GRIM SPIDER is a sophisticated eCrime group that has been operating the Ryuk ransomware since August 2018, targeting large organizations for a high-ransom return. This methodology, known as “big game hunting,” signals a shift in operations for WIZARD SPIDER, a criminal enterprise of which GRIM SPIDER appears to be a cell. The WIZARD SPIDER threat group, known as the Russia-based operator of the TrickBot banking malware, had focused primarily on wire fraud in the past. Similar to Samas and BitPaymer, Ryuk is specifically used to target enterprise environments. Code comparison between versions of Ryuk and Hermes ransomware indicates that Ryuk was derived from the Hermes source code and has been under steady development since its release. Hermes is commodity ransomware that has been observed for sale on forums and used by multiple threat actors. Ryuk, however, is used only by GRIM SPIDER and, unlike Hermes, has only been used to target enterprise environments. Since Ryuk’s appearance in August, the threat actors operating it have netted over 705.80 BTC across 52 transactions, for a total current value of $3,701,893.98 USD. GRIM SPIDER is reportedly associated with LUNAR SPIDER and WIZARD SPIDER.
How Ryuk is distributed
The first incident saw attackers using TrickBot, which is leveraged for lateral movement via the Eternal Blue vulnerability as well as through harvested credentials, to deploy Ryuk.
MikroTik routers were most likely chosen because of the ready availability of exploits targeting these specific models — threat actors can easily compromise an unpatched MikroTik router and turn it into a C&C server. In addition, it can also be used to blend into an organization's network. The versions of MikroTik routers that were identified also suggest that the attacker may have used the RCE (Remote Code Execution) vulnerabilities CVE-2018-1156 and CVE-2018-14847, with the latter being the same vulnerability used for a cryptojacking campaign in August 2018.
The infection chain begins with a malicious spam mail containing a downloader for TrickBot, which, once downloaded, propagates within the network via two methods: the first is the SMB exploit EternalBlue; the second uses harvested credentials combined with several modules. TrickBot then communicates with a compromised internet-facing MikroTik router, which acts as the C&C server, to send and receive instructions for the infected machine.
TrickBot is leveraged for lateral movement and to infect as many machines as possible. It then deploys Ryuk at a randomly determined time.
| Tasks | Module |
|---|---|
| Gather information from the infected user’s system | |
| Infect more machines within the system | wormdll32 |
| Steal credentials and intercept connections to certain banking sites | |
| PowerShell Empire module for reverse shell | NewBCtestnDll64 |
The two most notable modules in the list are wormdll32 and NewBCtestnDll64. The first, wormdll32, is the module used to perform lateral movement via the Eternal Blue vulnerability. The other, NewBCtestnDll64, spawns a PowerShell script that downloads PowerShell Empire, which establishes a reverse shell and acts as a backdoor on the infected machine. The script that downloads and executes PowerShell Empire is shown in the image below:
Empire PowerShell provides increased flexibility for threat actors to launch their attacks since it provides a wide array of modules that can be used for privilege escalation, lateral movement, persistence, and reconnaissance, among others.
The TrickBot module’s config files also revealed the compromised MikroTik router IP addresses — discovered via MDR sensors — which the infected machine communicated with.
Case 2: Organizational security breach used to deploy Ryuk
The second example involves an attacker deploying Ryuk inside the network by gaining administrator access. In this scenario, an attacker who possesses stolen administrative credentials would be able to perform the following:
- Disable security software.
- Transfer the dropper into the system.
- Load the Ryuk ransomware to encrypt multiple servers.
This form requires that the attacker has already penetrated the internal network and is able to move freely within it. The service accounts used by software distribution tools, which have administrator access on all the workstations and servers in the domain, are additional targets. In the incident that we handled, the threat actor extensively used PowerShell to move laterally to their targets, as seen in the image below:
The screenshot below shows the code used by the threat actor to transfer a kill.bat. In this case, the account that was used to distribute kill.bat was the service account associated with Microsoft System Center Operations Manager — which had elevated privileges for all hosts within the network.
Once the kill.bat was copied and executed, it used several methods to disable any security software (seen in the image below), after which the Ryuk ransomware file was copied.
Aside from executing the built-in Windows utility taskkill to terminate security software, it tries other methods to stop the same set of services. In the incident that we handled, the threat actor also used the built-in Windows utility net stop and, for good measure, disabled the services via the built-in Windows method of using sc config.
Once executed, svchost.exe dropped Ryuk into the system, encrypting servers and workstations. However, the attacker did not encrypt all domain controllers as only three of the organization’s five domain controllers were found to be encrypted.
It would also be worthwhile to note that the threat actor also used the command-line methodology of copying files via UNC path and psexec.
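An added detection example, not code from the original post or from Trend Micro: it runs over constructed process-creation events (Sysmon Event ID 1 style) and flags the pattern described above, where one parent process applies two or more of taskkill, net stop and sc config start= disabled, plus the staging of a .bat over a UNC admin share and psexec; the host, process and service names are placeholders, not those from the incident.

```python
import re
from collections import defaultdict

# Constructed sample events; names are placeholders, not real incident data.
EVENTS = [
    {"host": "WS01", "parent": "cmd.exe", "cmd": r"taskkill /f /im exampleav.exe"},
    {"host": "WS01", "parent": "cmd.exe", "cmd": r"net stop ExampleAVSvc /y"},
    {"host": "WS01", "parent": "cmd.exe", "cmd": r"sc config ExampleAVSvc start= disabled"},
    {"host": "WS01", "parent": "cmd.exe", "cmd": r"copy kill.bat \\WS02\c$\Windows\Temp\kill.bat"},
    {"host": "WS01", "parent": "cmd.exe", "cmd": r"psexec \\WS02 -s cmd /c C:\Windows\Temp\kill.bat"},
    {"host": "WS03", "parent": "services.exe", "cmd": r"net stop Spooler"},  # routine admin action
]

# The three service-stopping methods seen in kill.bat; each captures the target name.
METHODS = {
    "taskkill": re.compile(r"^taskkill\b.*\s/im\s+(\S+)", re.I),
    "net_stop": re.compile(r'^net\s+stop\s+"?([^"\s]+)', re.I),
    "sc_disable": re.compile(r'^sc\s+config\s+"?([^"\s]+)"?\s+start=\s*disabled', re.I),
}

# Remote staging: copying onto an admin share via a UNC path, or launching psexec.
STAGING = [
    ("unc_copy", re.compile(r"^(copy|xcopy|robocopy)\b.*\\\\[^\\\s]+\\[a-z]\$", re.I)),
    ("psexec", re.compile(r"^psexec\b", re.I)),
]


def analyze(events):
    """Return findings: staging commands and per-parent multi-method service kills."""
    by_origin = defaultdict(lambda: defaultdict(set))  # (host, parent) -> method -> targets
    findings = []
    for ev in events:
        cmd = ev["cmd"].strip()
        for name, rx in METHODS.items():
            m = rx.match(cmd)
            if m:
                by_origin[(ev["host"], ev["parent"])][name].add(m.group(1).lower())
        for name, rx in STAGING:
            if rx.match(cmd):
                findings.append({"host": ev["host"], "rule": name, "cmd": cmd})
    # A single "net stop" is normal admin work; the same parent using >= 2 methods is not.
    for (host, parent), methods in by_origin.items():
        if len(methods) >= 2:
            findings.append({"host": host, "rule": "service_kill_pattern", "parent": parent,
                             "methods": sorted(methods),
                             "targets": sorted(set().union(*methods.values()))})
    return findings


if __name__ == "__main__":
    for finding in analyze(EVENTS):
        print(finding)
```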
How Managed Detection and Response (MDR) can help fight against Ryuk
We discussed here two different cases for Ryuk and how each presents different challenges for administrators and security personnel.
In the first case, as with the majority of spam attacks, the struggle lies not only in identifying what is malicious but also in the volume of data that an organization needs to process each day. Looking for outliers in an ocean of data can be very difficult, especially for personnel who have neither the knowledge nor the experience to properly identify red flags. It requires skills and resources to decide which among the plethora of alerts are merely “grey alerts” and which are actually malicious in nature. In addition, IT and security personnel may be untrained or lack the experience to correlate disparate elements and accurately determine the nature of the threat at hand.
As for the second case, it shows how organizations facing an internal breach by someone who had access to critical parts of the network would have difficulty detecting and addressing the attack within a short timeframe. The need for a prompt response is especially critical since evidence points to what might be part of a larger targeted campaign.
In both cases, the Trend Micro MDR and IR teams were able to quickly identify the compromised machines as well as the chain of attack. MDR gathers data from various sources, such as endpoints, networks, and servers, to determine the source, distribution, and spread of an attack — therefore creating a clearer picture of what an organization is dealing with. For instance, in the first case, the team used Shodan, a search engine for IoT devices, to determine that external IP addresses communicating with numerous machines were actually public-facing MikroTik routers. The communications seem normal or insignificant at first, making them easy to overlook for untrained personnel.
In addition to being well-versed in internal and external threat intelligence resources, the MDR team has experience in using advanced security solutions from the Trend Micro suite. One of these is the Trend Micro™ Deep Discovery™ solution, which can be used to prevent an attacker’s internal access by identifying a compromised system and shutting it down. Another is the Deep Discovery Inspector, which allows for the detection of a threat's lateral movement within the organization, as in the second Ryuk example, where lateral movement from the unencrypted domain controller to the MSP’s server was found.
Trend Micro Solutions
The list of rule names that can be triggered for Eternal Blue (SMB Exploit) is as follows:
Deep Discovery Inspector rule names:
- Rule 2435 – MS17-010 – Metasploit – SMB (Request)
- Rule 2435 – MS17-010 – Remote Code Execution – SMB (Request)
- Rule 2528 – MS17-010 – Remote Code Execution – SMB (Request) – Variant 2
Deep Security™ IPS rule name:
- Microsoft Windows SMB Remote Code Execution Vulnerability (MS17-010)
These are the rules and detections for TrickBot and Ryuk:
- Rule 2413 – TRICKBOT – HTTP (Request)
- Rule 1628 – DYREZA – HTTP (Request) – Variant 2
- Possible_TrickBot-Cfg
- TSPY_TRICKBOT.SMB
- TrojanSpy.Win32.TRICKBOT.AE
- Ransom_RYUK.THHBAAI
It is worthwhile to note that the Deep Discovery Inspector rules mentioned above are strong indicators of compromise. There are, however, other informational rules and detections that support these high confidence rules. For brevity, we only mention the medium/high confidence rules.