide Number 15
  • Slide Number 16
  • Slide Number 17
  • Slide Number 18
  • Slide Number 19
  • Slide Number 20
  • References
  • References
  • References
  • References
  • References
  • References
  • References
  • References
  • Slide Number 29
  • Questions
  • About Us
  • Slide Number 32
Page 19: Ryuk Update - HHS.gov · 2020. 7. 7. · Internet. We have attempted to include as many as possible in this presentation. However, there may be some available to the public not included

19

Indicators of Compromise (Continued)

TLP WHITE ID 202001301000

Hashes

1354ac0d5be0c8d03f4e3aba78d2223e 29340643ca2e6677c19e1d3bf351d654 5ac0f050f93f86e69026faea1fbb4450 86c314bc2dc37ba84f7364acd5108c2b 958c594909933d4c82e93c22850194aa c0202cf6aeab8437c638533d14563d35 cb0c1248d3899358a375888bb4e8f3fe d348f536e214a47655af387408b4fca5

Reference Materials

21

References

TLP WHITE ID 202001301000

bull Ryuk Ransomware Exploring the Technical and Human Connectionsbull httpswwwcovewarecomblog2019219ryuk-ransomware-exploring-the-technical-and-human-

connections

bull 2017 Cylance Threat Reportbull httpspagescylancecom2018-03CylanceThreatReport2017html

bull 2018 Global Threat Report Blurring the Lines Between Statecraft and Tradecraft Crowdstrikebull httpsgocrowdstrikecomrs281-OBQ-266imagesReport2018GlobalThreatReportpdf

bull TEMPMixMaster group infects with Trickbot and delayed Ryuk ransomware combobull httpswwwscmagazinecomhomesecurity-newsfinancially-motivated-threat-actorsreferred-to-as-

temp-mixmaster-are-infecting-victims-with-trickbot-malware-before-deploying-the-infamous-ryuk-ransomware

bull Ryuk ransomware linked to Emotet and TrickBot trojans suspicions shift to cybercriminal groupbull httpswwwscmagazinecomhomesecurity-newsryuk-ransomware-linked-to-emotet-and-trickbot-

trojans-suspicions-shift-to-cybercriminal-group

bull Ryuk ransomware earns hackers $37M in Bitcoin over 5 months - 52 known ransom transactions were recorded the highest worth 99 BTC

bull httpsthenextwebcomhardfork20190114ryuk-bitcoin-ransomware

bull Ryuk Ransomware Crew Makes $640000 in Recent Activity Surgebull httpswwwbleepingcomputercomnewssecurityryuk-ransomware-crew-makes-640-000-in-recent-

activity-surge

22

References

TLP WHITE ID 202001301000

bull Ryuk ransomware gang probably Russian not North Koreanbull httpswwwzdnetcomarticleryuk-ransomware-gang-probably-russian-not-north-korean

bull Cloud Hosting Provider Dataresolutionnet Hit by Ryuk Ransomwarebull httpswwwsecurityswcomblogcloud-hosting-provider-dataresolution-net-hit-by-ryuk-ransomware

bull CrowdStrike 2018 Global Threat Report Blurring the Lines Between Statecraft and Tradecraftbull httpsgocrowdstrikecomrs281-OBQ-266imagesReport2018GlobalThreatReportpdf

bull TrojanTrickBotbull httpsblogmalwarebytescomdetectionstrojan-trickbot

bull TrickBot Banking Trojan Takes Center Stage in 2018bull httpsblogbarklycomtrickbot-trojan-2018-campaigns

bull HHS HCCIC cybersecurity alert New Ryuk ransomware quickly racking up damagebull httpswwwhealthcareitnewscomnewshhs-hccic-cybersecurity-alert-new-ryuk-ransomware-quickly-

racking-damage

bull Notorious Ryuk Ransomware Adds Trojans to Cyberattack Methodbull httpshealthitsecuritycomnewsnotorious-ryuk-ransomware-adds-trojans-to-cyberattack-method

bull Emotet re-emerges after the holidaysbull httpsblogtalosintelligencecom201901return-of-emotethtml

bull The Unholy Alliance of Emotet TrickBot and the Ryuk Ransomwarebull httpsduocomdecipherthe-unholy-alliance-of-emotet-trickbot-and-the-ryuk-ransomware

23

References

TLP WHITE ID 202001301000

bull Cybercrime and Other Threats Faced by the Healthcare Industrybull httpswwwtrendmicrocomcontentdamtrendmicroglobalensecurity-

intelligenceresearchreportswp-cybercrime-amp-other-threats-faced-by-the-healthcare-industrypdf

bull Ryuk ransomware targets big businesses New ransomware group waits and gathers intel before attacking large enterprises

bull httpswwwtechradarcomnewsryuk-ransomware-targets-big-businesses

bull Computer virus hits newspapers coast-to-coastbull httpswwwnbcnewscomnewsus-newscomputer-virus-hits-southern-california-newspapers-

n953001

bull Ryuk Ransomware A Targeted Campaign Break-Down CheckPoint Researchbull httpsresearchcheckpointcomryuk-ransomware-targeted-campaign-break

bull Ryuk ransomware targets big businessesbull httpswwwtechradarcomnewsryuk-ransomware-targets-big-businesses

bull United States Department of Homeland Security Cybersecurity and Infrastructure Security Agency Alert (TA18-201A) Emotet Malware

bull httpswwwus-certgovncasalertsTA18-201A

bull Research Suggests Russian-Based Hackers Behind Ryuk Ransomwarersquos $25 Million Gainsbull httpsfinanceyahoocomnewsresearch-suggests-russian-based-hackers-131700487html

bull Long Island Ransomware Attack New York School Pays $100000bull httpswwwmsspalertcomcybersecurity-breaches-and-attacksransomwareryuk-hits-rockville-centre

24

References

TLP WHITE ID 202001301000

bull Ransomware hits computer networks of North Carolina water utility CyberScoopbull httpswwwcyberscoopcomransomware-hits-onwasa-computer-network-north-carolina-water-utility

bull Media Release Cyber-Criminals Target Critical Utility in Hurricane-Ravaged Area Onslow Water and Sewer Authority

bull httpswwwonwasacomDocumentCenterView3701Scan-from-2018-10-15-08_08_13-Abull Origin of virus that hobbled newspapers still unclear - The origins of a suspected computer attack that

disrupted the Los Angeles Times and Tribune Publishing newspapers remain unclearbull httpsabcnewsgocomUSwireStoryorigin-virus-hobbled-newspapers-unclear-60083516

bull Meet CrowdStrikersquos Adversary of the Month for February MUMMY SPIDERbull httpswwwcrowdstrikecomblogmeet-crowdstrikes-adversary-of-the-month-for-february-mummy-

spider February 8 2018 bull North Korea APT() and recent Ryuk Ransomware attacks

bull httpsblogkryptoslogiccommalware20190110dprk-emotethtmlbull US Coast Guard Warns Over Ryuk Ransomware Attacks

bull httpswwwbankinfosecuritycomus-coast-guard-warns-over-ryuk-ransomware-attacks-a-13563bull Georgia county pays a whopping $400000 to get rid of a ransomware infection

bull httpswwwzdnetcomarticlegeorgia-county-pays-a-whopping-400000-to-get-rid-of-a-ransomware-infection

bull Informations Concernant Les Rancongiciels Lockergoga Et Ryukbull httpswwwcertssigouvfruploadsCERTFR-2019-ACT-005pdf

bull Cybereason Researchers Discover a Triple Threat Attack Utilizing Emotet to Deploy TrickBot Which Steals Data and Spreads Ryuk Ransomware

bull httpswwwbenzingacompressreleases1904p13470755cybereason-researchers-discover-a-triple-threat-attack-utilizing-emote

25

References

TLP WHITE ID 202001301000

bull Ryuk Ransomware Adds IP and Computer Name Blacklistingbull httpswwwbleepingcomputercomnewssecurityryuk-ransomware-adds-ip-and-computer-name-

blacklistingbull US Coast Guard - Marine Safety Information Bulletin

bull httpswwwdcouscgmilPortals9DCO20Documents5pMSIB2019MSIB_10_19pdfbull Wizard Spider Upgrades Ryuk Ransomware to Reach Deep into LANs

bull httpsthreatpostcomwizard-spider-upgrades-ryuk-ransomware149853bull US Coast Guard Says Ryuk Ransomware Took Down Maritime Facility

bull httpswwwbleepingcomputercomnewssecurityus-coast-guard-says-ryuk-ransomware-took-down-maritime-facility

bull Mistaken For North Koreans The Ryuk Ransomware Hackers Are Making Millionsbull httpswwwforbescomsitesthomasbrewster20190220mistaken-for-north-koreans-the-ryuk-

ransomware-hackers-are-making-millions6d47034775f4bull Ryuk Ransomware Exploring the Technical and Human Connections

bull httpswwwcovewarecomblog2019219ryuk-ransomware-exploring-the-technical-and-human-connections

bull Stuarts city hall ransomware attack more than likely caused by phishing email scambull httpswwwtcpalmcomstorynewslocalmartin-county20190422city-halls-ransomware-attack-

may-linked-phishing-email-scam-ryuk3540067002bull 7 Florida municipalities have fallen prey to cyber attacks since last year

30

Questions

Upcoming Briefs
• Artificial Intelligence - Application to the Healthcare Industry
• Electronic Health Record systems
• PyXie RAT

Product Evaluations
Recipients of this and other Healthcare Sector Cybersecurity Coordination Center (HC3) Threat Intelligence products are highly encouraged to provide feedback to HC3@HHS.GOV.

Requests for Information
Need information on a specific cybersecurity topic? Send your request for information (RFI) to HC3@HHS.GOV or call us Monday-Friday between 9am-5pm (EST) at (202) 691-2110.

TLP WHITE ID 202001301000

31

About Us

HC3 works with private and public sector partners to improve cybersecurity throughout the Healthcare and Public Health (HPH) Sector.

Products

Sector & Victim Notifications
Directed communications to victims or potential victims of compromises, vulnerable equipment or PII/PHI theft, and general notifications to the HPH about currently impacting threats via the HHS OIG.

White Papers
Document that provides in-depth information on a cybersecurity topic to increase comprehensive situational awareness and provide risk recommendations to a wide audience.

Threat Briefings & Webinar
Briefing document and presentation that provides actionable information on health sector cybersecurity threats and mitigations. Analysts present current cybersecurity topics, engage in discussions with participants on current threats, and highlight best practices and mitigation tactics.

Need information on a specific cybersecurity topic or want to join our listserv? Send your request for information (RFI) to HC3@HHS.GOV or call us Monday-Friday between 9am-5pm (EST) at (202) 691-2110.

Contact
Health Sector Cybersecurity Coordination Center (HC3)
(202) 691-2110 HC3@HHS.GOV

TLP WHITE ID 202001301000


30

Questions

Upcoming Briefs
• Artificial Intelligence – Application to the Healthcare Industry
• Electronic Health Record systems
• PyXie RAT

Product Evaluations
Recipients of this and other Healthcare Sector Cybersecurity Coordination Center (HC3) Threat Intelligence products are highly encouraged to provide feedback to HC3@HHS.GOV.

Requests for Information
Need information on a specific cybersecurity topic? Send your request for information (RFI) to HC3@HHS.GOV or call us Monday-Friday between 9am-5pm (EST) at (202) 691-2110.


