
Saugat Adhikari 18029221

Module Code & Module Title: CC6003NI & Digital Crime Investigation

Digital Crime Evolution and the Detections: Ryuk Ransomware

Assessment Weightage & Type: 50% Individual Coursework

Year and Semester: 2020-2021 Autumn, Year Long

Assignment Due Date: 31st December 2020

Assignment Submission Date: 29 December 2020

Word Count: 2350

I confirm that I understand my coursework needs to be submitted online via Google Classroom
under the relevant module page before the deadline in order for my assignment to be accepted
and marked. I am fully aware that late submissions will be treated as non-submission and a
mark of zero will be awarded.

Table of Contents

1. Introduction ............................................................................................................................ 1
1.1 Subject Matter.................................................................................................................. 1
1.2 Aims and Objectives ......................................................................................................... 2
1.2.1 Aims........................................................................................................................... 2
1.2.2 Objectives.................................................................................................................. 2
1.3 Report Structure ................................................................................................................... 3
2. Background ............................................................................................................................. 4
2.1 Brief History...................................................................................................................... 4
2.2 Literature Review ............................................................................................................. 6
2.2.1 Ryuk Ransomware .................................................................................................... 6
2.2.2 Case Study ................................................................................................................. 6
2.2.3 Case Analysis ............................................................................................................. 7
3. Attack Demonstration ............................................................................................................. 8
4. Forensics Study ..................................................................................................................... 14
4.1 Malware Analysis (Sandboxing) ..................................................................................... 14
4.1.1 Ryuk Sample Information ....................................................................................... 15
4.1.2 Ransomware Behavior Activities ............................................................................ 16
4.1.3 Dropped Files and File Activity................................................................................ 17
4.1.4 Processes and Registry Activities ............................................................................ 18
4.1.5 Mapping to MITRE ATT&CK MATRIX ...................................................................... 19
4.2 Detection Techniques .................................................................................................... 20
4.2.1 Monitor Windows Processes for any suspicious activities. .................................... 20
4.2.2 Track for unusual resource consumption. .............................................................. 21
4.2.3 Look for Files with the .RYK Extension ....................................................................... 22
4.2.4 Check for suspicious IPs in the Windows host file .................................................. 23
4.3 The Next Step ................................................................................................................. 24
5. Recommendation.................................................................................................................. 31
6. Conclusion ............................................................................................................................. 33
References .................................................................................................................................... 34
Bibliography .................................................................................................................................. 36
Appendix ....................................................................................................................................... 37
A.1 Ransomware Attacks .......................................................................................................... 37
A.1.1 Current Scenario .......................................................................................................... 37
A.1.2 Ransomware Kill Chain ................................................................................................ 40
A.1.3 Ransomware Families .................................................................................................. 42
A.2 History and Evolution of Ransomware ............................................................................... 46
A.3 Ryuk Ransomware .............................................................................................................. 51
A.4 Mapping Ryuk Ransomware to MITRE ATT&CK Matrix ..................................................... 54
A.5 Further Detection Techniques ............................................................................................ 55
A.6 Case Study........................................................................................................................... 56
Table of Figures

Figure 1: Stages of Ransomware Attacks (Abdullahi et al., 2019) .................................................. 1


Figure 2: A timeline of ransomware evolution (Frieswick, 2020) ................................................... 5
Figure 3: Taking a snapshot of Windows 7 ..................................................................................... 8
Figure 4: Sending a phishing mail to victim's address .................................................................... 9
Figure 5: Received mail on the victim's machine ......................................................................... 10
Figure 6: Zip file downloaded by Victim ....................................................................................... 11
Figure 7: Extraction of Zip file ....................................................................................................... 11
Figure 8: Win 7 before infection ................................................................................................... 12
Figure 9: Win 7 after infection ...................................................................................................... 13
Figure 10: Ryuk Ransomware Ransom Note................................................................................. 13
Figure 11: Ransomware Sample in Any Run ................................................................................. 14
Figure 12: General Information on Ryuk Ransomware Sample ................................................... 15
Figure 13: Behavior Activities of Ryuk .......................................................................................... 16
Figure 14: Dropped Files by Ryuk ................................................................................................. 17
Figure 15: File activities by the malware ...................................................................................... 17
Figure 16: Processes Scenario ....................................................................................................... 18
Figure 17: Modified File Permissions by Ryuk .............................................................................. 18
Figure 18: Registry Activity by Ryuk .............................................................................................. 18
Figure 19: Suspicious Use of WriteProcessMemory ..................................................................... 19
Figure 20: MITRE ATT&CK Matrix of Ryuk .................................................................................... 19
Figure 21: Background Processes during Ransomware Infection ................................................ 20
Figure 22: Resource Consumption ................................................................................................ 21
Figure 23: Ryuk Encrypted File Extension ..................................................................................... 22
Figure 24: Windows hosts file ....................................................................................................... 23
Figure 25: Disable Network Connections...................................................................................... 24
Figure 26: Boot Windows in Safe Mode. ...................................................................................... 25
Figure 27: Advanced Boot Options ................................................................................ 26
Figure 28: Show hidden files in Folder Options. ........................................................................... 27
Figure 29: Startup Folder .............................................................................................................. 27
Figure 30: File Creation in Appdata .............................................................................................. 28
Figure 31: Commands to start Windows Restore ......................................................................... 29
Figure 32: Restore Wizard 1.......................................................................................................... 29
Figure 33: Automatic Restore Point .............................................................................................. 30
Figure 34: Windows System Restore Initialized............................................................................ 30
Figure 35: Flowchart to deal with Ransomware (Maurya et al., 2018) ........................................ 32
Figure 36: Ransomware Related Findings (ENISA, 2020).............................................................. 38
Figure 37: Top 10 countries by share of ransomware attack users (ENISA, 2020) ...................... 39
Figure 38: Ransomware Kill Chain (exabeam, 2016) .................................................................... 40
Figure 39: exabeam SOC Ransomware Cheat Sheet (exabeam, 2016) ........................................ 41
Figure 40: Crypto-base VS Locker-base Ransomware Techniques (Abdullahi et al., 2019) ......... 42
Figure 41: Received Payment per Ransomware Family (2013-2017) (Hassan, 2019) .................. 45
Figure 42: Ransomware Infection pretending to be from law enforcement agency (Hassan, 2019) ......... 48
Figure 43: Attack Chain of Ryuk Ransomware (Infoblox, 2019) ................................................... 53
Figure 44: Case Study Page 1 (Infocyte, 2018) ............................................................................. 56
Figure 45: Case Study Page 2 (Infocyte, 2018) ............................................................................. 57
Figure 46: Case Study Page 3 (Infocyte, 2018) ............................................................................. 58
Figure 47: Case Study Page 4 (Infocyte, 2018) ............................................................................. 59
1. Introduction

1.1 Subject Matter

Digital crimes, or cybercrimes, have been no mystery, particularly in the last ten years. People rely on
computers or mobile devices to do their jobs every day and often use them to connect with friends and
family on social networks; both activities create a huge amount of data and knowledge that is stored on
computers and mobile devices or flows through many forms of computer network (Mohammed, 2015).
If such data and documents lack adequate authentication and protection, they are open to misuse and
destruction (Mohammed, 2015). Digital crime begins where there is criminal activity on computers or
networks containing data or information (Mohammed, 2015).

There are many forms of digital crime today, and ransomware, also called digital extortion or digital
blackmail, is one of the newest and most feared (Hassan, 2019). Ransomware is a form of malware that
blocks users from accessing their computing device resources and/or personal data (Hassan, 2019).

Figure 1: Stages of Ransomware Attacks (Abdullahi et al., 2019)

The current scenario, ransomware families and the ransomware kill chain are discussed in Appendix A.1.

Page 1 of 64

1.2 Aims and Objectives

1.2.1 Aims

The report aims to perform a detailed technical analysis of the evolution of ransomware through the
years and to demonstrate a Ryuk Ransomware attack on a victim machine, along with a forensics study
and detection techniques for that particular attack.

1.2.2 Objectives

The objectives of the report are:

➢ To understand the evolution of Ransomware as a digital crime.
➢ To have a clear knowledge of all the domains under the topic Ransomware.
➢ To study the working mechanism and impact of Ryuk Ransomware.
➢ To provide a relevant case study regarding a Ryuk Ransomware Infection.
➢ To demonstrate a successful Ryuk Ransomware infection scenario on a victim machine.
➢ To provide a malware analysis on the particular Ransomware sample.
➢ To offer detection techniques against Ryuk Ransomware.
➢ To deliver an in-depth forensics study on the attack and recovery options.

1.3 Report Structure

➢ Background: Brief History; Literature Review (Ryuk Ransomware, Case Study, Case Analysis)
➢ Attack Demonstration
➢ Forensics Study: Malware Analysis (Sandboxing); Detection Techniques; The Next Step
➢ Recommendation
➢ Conclusion
➢ References
➢ Bibliography
➢ Appendix

2. Background

2.1 Brief History

Since the earliest days of the original computer virus, the ransomware threat has always been
around (Hassan, 2019). Several studies suggest that the very first recorded ransomware, dubbed the
AIDS Trojan (also known as the PC Cyborg virus), emerged in 1989 (Hassan, 2019). The perpetrator, a
biologist named Joseph Popp, mailed 20,000 contaminated floppy disks to attendees of the World Health
Organization's AIDS Conference (Loman, 2019). The disks were labelled "AIDS Information-Introductory
Diskettes" and included an interactive questionnaire; the malware activated after about 90 reboots of
the victim's computer (Hassan, 2019).

Detailed information about the history of ransomware can be found in Appendix A.2.

Figure 2: A timeline of ransomware evolution (Frieswick, 2020)

2.2 Literature Review

2.2.1 Ryuk Ransomware

Security analysts have traced Ryuk to the Wizard Spider threat group operating out of Russia and
Eastern Europe; it was first detected in October 2018 (Security On Demand (SOD), 2020). Before Ryuk,
this group ran the "TrickBot" banking Trojan, which collected credit card and banking details in order
to commit wire fraud (Security On Demand (SOD), 2020). The group's move from "TrickBot" to
ransomware confirms how cybercriminals evolve, adopting new techniques in pursuit of higher
cybercrime gains (Security On Demand (SOD), 2020).

Further information on Ryuk Ransomware can be found in Appendix A.3.

2.2.2 Case Study

The case study presented in this report is based on a Ryuk Ransomware attack on a biotechnology
firm in the U.S. in Q3 2018. The case study was produced by the Infocyte HUNT team, who were the
cybersecurity partner of the victim company and conducted a proper forensic study and analysis of
the attack.

Law enforcement authorities responded to a Ryuk ransomware attack in Q3 2018 on a US-based
biotechnology company with worldwide operations and high-value intellectual property, not to
mention lucrative customers and financial assets and data (Infocyte, 2018). After a request for
incident response assistance from the victim company, Infocyte HUNT conducted a thorough
assessment of the firm's network and hunted for attack vectors and backdoors (Infocyte, 2018).

The key findings from the scan of critical assets and endpoints within 15 minutes were:

➢ Ryuk Ransomware.
➢ 20 systems with memory-injected TrickBot trojans that used in-memory remote access.
➢ Mimikatz credential dumper.
➢ 70+ execution artifacts.
➢ Identification of patient zero and the entry vector of the Ryuk Ransomware attack.

Finally, the Infocyte Hunt team was able to close the attacker’s entry vector, contain the infection
and develop a proper timeline for further analysis.

2.2.3 Case Analysis

The ransomware attack in the above case is one of many high-profile Ryuk Ransomware cases that
occurred in 2018. As in the above incident, the attackers exclusively target large corporations whose
critical assets and confidential information assure them a high return on investment (ROI). According
to research conducted by Trend Micro in 2019, Ryuk Ransomware is the costliest ransomware currently
wreaking havoc in the computing domain. In the above case, the attackers targeted a large biotech
company with thousands of employees and a large number of endpoints and network devices, which
makes discovering patient zero an immense and hectic task for the investigators. Alongside the
ransomware, Mimikatz was used to dump all the credentials back to attacker-controlled machines.
Fortunately, this biotech company got off lightly thanks to the quick incident response by the Infocyte
HUNT team and their ability to close off the attacker's entry vector.

Based on the above incident, this report includes a demonstration of a Ryuk Ransomware attack on a
Windows machine, delivered via a targeted spear-phishing mail to the victim. Unlike the above incident,
because of the small scale of the simulated attack, the demonstrated attack is restricted to one
machine and does not depict the infection of multiple networked machines or network drives.

3. Attack Demonstration

Step 1: Create a snapshot of the image file.

Before infecting the machine with ransomware, a snapshot of the Windows 7 image file is taken;
as a safety measure.

Figure 3: Taking a snapshot of Windows 7

Step 2: Send and receive a targeted phishing mail via a spoofed e-mail address.

A phishing mail is sent from the attacker machine to the victim's e-mail address with an attachment
that contains the malware. As seen in Figure 4: Sending a phishing mail to victim's address, the e-mail
is crafted to look like a normal pay slip mail from the Finance Department, but it is sent from a spoofed
address and contains an attached zip file named Payslip- Target Employee.zip.

Figure 4: Sending a phishing mail to victim's address

Figure 5: Received mail on the victim's machine

Figure 5: Received mail on the victim's machine shows the phishing mail received in the victim's
inbox; once the victim downloads the attached document, his/her machine will be infected with the
ransomware.

Step 3: Download and extract the zip file.

At this point, the victim will download and extract the zip file without knowing the actual motive
of the file.

Figure 6: Zip file downloaded by Victim

Figure 7: Extraction of Zip file

Step 4: Run the executable file and the victim's PC is infected with Ryuk Ransomware.

Now, as soon as the victim double clicks on the executable file, his/her machine will be infected
with the ransomware.

Figure 8: Win 7 before infection shows the normal functioning of victim’s Windows 7 machine.

Figure 8: Win 7 before infection

Figure 9: Win 7 after infection shows the machine after infection with Ryuk Ransomware. As seen in
that figure, all the files are encrypted and a number of processes are running in the background. Like
many ransomware families, Ryuk also creates a readme file telling the victim how to pay the ransom;
it contains a ProtonMail address, as seen in Figure 10: Ryuk Ransomware Ransom Note.

Figure 9: Win 7 after infection

Figure 10: Ryuk Ransomware Ransom Note

4. Forensics Study

4.1 Malware Analysis (Sandboxing)

For a detailed analysis of how this Ryuk Ransomware operates and what it delivers, the malware was
uploaded to the Any Run sandbox environment for technical analysis. Figure 11: Ransomware Sample
in Any Run shows the Any Run dashboard while the Ryuk sample is infecting the machine, along with
file hashes, background processes, network activities and IOCs.

Figure 11: Ransomware Sample in Any Run

4.1.1 Ryuk Sample Information

Figure 12: General Information on Ryuk Ransomware Sample

Figure 12: General Information on Ryuk Ransomware Sample shows general information about
the ransomware sample, its MD5 hash, SHA256, and other information.
File name: d7333223dcc1002aae04e25e31d8c297efa791a2c1e609d67ac6d9af338efbe8.exe
File info: PE32 executable (GUI) for MS Windows
SHA256: d7333223dcc1002aae04e25e31d8c297efa791a2c1e609d67ac6d9af338efbe8

4.1.2 Ransomware Behavior Activities

Figure 13: Behavior Activities of Ryuk illustrates all the suspicious behavior shown by the
ransomware file. As seen in the figure, the malware:

• uses ICACLS.exe to modify access control lists,
• writes to a desktop.ini file to cloak folders,
• creates files in the program directory and drops executable content.

Figure 13: Behavior Activities of Ryuk

4.1.3 Dropped Files and File Activity

Figure 14: Dropped Files by Ryuk depicts the number of files that were dropped while the ransomware
executed. As seen in Figure 15: File activities by the malware, Ryuk Ransomware encrypted 2233 files
during its execution and dropped files mostly into directories such as Program Files and AppData.

Figure 14: Dropped Files by Ryuk

Figure 15: File activities by the malware

4.1.4 Processes and Registry Activities

As seen in Figure 16: Processes Scenario, the malware ran a total of 4 processes and 1 malicious
process, named icacls.exe, which modified the file permissions inside the Windows directories.

Figure 16: Processes Scenario

Figure 17: Modified File Permissions by Ryuk

Similarly, the malware also made a total of 401 Registry events, among which:

• 320 were Read Events
• 80 were Write Events
• 1 was a Delete Event

Figure 18: Registry Activity by Ryuk

Figure 19: Suspicious Use of WriteProcessMemory

4.1.5 Mapping to MITRE ATT&CK MATRIX

The MITRE ATT&CK™ Framework is a systematic collection of the tools and tactics used by adversaries,
which helps threat hunters, red teamers and defenders identify threats and evaluate an enterprise's
exposure. Its purpose is to make it easier to identify adversaries in an organization after a breach
by describing the behavior an attacker is likely to have exhibited.

In Figure 20: MITRE ATT&CK Matrix of Ryuk, the Ryuk Ransomware attack is mapped to the MITRE
ATT&CK Matrix; a detailed description of these attack techniques can be found in Appendix A.4.

Figure 20: MITRE ATT&CK Matrix of Ryuk

4.2 Detection Techniques

4.2.1 Monitor Windows Processes for any suspicious activities.

Open Windows Task Manager and check for any suspicious and sketchy processes that are
running in the background due to the ransomware infection.

Figure 21: Background Processes during Ransomware Infection

As seen in Figure 21: Background Processes during Ransomware Infection, multiple processes named
Payroll Schedule.exe are running in the background along with icacls.exe. If you notice any suspicious
processes, end them to be on the safe side.

4.2.2 Track for unusual resource consumption.

Figure 22: Resource Consumption

As soon as Ryuk Ransomware starts its encryption process, the CPU and memory usage of the victim's
machine rises drastically. Resource consumption such as the 100% CPU usage in Figure 22: Resource
Consumption is a sign of ransomware running its encryption and other malicious tools in the
background.

4.2.3 Look for Files with the .RYK Extension

Ryuk encrypts the victim's computer files with either a symmetric algorithm (AES-256) or an
asymmetric one (RSA-4096) and changes the file extension to .RYK. So, if the files on your computer
have this extension, it is certain that your computer has been infected with Ryuk Ransomware.

Figure 23: Ryuk Encrypted File Extension

4.2.4 Check for suspicious IPs in the Windows hosts file

Windows 7 keeps the hosts file used by Microsoft TCP/IP at the following path:

C:\Windows\System32\drivers\etc\hosts

Follow this path, open the hosts file with Notepad and look for any suspicious IP addresses that have
been added to this file by the ransomware. Such IPs could be the malware's communication medium to
the C&C server. If such IPs appear, delete those IP addresses from the file.

Figure 24: Windows hosts file

Further detection techniques are given in Appendix A.5.
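The three host checks above (suspicious process names, the .RYK extension and the hosts file) as a small Python triage script; this is an added example, not code from the report, and the process listing, hosts-file lines and .RYK files it runs against are constructed. It goes slightly beyond the text by also flagging loopback entries that block a hostname, a common trick for cutting off security-vendor update sites.

```python
"""Triage helpers for the Ryuk host indicators described in Section 4.2.

Added example; not code from the original report. It checks files carrying
the .RYK extension (4.2.3), suspicious process names in a process listing
(4.2.1) and non-standard entries in the Windows hosts file (4.2.4). Every
input used in demo_triage() is constructed for the demonstration.
"""
import ipaddress
import os
import tempfile

RYUK_EXTENSION = ".ryk"
# Process name the report observed during infection (Figure 21).
SUSPICIOUS_PROCESS_NAMES = {"payroll schedule.exe"}
# Legitimate Windows tool the sample launched to rewrite ACLs (4.1.4);
# only reported when a primary suspicious process is also running.
CONTEXT_PROCESS_NAMES = {"icacls.exe"}


def find_encrypted_files(root):
    """Return every file under root whose name ends in .RYK (any case)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(RYUK_EXTENSION):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def flag_processes(process_names):
    """Count suspicious process names; returns {lower-cased name: instances}."""
    counts = {}
    for name in process_names:
        key = name.strip().lower()
        if key in SUSPICIOUS_PROCESS_NAMES or key in CONTEXT_PROCESS_NAMES:
            counts[key] = counts.get(key, 0) + 1
    # icacls.exe on its own is normal administration, so drop it without context.
    if not any(key in SUSPICIOUS_PROCESS_NAMES for key in counts):
        for key in CONTEXT_PROCESS_NAMES:
            counts.pop(key, None)
    return counts


def suspicious_hosts_entries(hosts_text):
    """Return (line_no, reason, line) for hosts-file lines that deserve review.

    A clean Windows hosts file holds only comments and loopback entries for
    'localhost'; anything else either redirects a hostname to a remote
    address or silently blocks it by pointing it at loopback.
    """
    findings = []
    for line_no, raw in enumerate(hosts_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            findings.append((line_no, "malformed entry", raw))
            continue
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            findings.append((line_no, "invalid address", raw))
            continue
        if not addr.is_loopback:
            findings.append((line_no, "maps hostname to remote address", raw))
        elif any(n.lower() != "localhost" for n in parts[1:]):
            findings.append((line_no, "loopback mapping blocks hostname", raw))
    return findings


def demo_triage():
    """Run all three checks against a constructed victim directory."""
    # Constructed hosts file: Windows defaults plus two attacker-style lines
    # (203.0.113.0/24 is the TEST-NET-3 documentation range).
    hosts = (
        "# Copyright (c) 1993-2009 Microsoft Corp.\n"
        "127.0.0.1       localhost\n"
        "::1             localhost\n"
        "127.0.0.1 update.example-av.test   # constructed: blocks AV updates\n"
        "203.0.113.7 payroll.example.test   # constructed: C&C-style entry\n"
    )
    # Constructed process listing mirroring Figure 21.
    procs = ["explorer.exe", "Payroll Schedule.exe", "Payroll Schedule.exe",
             "icacls.exe", "svchost.exe"]
    with tempfile.TemporaryDirectory() as root:
        docs = os.path.join(root, "Documents")
        os.makedirs(docs)
        for name in ("budget.xlsx.RYK", "notes.docx.RYK", "readme.txt"):
            with open(os.path.join(docs, name), "w") as fh:
                fh.write("constructed sample content\n")
        encrypted = find_encrypted_files(root)
        return {
            "encrypted_count": len(encrypted),
            "encrypted_names": [os.path.basename(p) for p in encrypted],
            "processes": flag_processes(procs),
            "hosts": [reason for _no, reason, _line in
                      suspicious_hosts_entries(hosts)],
        }
```

On a real Windows 7 host the same functions would be pointed at the user profile, the output of tasklist and C:\Windows\System32\drivers\etc\hosts.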

4.3 The Next Step

After the detection of the ransomware, the next step is to learn how to control or suppress the
extensive damage by the ransomware. Some investigation and remedial steps are shown below:

1. Disable the network adapter on your computer.

Ryuk Ransomware does not limit its encryption to the local computer's files; in some scenarios it also
encrypts network drives if it can reach them. Hence, the best step once an infection is known is to go
to Network Adapter Settings and disable any currently operating network adapter. This measure limits
the ransomware to the currently infected machine.

Figure 25: Disable Network Connections

2. Restart Windows in Safe Mode without Network.

Another crucial step after infection is to restart your Windows machine in Safe Boot mode with
minimal options. There are two ways to achieve Safe Boot mode in Windows:

• Go to System Configuration from the Search Bar and check the Safe boot option under the
Boot tab. Then apply the settings and your machine will restart in Safe Mode.

Figure 26: Boot Windows in Safe Mode.

• Shut down your machine and on the Windows Load Screen, press F8 key to open the
advanced boot options. In here, choose the option with Safe Mode.

Figure 27: Advanced Boot Options

3. Check Show hidden Files Option in Windows.

For the investigation process, enable the show hidden files in Folder Options of your Windows
machine. This step is crucial, as no files will be left unseen during the investigation process.

Figure 28: Show hidden files in Folder Options.

4. Look for unwanted applications/programs in the Startup folder and delete them.

Many ransomware families, including Ryuk, place their encryption tools in Startup so that the files
remain encrypted even after the victim reboots his/her computer. So, we can look into the Startup
folder and delete such suspicious programs to suppress the encryption to some extent.
Windows path to the Startup folder:
C:\Users\[Username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
Fortunately, as Figure 29: Startup Folder shows, no programs appear in the Startup folder except the
ransom note.

Figure 29: Startup Folder

5. Look for newly created files in AppData, WinDir, ProgramData and Temp and
delete them.

Ryuk usually creates suspicious files inside the AppData, WinDir, ProgramData and Temp folders.
Make sure to delete such files from these folders. Figure 30: File Creation in Appdata shows the
creation of suspicious files in the AppData directory.

Figure 30: File Creation in Appdata

Since there is no decryption tool available for Ryuk Ransomware, the next step is to restore Windows
to a previous System Restore point in order to regain access to the computer.

6. Restore to last known System Restore Point

In order to revert Windows to a previous System Restore Point, enter the following commands in
Command Prompt to start the Restore Wizard:

>cd restore
>rstrui.exe

After the System Restore Wizard opens, simply click Next to revert to an Automatic Restore Point.
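Steps 4 and 5 above, as an added example that is not the report's own code: a Python script that inventories files written after the infection time in the folders the report names (Startup, AppData, WinDir, ProgramData, Temp) and records each file's SHA-256 before anything is deleted, so the evidence survives the clean-up. The directory layout, file names and cutoff time it uses are constructed, and it judges file age by modification time, an assumption stated in the code.

```python
"""Inventory files written after a known infection time in the folders the
report checks in steps 4 and 5 of Section 4.3, hashing each one before any
clean-up so the evidence is preserved.

Added example; not code from the original report. The directory layout in
demo_inventory() is constructed, and file age is judged by modification
time (assumption: dropped files are written at run time, so their mtime
falls inside the infection window).
"""
import hashlib
import os
import tempfile
import time

# Extensions worth a second look in a staging or persistence directory.
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".bat", ".cmd", ".vbs", ".js", ".ps1", ".lnk")


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large artefacts are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def inventory_since(dirs, cutoff_epoch):
    """Return records for files under dirs modified at or after cutoff_epoch.

    Each record holds path, mtime, sha256 and an 'executable' flag. Records
    are sorted by mtime so the earliest artefact comes first; missing
    directories and unreadable files are skipped rather than aborting.
    """
    records = []
    for base in dirs:
        if not os.path.isdir(base):
            continue
        for dirpath, _subdirs, files in os.walk(base):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    st = os.stat(path)
                    if st.st_mtime < cutoff_epoch:
                        continue
                    digest = sha256_of(path)
                except OSError:
                    continue
                records.append({
                    "path": path,
                    "mtime": st.st_mtime,
                    "sha256": digest,
                    "executable": name.lower().endswith(EXECUTABLE_SUFFIXES),
                })
    records.sort(key=lambda rec: rec["mtime"])
    return records


def demo_inventory():
    """Constructed layout: one stale config file and two freshly dropped files."""
    now = time.time()
    cutoff = now - 600                      # infection noticed ten minutes ago
    with tempfile.TemporaryDirectory() as root:
        appdata = os.path.join(root, "AppData", "Roaming")
        startup = os.path.join(root, "Startup")
        os.makedirs(appdata)
        os.makedirs(startup)
        # Pre-existing file, backdated to two hours before the cutoff.
        stale = os.path.join(appdata, "settings.ini")
        with open(stale, "w") as fh:
            fh.write("[constructed]\n")
        os.utime(stale, (cutoff - 7200, cutoff - 7200))
        # Files written "now", as a dropper would (contents are constructed;
        # the executable holds the standard SHA-256 test vector "abc").
        with open(os.path.join(appdata, "Payroll Schedule.exe"), "wb") as fh:
            fh.write(b"abc")
        with open(os.path.join(startup, "ransom_note.txt"), "w") as fh:
            fh.write("constructed ransom note placeholder\n")
        records = inventory_since([appdata, startup, "/missing/dir"], cutoff)
        return {
            "count": len(records),
            "names": sorted(os.path.basename(r["path"]) for r in records),
            "executables": [os.path.basename(r["path"])
                            for r in records if r["executable"]],
            "exe_digest": next(r["sha256"] for r in records if r["executable"]),
        }
```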

Figure 31: Commands to start Windows Restore

Figure 32: Restore Wizard 1

Figure 33: Automatic Restore Point

Figure 34: Windows System Restore Initialized

5. Recommendation

The best way to protect your computer/network from ransomware such as Ryuk is awareness and
taking some safety measures.

Endpoint Defense Recommendations:

➢ Install Security Solutions; such as, Antivirus.
➢ Regularly Update OS and installed Applications.
➢ Use Virtualization Technology, if possible.
➢ Secure your Web Browsing.
➢ Block Web Page Redirect.
➢ Only use trusted Web Browser Add-ons.
➢ Disable Macros in Office Files.
➢ Use a Least Privilege Account.
➢ Do Not Install Pirated Software.
➢ Create Regular Backup of your data.

Enterprise Defense Recommendations:

➢ Use Patch Management Tools for Efficient Patch Management.
➢ Harden your Environment (Physical Security).
➢ Implement Network Segmentation.
➢ Deploy a Generic Anti-ransomware Product.
➢ Deploy Next-generation Firewalls.
➢ Use Intrusion Detection Systems and Intrusion Prevention Systems.
➢ Implement Malicious URL Blocking.
➢ Maintain Effective Backup and Recovery Strategy.

Figure 35: Flowchart to deal with Ransomware (Maurya et al., 2018)

6. Conclusion

Over time, ransomware, like any malware, evolves. As technology, defences and people's psychology
advance, the methods of infection will keep changing. It is clear that ransomware and other
extortion-based malware models are here to stay, growing steadily in sophistication, hostility and
variety, and giving unskilled criminals with money and time a wealth of ready-to-go solutions to boost
their productivity. Attacks such as the one shown in this report clearly depict a strong need to be
aware, vigilant and to hunt for such risks.

As we enter 2021, fresh and unforeseen developments in malware and other digital crimes are
unavoidable. Hence, the more stable and robust our networks are, the less likely we are to fall prey
to Ryuk, WannaCry or some new version of ransomware on the horizon.

References

Abdullahi, M.M. et al. (2019) Systematic literature review and metadata analysis of ransomware.
Journal of Reliable Intelligent Environments, 5, pp.67-89.
Delaney, D. (2018) How to Detect RYUK Ransomware on Your Network [Online]. Available from:
https://www.netfort.com/blog/how-to-detect-ryuk-ransomware-on-your-network/ [Accessed 5
December 2020].
ENISA. (2020) Ransomware: ENISA Threat Landscape. Company Report. Attiki: ENISA European
Union Agency for Cybersecurity.
exabeam. (2016) The Anatomy of a Ransomware Attack. Threat Research Report. exabeam.
Frieswick, T. (2020) History of Ransomware [Document]. Kivu Consulting. Available at:
https://kivuconsulting.com/wp-content/uploads/2020/06/Kivu-Cyber-Report_The-History-of-
Ransomware_May2020.pdf [Accessed 12 December 2020].
Gorman, O. & McDonald, G. (2012) Ransomware: A growing menace. White Paper. Symantec
Corporation.
Hassan, N.A. (2019) Ransomware Revealed. 1st ed. New York: Apress.
Infoblox. (2019) Ryuk Ransomware Cyber Report [Document]. Infoblox Available at:
https://www.infoblox.com/wp-content/uploads/threat-intelligence-report-ryuk-ransomeware-
cyber-report.pdf [Accessed 14 December 2020].
Infocyte. (2018) CASE STUDY/ BIOTECHNOLOGY [Document]. Infocyte Available at:
https://www.infocyte.com/wp-content/uploads/infocyte_hunt-biotech_case_study.pdf
[Accessed 12 November 2020].
Loman, M. (2019) How Ransomware Attacks [PDF]. Sophos Available at:
https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophoslabs-ransomware-
behavior-report.pdf [Accessed 10 December 2020].
Maurya, A.K., Kumar, N. & Agrawal, A. (2018) Ransomware: Evolution, Target and Safety
Measures. International Journal of Computer Sciences and Engineering, 6(1), pp.80-85.
MITRE. (2015) ATT&CK Matrix for Enterprise [Online]. Available from: https://attack.mitre.org/
[Accessed 8 December 2020].
Mohammed, S. (2015) An Introduction to Digital Crimes. International Journal in
Foundations of Computer Science & Technology (IJFCST), 5(3), pp.13-24.


Muslim, A.K., Dzulkifli, D.Z.M. & Nadhim, H.M. (2019) A Study of Ransomware Attacks: Evolution
and Prevention. Journal of Social Transformation and Regional Development, 1(1), pp.18-25.
Richardson, R. & North, M. (2017) Ransomware: Evolution, Mitigation and Prevention.
International Management Review, 13(1), pp.10-21.
Security On Demand (SOD). (2020) Maze & Ryuk Ransomware Threat Assessment Report
[Document]. Security On Demand (SOD). Available at: https://www.securityondemand.com/wp-
content/uploads/2020/11/maze-ryuk-wp.pdf [Accessed 13 December 2020].
Shah, N. & Farik, M. (2017) Ransomware - Threats, Vulnerabilities and Recommendations.
International Journal of Scientific & Technology Research, 6(6), pp.307-09.
Trendmicro. (2019) Ransomware: Past, Present, and Future [Document]. Trendmicro Available
at: https://documents.trendmicro.com/assets/wp/wp-ransomware-past-present-and-
future.pdf [Accessed 14 December 2020].


Bibliography

Berrueta, E., Morato, D., Magaña, E. & Izal, M. (2019) A Survey on Detection Techniques for
Cryptographic Ransomware. IEEE Access, 7.
Brotherston, L. & Berlin, A. (2017) Defensive Security Handbook: Best Practices for Securing
Infrastructure. 1st ed. California: O'Reilly Media.
Levison, M. (2017) Ransomware Attack: A Guide to Basic protection from malware and
ransomware attacks for Employee and Employers. 1st ed. CreateSpace Independent Publishing
Platform.
Liska, A. & Gallo, T. (2016) Ransomware: Defending Against Digital Extortion. 1st ed. O'Reilly
Media, Inc.
Maurya, A.R. (2019) Study of Ryuk Ransomware Attack. GRD Journals- Global Research and
Development Journal for Engineering, 4(7), pp.48-50.
Trend Micro. (2020) Solutions and Protections against RYUK Ransomware [Online]. Available
from: https://success.trendmicro.com/solution/1123892-ryuk-ransomware-
information#:~:text=Ryuk%20is%20a%20ransomware%20which,critical%20assets%20of%20its
%20victims. [Accessed 3 December 2020].


Appendix

A.1 Ransomware Attacks

A.1.1 Current Scenario

Ransomware is a common tool in the hands of malicious actors seeking to harm states, companies and individuals on a daily basis (ENISA, 2020). The victim of ransomware suffers economic harm either by paying the ransom or by paying the cost of recovering from the attack if they do not meet the attacker's demands (ENISA, 2020).

Baltimore, Maryland suffered a lockout after an incident in 2019; recovery is expected to cost US $18.2 million (approx. €15.4 million), even though the city declined to pay the ransom (ENISA, 2020). With the growing number of ransomware incidents it is apparent that becoming a victim is not a question of 'if' but of 'when' (ENISA, 2020).

Although cyber insurance policies have existed since the early 2000s, ransomware is one of the key reasons for the renewed interest in this form of insurance over the last five years (ENISA, 2020).


Figure 36: Ransomware Related Findings (ENISA, 2020)


Figure 37: Top 10 countries by share of ransomware attack users (ENISA, 2020)

Figure 37, based on a recent Kaspersky study, shows the top 10 countries by share of users
attacked by mobile ransomware Trojans in Q2 2019.


A.1.2 Ransomware Kill Chain

The six stages of Ransomware Kill Chain are as follows:

Figure 38: Ransomware Kill Chain (exabeam, 2016)

1. Distribution Campaign: attackers use tactics such as social engineering and weaponized
websites to manipulate or coerce users into downloading a dropper that begins the infection
(exabeam, 2016).

2. Malicious Code Infection: the dropper downloads an executable, which in turn downloads
the ransomware itself (exabeam, 2016).

3. Malicious Payload Staging: the ransomware installs itself on the device and establishes
persistence so that it survives a reboot (exabeam, 2016).

4. Scanning: the ransomware scans for files to encrypt on the local device as well as on the
network (exabeam, 2016).

5. Encryption: the ransomware then runs its encryption routine over all the discovered files
(exabeam, 2016).

6. Payday: a ransom note is generated and shown to the victim, and the attacker waits for the
ransom to be paid (exabeam, 2016).


Figure 39: exabeam SOC Ransomware Cheat Sheet (exabeam, 2016)

Figure 39, compiled by the exabeam SOC team, shows the common activities exhibited by
ransomware at each stage of its kill chain.


A.1.3 Ransomware Families

There are two common categories of ransomware based on their techniques/functionality:

1. Crypto-Based Ransomware
Encrypting ransomware uses strong encryption algorithms to block access to files and demands
payment of a ransom for decryption (Shah & Farik, 2017). Some widely known encrypting
ransomware families are 'CryptoLocker', 'Locky', 'CryptoWall' and 'WannaCrypt'.

2. Locker-Based Ransomware
Locker ransomware locks the victim out of the operating system, preventing access to the
browser, applications and files (Shah & Farik, 2017). The most famous locker ransomware is
'WinLocker'.

Figure 40: Crypto-base VS Locker-base Ransomware Techniques (Abdullahi et al., 2019)


Based on the method the attacker uses to spread the infection, ransomware can also be divided
into three categories:

1. Crypto worm

Self-contained malware that replicates itself to other machines for maximum reach and impact
(Loman, 2019).

2. Ransomware-as-a-Service (RaaS)

Ransomware sold on the dark web as a ready-made package to anyone who can afford it (Loman,
2019). RaaS kits make it possible for individuals with little technical skill to attack with relative
ease (Loman, 2019). They are usually delivered via malicious spam e-mail (malspam), as drive-by
downloads via exploit kits, or semi-manually by active adversaries (Loman, 2019).

3. Automated Active Adversary

Here the ransomware is installed by attackers who use tooling to scan the internet for poorly
protected IT systems (Loman, 2019). When such systems are found, the attackers establish a
foothold and from there carefully prepare the ransomware attack for maximum damage (Loman,
2019).


The Most Prominent Ransomware Strains

➢ Ryuk
➢ WannaCry
➢ Locky
➢ SamSam
➢ APT
➢ CryptoWall
➢ CryptXXX
➢ DMA Locker
➢ Petya

Distinct ransomware families use the same infection vectors for distribution (Hassan, 2019). At
present the main distribution tools used by ransomware operators are malicious e-mail and
exploit kits (Hassan, 2019). Note also that most ransomware families collect ransom payments
in Bitcoin and host their command-and-control servers on the Tor dark web (Hassan, 2019). The
main differences between families are the encryption algorithm used to encrypt victim files and
the size of the ransom demanded (Hassan, 2019).

Figure 41: Received Payment per Ransomware Family (2013-2017) shows the ransomware
families and the amount of payment received by each between 2013 and 2017, based on a study
by GoSecure.


Figure 41: Received Payment per Ransomware Family (2013-2017) (Hassan, 2019)


A.2 History and Evolution of Ransomware

The first prototype of asymmetric (public-key) ransomware was introduced in 1996 by Adam L.
Young and Moti Yung (Gorman & McDonald, 2012). In 2005 a new ransomware known as GPCoder
appeared; it was distributed through spam e-mail attachments disguised as job applications
(Richardson & North, 2017). Users who opened the attachment were forced to pay a ransom.
Separately, locker ransomware targeted users' operating systems and pressured them to pay via
SMS text message or by calling a premium-rate phone number (Muslim et al., 2019).

2008: The Invention of Bitcoin

Bitcoin, which first appeared online in August 2008, is a decentralized cryptocurrency. It enabled
cyber criminals to demand ransoms in cryptocurrency, moving away from conventional currency
transactions (Frieswick, 2020). Bitcoin went live in 2009 and was later widely adopted as the
payment method in ransomware attacks.

2009: Vundo, The Turning Point

Earlier Trojan ransomware such as GPCoder and Archievus generated low financial returns,
because anti-malware programs quickly spotted and disabled them (Frieswick, 2020).
Accordingly, before 2009 criminals preferred to mislead victims through phishing and fake
antivirus scams (Frieswick, 2020).

In 2009 a known 'scareware' virus named Vundo changed techniques and started operating as
ransomware (Frieswick, 2020). Vundo had previously compromised computer networks and
displayed its own false security warnings, tricking victims into installing a fake patch. In 2009
criminals converted Vundo into ransomware by using it to encrypt data on victims' devices and
then selling them a 'legitimate' remedy to decrypt the files (Frieswick, 2020).


2011: Trojan WinLock

In 2011 the WinLock Trojan emerged and is regarded as the first mainstream 'locker'
ransomware. Rather than encrypting data, a locker prevents the user from logging in and locks
them out of the entire machine (Frieswick, 2020). The WinLock Trojan imitated the product
activation mechanism of Windows, leaving victims locked out until they bought an activation key
(Frieswick, 2020).

2012: 'Police' Ransomware

The trend of impersonating legitimate software and authorities to deceive victims into paying
bogus fines grew with 'Police' ransomware (Frieswick, 2020). Attackers spread malware that
locked infected machines and displayed messages purporting to come from law enforcement
agencies (Frieswick, 2020).


Figure 42: Ransomware Infection pretending to be from law enforcement agency (Hassan, 2019)

2013-2015: Stronger Encryption

Encouraged by Reveton's success in generating large sums of money, various ransomware
variants such as CryptoLocker, TorrentLocker, CryptoWall and TeslaCrypt emerged between 2013
and 2015 (Hassan, 2019). These families used strong encryption (e.g. AES and 2048-bit RSA),
contributing to an exponential rise in ransom payments that by late 2015 exceeded $325 million
(Hassan, 2019).


2016: Introduction of new Ransomware families (Locky, KeRanger, SamSam)

In 2016 ransomware grew more sophisticated, adding features such as a countdown timer (with
a demand that rises over time if the victim does not pay) and new variants capable of spreading
automatically across networked computers (Hassan, 2019). 2016 was also remarkable for the
number of new ransomware families: 247 were detected, a 752 percent rise over 2015
(Trendmicro, 2019).

2017: Global Campaigns: WannaCry and Petya

WannaCry and Petya were the first ransomware attacks to occur on a widespread global scale.
In May 2017 WannaCry hit its first victims in Spain (Frieswick, 2020). Within days a quarter of a
million machines were compromised, making it the biggest ransomware attack in history
(Frieswick, 2020).

Petya was another cryptoworm that exploited the same Windows vulnerabilities as WannaCry,
despite security fixes having been released to address them (Frieswick, 2020). Petya's success
shows the urgency of keeping operating systems and their ecosystems updated (Frieswick, 2020).

2018: A Neutral Year

2018 saw a drop in ransomware attacks. Ransomware infections declined 30 percent globally,
according to studies released by Kaspersky and Malwarebytes (Hassan, 2019). While these
numbers are somewhat promising, the data suggest that although the number of infections fell
in 2018, ransomware became more advanced, and several more variants gained the ability to
self-propagate (Hassan, 2019).

2020: Ransomware Forecast

In October 2019 the Internet Crime Complaint Center (IC3) of the Federal Bureau of Investigation
(FBI) released a 'high-impact' alert to U.S. businesses and organizations (Hassan, 2019). In
addition, a spike in Ryuk ransomware attacks is expected once the fear of the pandemic
dissipates (Hassan, 2019).

Cybersecurity Ventures estimates that by 2021 cybercrime damage will exceed $6 trillion; the
same study forecasts that by 2021 a ransomware attack will strike an organization every 11
seconds, and that the total damage caused by ransomware in 2021 will cost the world $20 billion
(Frieswick, 2020).


A.3 Ryuk Ransomware

Ryuk encrypts local files and also encrypts drives on the network. Ryuk then runs a Windows
batch script to erase the encryption key, shadow copies of files and any available backup files
(Infoblox, 2019). Reportedly, the initial ransom demand to decrypt files was between 15 and 50
Bitcoin (BTC) (Infoblox, 2019). The ransom notes threatened to raise the demand by 0.5 BTC per
day until the victim paid (Infoblox, 2019).

Malwarebytes reported highly targeted attacks in the last week of December 2018 that spread
Ryuk ransomware and disrupted at least two businesses: cloud storage provider Data Resolution
and the umbrella company Tribune Publishing, which publishes multiple newspapers (Infoblox,
2019). Ryuk was confirmed to be a secondary payload delivered by the Emotet and TrickBot
trojans (Infoblox, 2019).
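The batch script described above is the point at which a defender can still catch Ryuk before encryption begins, because it has to issue recognizable recovery-inhibition commands. The following detector is an added example, not code from this report or from any of its sources: it runs a handful of rules over a constructed, pipe-separated process-creation export and groups hits per host and user. The specific commands matched (vssadmin, wmic, bcdedit, wbadmin, del) are assumed from public analyses of ransomware pre-encryption scripts and ATT&CK T1490; the report itself only says the script erases shadow copies and backups.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample of process-creation events in our own pipe-separated format
# (timestamp|host|user|parent image|command line), loosely modelled on an EDR export.
# The CORP\jsmith lines imitate a recovery-inhibition batch script; the rest is noise.
SAMPLE_EVENTS = """\
2020-12-10T02:13:07Z|FS01|CORP\\svc_backup|cmd.exe|vssadmin.exe list shadows
2020-12-10T02:14:51Z|FS01|CORP\\jsmith|cmd.exe|vssadmin.exe Delete Shadows /all /quiet
2020-12-10T02:14:52Z|FS01|CORP\\jsmith|cmd.exe|vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=401MB
2020-12-10T02:14:53Z|FS01|CORP\\jsmith|cmd.exe|wmic.exe shadowcopy delete
2020-12-10T02:14:54Z|FS01|CORP\\jsmith|cmd.exe|bcdedit.exe /set {default} recoveryenabled No
2020-12-10T02:14:55Z|FS01|CORP\\jsmith|cmd.exe|wbadmin.exe delete catalog -quiet
2020-12-10T02:14:56Z|FS01|CORP\\jsmith|cmd.exe|del /s /f /q D:\\Backups\\*.bak
2020-12-10T02:20:00Z|WS22|CORP\\amir|explorer.exe|notepad.exe C:\\Users\\amir\\notes.txt
2020-12-10T02:21:00Z|WS22|CORP\\amir|powershell.exe|vssadmin.exe list shadows /for=C:
"""

# Assumption: these command patterns come from public analyses of ransomware
# pre-encryption scripts (ATT&CK T1490, Inhibit System Recovery), not from this report.
RULES = [
    ("vssadmin delete shadows", re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b")),
    ("vssadmin resize shadowstorage", re.compile(r"\bvssadmin(?:\.exe)?\b.*\bresize\s+shadowstorage\b")),
    ("wmic shadowcopy delete", re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\s+delete\b")),
    ("bcdedit disable recovery", re.compile(
        r"\bbcdedit(?:\.exe)?\b.*\b(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b")),
    ("wbadmin delete catalog", re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+catalog\b")),
    ("delete backup files", re.compile(r"(?:^|\s)del\b.*\.(?:bak|bkf|vhd|vhdx|set|win)\b")),
]


@dataclass
class Finding:
    ts: str
    host: str
    user: str
    rule: str
    command: str


def normalise(cmdline: str) -> str:
    """Lower-case, drop quotes and collapse whitespace so rules are layout-insensitive."""
    return re.sub(r"\s+", " ", cmdline.replace('"', "")).strip().lower()


def classify(cmdline: str) -> List[str]:
    """Return the names of every rule the command line triggers (empty list if benign)."""
    norm = normalise(cmdline)
    return [name for name, rx in RULES if rx.search(norm)]


def find_recovery_inhibition(log_text: str) -> List[Finding]:
    """Parse the export and emit one Finding per (event, matched rule)."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, user, _parent, cmdline = line.split("|", 4)
        for rule in classify(cmdline):
            findings.append(Finding(ts, host, user, rule, cmdline))
    return findings


def summarise(findings: List[Finding]) -> Dict[Tuple[str, str], dict]:
    """Group by (host, user). Several distinct recovery-inhibition commands from one
    principal is the signature of a scripted pre-encryption stage, so rate that high."""
    grouped = defaultdict(set)
    for f in findings:
        grouped[(f.host, f.user)].add(f.rule)
    return {
        key: {"rules": sorted(rules), "severity": "high" if len(rules) >= 2 else "medium"}
        for key, rules in grouped.items()
    }


if __name__ == "__main__":
    for key, info in summarise(find_recovery_inhibition(SAMPLE_EVENTS)).items():
        print(key, info["severity"], ", ".join(info["rules"]))
```

Benign administrative use of `vssadmin list shadows` produces no finding, while the scripted sequence from one account triggers six distinct rules within seconds. In a real deployment the per-principal grouping is what keeps the alert useful: a single `vssadmin resize shadowstorage` from a storage administrator is medium-severity noise, but the same account also running `bcdedit` and `wbadmin delete catalog` is an incident.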

How Ryuk Works

Ryuk was deliberately designed to attack corporate networks, with victims ranging from national
governments to pharmaceutical providers and media giants (Security On Demand (SOD), 2020).
In many instances the initial compromise is achieved through well-crafted spear-phishing, as with
most other ransomware attacks (Security On Demand (SOD), 2020). However, attacks have been
equally successful through conventional exploitation of vulnerabilities and drive-by downloads
using "click-bait" ads and websites (Security On Demand (SOD), 2020).

Following the initial compromise, a first-stage malware, commonly the TrickBot or Emotet trojan,
is downloaded and installed (Security On Demand (SOD), 2020). These trojans do the initial
"investigative" work on the compromised device, scanning for and extracting passwords stored
in the victim's web browsers and other cached credential stores, and then download and install
the Ryuk ransomware (Security On Demand (SOD), 2020).


Ryuk Proliferation

Ryuk's greatest differentiator is its ability to deploy and evade detection while gaining ground on
the compromised computer and continuing to spread across the network (Security On Demand
(SOD), 2020). In some attacks Ryuk spreads internally, similar to the disruptive NotPetya attack of
2017, by exploiting the MS17-010 SMB vulnerability made notorious the same year by the
WannaCry attack (Security On Demand (SOD), 2020). In other instances Ryuk spreads using stolen
credentials, abusing network shares and PsExec or compromising further devices and servers
(Security On Demand (SOD), 2020). Ryuk also specifically seeks out backup copies of data and
encrypts them, as an extra measure to ensure that the target cannot recover (Security On
Demand (SOD), 2020).

The Ransom Part

When all the files are encrypted, the screen is taken over by the ransom note characteristic of
all ransomware (Security On Demand (SOD), 2020). The message tells the user what has
happened and that any attempt to unlock the files with their current tools will fail, leaving them
no choice but to pay the amount of Bitcoin stated on the screen (Security On Demand (SOD),
2020).

The outrageously high ransom demand is another crucial way in which Ryuk differs from
standard ransomware (Security On Demand (SOD), 2020). For example, the 2017 WannaCry
attack that infected over 200,000 users in a 24-hour period earned the attackers only around
$150,000 USD in total (Security On Demand (SOD), 2020), less than $1 per infected system.
Conversely, Ryuk allegedly made over $3 million during the wave of Ryuk attacks in August 2018,
despite hitting far fewer organizations and computers (Security On Demand (SOD), 2020).


Figure 43: Attack Chain of Ryuk Ransomware (Infoblox, 2019)


A.4 Mapping Ryuk Ransomware to MITRE ATT&CK Matrix

• Execution:
➢ Execution through API: the ransomware interacted directly with the Windows OS
Application Programming Interface (API) to perform its behaviors (MITRE, 2015).

➢ User Execution: it also relied on actions from the user for execution.

• Defense Evasion:
➢ File Permissions Modification: it altered file permissions/attributes in order to
bypass ACLs and access protected files.

➢ Install Root Certificate: in public key cryptography, root certificates identify a root
Certificate Authority (CA) (MITRE, 2015). Once a root certificate is installed, the device
or program trusts every certificate signed by it in the chain of trust (MITRE, 2015). The
malware installed a root certificate on the system to weaken its security.

➢ Modify Registry: it interacted with the Windows Registry to hide configuration
information inside registry keys and to remove information as part of its clean-up
process (MITRE, 2015).

• Discovery:
➢ Query registry: The malware communicated with the Windows Registry to collect
device information, setup, and installed software information (MITRE, 2015).


A.5 Further Detection Techniques

1. Watch out for a dramatic increase in file renames.

File renames are not a frequent operation in network file-sharing activity (Delaney, 2018). Over
a typical day, even with hundreds of users on the network, you may see only a handful of
renames. When ransomware like Ryuk strikes and data is encrypted, the result is a huge spike in
file renames (Delaney, 2018).

2. Check file shares for ransom notes.

When Ryuk encrypts files on a machine it leaves a ransom note in the form of a text file (Delaney,
2018). The message inside "RyukReadMe.txt" comes from the Ryuk developers, who warn
victims that a strong cryptographic algorithm has encrypted all their data (Delaney, 2018). They
also state that backups and shadow copies have been encrypted.

3. Monitor newly created entries that reference AppData, WinDir and ProgramData in the
Registry Editor.
Ryuk drops files and creates registry entries (such as autorun keys) that point into the AppData,
WinDir and ProgramData directories, in support of persistence, lateral movement and privilege
escalation. Review any newly created entries there and remove the malicious ones.
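Techniques 1 and 2 above are both observable in a file server's audit log, so they are best implemented together. The detector below is an added example and not code from this report or from Delaney (2018): it builds a constructed audit log in our own pipe-separated format (timestamp|user|client|operation|path[|new path]) with a day of ordinary activity followed by one account renaming many files in seconds, then applies a per-user sliding-window rename count and a ransom-note filename check. The "RyukReadMe.txt" name is taken from the text; the ".RYK" extension on renamed files and the window and threshold values are assumptions and should be tuned against a real baseline.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass
class Event:
    ts: datetime
    user: str
    client: str
    op: str                      # OPEN, WRITE, CREATE or RENAME
    path: str
    new_path: Optional[str] = None


def constructed_audit_log() -> str:
    """Constructed file-share audit log (ts|user|client|op|path[|new path]).
    Baseline: ordinary activity with an occasional rename. Burst: one account renaming
    many files to a new extension within seconds and dropping a ransom note per folder.
    Assumption: the '.RYK' extension comes from public Ryuk reports, not from this page."""
    base = datetime(2020, 12, 10, 9, 0, 0)
    lines = []
    for i in range(30):
        t = (base + timedelta(minutes=5 * i)).isoformat()
        lines.append(f"{t}|CORP\\amir|10.0.4.11|OPEN|\\\\FS01\\finance\\q4\\report{i}.xlsx")
        if i % 10 == 0:
            lines.append(f"{t}|CORP\\amir|10.0.4.11|RENAME|\\\\FS01\\finance\\q4\\draft{i}.docx"
                         f"|\\\\FS01\\finance\\q4\\final{i}.docx")
    burst = base + timedelta(hours=5)
    for i in range(40):
        t = (burst + timedelta(milliseconds=500 * i)).isoformat()
        folder = "\\\\FS01\\hr\\a" if i < 20 else "\\\\FS01\\hr\\b"
        lines.append(f"{t}|CORP\\jsmith|10.0.5.23|RENAME|{folder}\\doc{i}.pdf|{folder}\\doc{i}.pdf.RYK")
        if i % 20 == 0:
            lines.append(f"{t}|CORP\\jsmith|10.0.5.23|CREATE|{folder}\\RyukReadMe.txt")
    return "\n".join(lines)


def parse_audit(text: str) -> List[Event]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("|")
        ts, user, client, op, path = parts[:5]
        events.append(Event(datetime.fromisoformat(ts), user, client, op, path,
                            parts[5] if len(parts) > 5 else None))
    return events


def rename_bursts(events: List[Event], window: timedelta = timedelta(seconds=60),
                  threshold: int = 20) -> List[Tuple[str, datetime, int]]:
    """Per-user sliding window: alert once a user's renames within `window` reach `threshold`.
    Returns (user, window start, count); one alert per user is enough for triage."""
    per_user = defaultdict(list)
    for e in events:
        if e.op == "RENAME":
            per_user[e.user].append(e.ts)
    alerts = []
    for user, times in per_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append((user, times[start], end - start + 1))
                break
    return alerts


def ransom_notes(events: List[Event], note_names=("ryukreadme.txt",)) -> List[Event]:
    """Creation or write of a file whose basename is a known ransom-note name."""
    return [e for e in events if e.op in ("CREATE", "WRITE")
            and e.path.rsplit("\\", 1)[-1].lower() in note_names]


def renamed_to_extension(events: List[Event], ext: str = ".ryk") -> List[Event]:
    return [e for e in events if e.op == "RENAME" and e.new_path
            and e.new_path.lower().endswith(ext)]


def detect(text: str) -> dict:
    events = parse_audit(text)
    bursts, notes, ryk = rename_bursts(events), ransom_notes(events), renamed_to_extension(events)
    return {
        "rename_bursts": bursts,
        "ransom_notes": [(e.user, e.path) for e in notes],
        "ryk_renames": len(ryk),
        # A rename burst alone can be a bulk migration; combined with a note or the
        # extension it is ransomware activity.
        "verdict": "ransomware activity likely" if bursts and (notes or ryk)
                   else "no ransomware indicators",
    }


if __name__ == "__main__":
    print(detect(constructed_audit_log()))
```

The three baseline renames from CORP\amir never reach the threshold, while CORP\jsmith's 40 renames in 20 seconds trip it at the twentieth event, and the two RyukReadMe.txt creations confirm the verdict. Because the rename window is computed per user, the spike also tells you which credential the ransomware is running under and, via the client address, which host to isolate first.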


A.6 Case Study

Figure 44: Case Study Page 1 (Infocyte, 2018)


Figure 45: Case Study Page 2 (Infocyte, 2018)


Figure 46: Case Study Page 3 (Infocyte, 2018)


Figure 47: Case Study Page 4 (Infocyte, 2018)
