RYUK Ransomware - A First Hand Account

I've previously blogged about cryptoware and what you can do to protect your IT assets. Today I blog about a first hand account with the nastiest cryptoware of them all called RYUK. The perpetrators behind RYUK are active adversaries who combine advanced attack techniques with interactive, hands-on hacking to increase their rate of success. To date they've netted over 4 million US dollars.

Below is a first hand account of cryptoware in action. The story begins when our helpdesk received a call after-hours from the IT manager of an ASX listed organisation in the healthcare sector. The company shall remain anonymous.

They'd just suffered a power outage, so we didn't suspect anything malicious. As we rule out hardware issues and the like, further investigation revealed that all the physical/virtual servers had been cryptolocked. 20 servers all up. 100 workstations were also cryptolocked. Basically, everything is offline and the entire company cannot operate.

Exigence: OK, lets restore the servers from backups. You have backups, don't you?

Victim: Yes, backups are stored on a NAS device.

We log onto the NAS. Oh no! There's no backups on the NAS. They've all been deleted. Not encrypted but deleted!

With RYUK, the cyber-criminals purposely remove your safety net, disabling all your recovery mechanisms. This was not some automated attack. Someone manually hacked the servers, gained full domain administrative privileges, audited the entire IT Infrastructure to discover what backup systems were in place and purposely deleted them.

Exigence: You have off-site backups, don't you?

Victim: Yes, of course. Our backups are replicated to the cloud with controls on retention.

We log onto the cloud platform. Oh no! The backups in the cloud are 6 months old. Replication hasn't been working. That's an issue for another day. However, things are looking very bleak! It looks like 6 months worth of data is gone forever.

After some further investigation, we discovered their SAN also had a copy of the backups. The cyber-criminals missed it. Phew! More luck than brains. We all thank our lucky stars that we've been thrown a life-line.

Before we commence restoring backups, we disconnect every workstation from the network to prevent reinfections. We lock down the firewall so servers cannot access the Internet. Then we start the slow and arduous process of restoring server backups one-by-one. We decide to restore from a backup 3 days before the infection took place.

We've been on the job for 4 days now, and we've restored most of the servers. Unfortunately, the backups on one of the servers wasn't operational, so they've lost 6 months of data on that one. They don't have a DR system, so it all a slow, manual and arduous task. Nobody can work yet because they haven't got any clean workstations to work on. That's a separate task for next week. The productivity losses from 100 staff who can't work is immense.

We've still got more work to do on the servers. We need to forensically analyse the restored servers to ensure there's no malware still lurking in the background, ready to reinfect them. And we still need to wipe and rebuild the entire fleet of workstations.

What lessons can we learn from all this?

Firstly, this organisation did not have adequate security systems in place. The infection could have most likely been prevented in the first place.

Secondly, backups are the remediation tool of last resort. Make sure you have working off-site backups with an air-gap between that and your network.

Thirdly, invest in a good disaster recovery (DR) system. Having backups is all well and good, but if it takes you a week to get back up and running, the amount of lost productivity is immense.

Disclosure: This organisation does not have an Exigence Managed Services and/or Managed Security Services contract.