Ryuk Ransomware: Live Demo and Analysis

Captions
Hello and welcome to The PC Security Channel. Today we'll be taking a look at Ryuk ransomware. As usual we'll do a live analysis: run the ransomware on a test VM, see what happens and give you the best advice to defend against it. This video is brought to you by Malwarebytes Privacy; check them out using the link in the description.

All right, so why am I talking about Ryuk right now, given that this is a ransomware that's been around for about two years now? There are several reasons for it. First of all, there's a brand new variant, and this one has a lot of worm capabilities, including self-propagation via network shares. If you are someone who is managing the network of a company, you should take note of some of the IP ranges that it's going to attack: 10.0.0., 172.16. and 192.168. These are very common local ranges of IP addresses, and what Ryuk is going to do is look for any network drives or system locations that can be found in these address ranges and promptly start to encrypt them. One of the things I've noticed about Ryuk's multiple variants is that they often start to target the network shares first, so you're not going to know the effects on the host system, the one that is propagating the infection, until everything else is encrypted. So that is the system that's going to be encrypted last, and this is also something that prevents a lot of investigators from being able to quickly locate and isolate the source of the infection.

We've got various samples that we could be looking into on VirusTotal. I've gone through some graphs as well; some of these have automated execution parents and they drop a lot of files, so it's going to be interesting. We're going to run a recent sample and see how it affects our VM. So we've got a sample here. Before we run it I'm just going to start Process Explorer so we can observe it in action. Now we're good to go, so we'll execute the ransomware. Immediately it spawns a sub-process which is going to do, I believe, most of the encryption activity. It's not particularly difficult to notice if you're actively watching the system, but let's face it, that's not how these attacks happen. Within seconds the sub-process terminates, and by now, as we will see, our network location is probably already encrypted, even though we don't start to see things on the desktop until a few seconds later. So if we look at our network location, everything is already encrypted with the .ryuk extension. We've also got the Ryuk readme, and after some time we start seeing pop-ups like "your files are waiting to be burned to disc", and then we're going to see the readme on the desktop as well as our Documents and Pictures being encrypted.

Now for almost all variants of Ryuk you're not going to be able to recover your files unless you have existing backups, and that's because the encryption process is quite secure. There are no obvious flaws that can be broken into unless you have a partially working key or something of that sort, but without any help from the attackers it's often impossible to recover your data. Our pictures, as you can see, are encrypted as well. But again, the key thing to note here is it's going to attack the shared locations first. It's going to navigate the network, traverse through the range of IPs and then work its way backwards to the host system. In this case we just have one network drive, which was encrypted in a flash, but in the case of an actual organization it could take several hours, and that is why it's important to examine your network infrastructure and make sure your network drives are adequately protected, because it's not going to be easy to narrow down the system that's been compromised, the one that's actually executing the ransomware, if your network drives start getting encrypted. Now if you're thinking that our network locations are not necessarily always active, that's not going to save you, because Ryuk is going to read through the ARP table and send a Wake-on-LAN packet to each host. So if you see something like this in the network logs, act immediately.

It is also worth noting that Ryuk is one of the most persistent of ransomware. They're actually spread via many different methods, including Emotet, TrickBot, ZLoader and other such exploits. Emotet was recently shut down by enforcement agencies, but some of the other ones are still active. In a lot of cases the attacks are targeted and quite successful; I suspect this is one of the top-grossing ransomware in terms of the money brought in. We've had a lot of threats that come and go: they have their heyday and then they're shut down, or the ransomware authors just decide, well, we've had enough, we don't want to keep going at this game. But Ryuk is one of the most persistent threats. I believe most of the threat actors are based in Russia, and even after two years we're seeing new variants, we're seeing a lot of activity associated with this threat. This is partly why we design our test scenarios for testing AV products mostly modeling this kind of ransomware behavior, in terms of attacking shared locations, starting from the host and then encrypting files on other systems, because that's just a devastating model that Ryuk has used to full effect and other infamous ransomware do as well. By the way, if you're a business and you'd like to figure out how you would fare in the event of such an attack and test your own security systems, feel free to contact us at thepcsecuritychannel.com.

Now some variants of Ryuk will also avoid sandboxes: they will not run in an external environment, and that prevents a lot of the sandbox-based detection systems that are in place these days. For certain AVs, they will perform a lookup on the cloud; if the file is unknown they will run it in their own sandbox and use that data to quickly evaluate if it's malware or not. And if the malware just avoids their sandbox and doesn't perform anything malicious there, well, the AV is clueless and will let the file continue executing on your system, where it will perform the malicious behavior. This is also partly why I'm not super impressed with systems that rely entirely on the cloud, because at the end of the day the action happens on your system. It is on your system that the process is going to execute, it is on your system that the instructions will be loaded into the CPU registers, it is on your system that the files will get encrypted. So it's crucial to have defenses there that are not dependent on external systems necessarily.

But anyway, I hope you enjoyed this quick overview of Ryuk. It is a pretty infamous ransomware, and if you'd like to learn more about how you can prevent ransomware from encrypting your system, and what you can do if you are encrypted and are looking for options for decryption, we've made dedicated videos about that called "Dealing with Ransomware Attack" and "Decrypting Ransomware". Make sure you like and share the video if you found it useful. We're now one of the largest cyber security channels on YouTube and there's a lot of exciting content and announcements coming up, so join us. We also have a Discord link in the description in case you want to post video ideas, join the community or have any questions; I check that every day, so you can reach me there.

And now a word from our sponsors. Many of you may be familiar with the name Malwarebytes when it comes to anti-malware, but they have recently launched a brand new VPN service called Malwarebytes Privacy. I've been running and testing this for the last two weeks, and one of the most amazing things I've noticed is the speeds and consistency, especially on servers in the United States and Europe; in some cases I have noticed it to be faster than some of the mainstream VPN providers. And this is a VPN service that focuses on being a VPN: they don't offer any cyber security protection with it, which means no tracking at all, they don't store any logs, and the cyber security component is offered as an entirely separate browser extension. You can connect to servers in any country, and once you do so it's going to remember your choice and auto-connect you next time, so it's a full-featured VPN. They do have a combined offer where you can get it at a discount, so if you are already planning on getting Malwarebytes Anti-Malware or already use it, it might be a really good deal for you. So show them some love for sponsoring The PC Security Channel; check out Malwarebytes Privacy, the link will be on screen and in the description. Once again, thank you so much for watching, and as always: stay informed, stay secure.
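As an added example (not code from the video or from the channel), here is a small Python check a defender could run over captured UDP payloads to spot the Wake-on-LAN sweep the transcript describes: one host sending magic packets to many of its ARP neighbours in a burst. The packet records, IP addresses and the alert threshold are constructed for the example.

```python
"""Flag a host sending Wake-on-LAN magic packets to many neighbours.
Ryuk's worm variant (per the video above) reads the ARP table and sends a
WoL packet to each entry. A magic packet is six 0xFF bytes followed by the
target MAC repeated 16 times, usually as a UDP broadcast. Added example,
not the channel's code; packet records, IPs and the threshold are constructed.
"""
from collections import defaultdict
from typing import Dict, List, Optional, Set

MAGIC_SYNC = b"\xff" * 6


def wol_target_mac(payload: bytes) -> Optional[str]:
    """Return the MAC a magic packet would wake, or None if it is not one."""
    if len(payload) < 102 or not payload.startswith(MAGIC_SYNC):
        return None
    mac = payload[6:12]
    # The six-byte MAC must be repeated exactly 16 times after the sync stream.
    if payload[6:102] != mac * 16:
        return None
    return ":".join(f"{b:02x}" for b in mac)


def find_wol_sprayers(packets: List[dict], threshold: int = 3) -> Dict[str, Set[str]]:
    """Map each source IP that woke at least `threshold` distinct MACs to them.
    Each packet is a dict with 'src' (IP string) and 'payload' (UDP bytes).
    An admin waking one machine stays under the threshold; a host waking
    most of its ARP neighbours in a burst does not.
    """
    woken: Dict[str, Set[str]] = defaultdict(set)
    for pkt in packets:
        mac = wol_target_mac(pkt["payload"])
        if mac:
            woken[pkt["src"]].add(mac)
    return {src: macs for src, macs in woken.items() if len(macs) >= threshold}


def magic_packet(mac: str) -> bytes:
    """Build a standard magic packet for 'aa:bb:cc:dd:ee:ff' (test data only)."""
    return MAGIC_SYNC + bytes.fromhex(mac.replace(":", "")) * 16


# Constructed sample: 192.168.1.50 wakes four neighbours, 192.168.1.10 wakes one.
SAMPLE_PACKETS = [
    {"src": "192.168.1.50", "payload": magic_packet(f"00:11:22:33:44:0{i}")} for i in range(4)
] + [
    {"src": "192.168.1.10", "payload": magic_packet("00:11:22:33:44:99")},
    {"src": "192.168.1.50", "payload": MAGIC_SYNC + b"not a magic packet"},
]
```

In practice the `packets` list would be fed from a UDP capture (port 9 or 7 broadcasts) and the threshold tuned to how many machines an administrator legitimately wakes at once.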
Info
Channel: The PC Security Channel
Views: 30,079
Rating: 4.9373603 out of 5
Keywords: The PC Security Channel, TPSC, cybersecurity, cyber security, computer security, internet security, antivirus, anti malware, ransomware, trojan, virus, PUP, best antivirus, best internet security, learn cybersecurity, hacking, hack, security, technology, cyber insurance, cybersecurity degree, EDR, SIEM, best EDR, AI, Ryuk, Ryuk Ransomware, Ryuk worm, Ryuk virus, .ryuk, ryuk analysis, decrypt ryuk
Id: o7p0OdeDZUo
Length: 9min 19sec (559 seconds)
Published: Sat Mar 20 2021