REvil, Ryuk and Tycoon Ransomware: How They Work and How to Defend Against Them

5 years ago Tripwire Guest Authors

It is the Tuesday morning after a long weekend. You come into work early to get caught up on emails only to find you are completely locked out. You have been hit by a ransomware attack. You ask yourself, “What happened? And how do I fix it?”

This post will explore three of the most significant ransomware families of 2020: Tycoon, Ryuk and REvil. After discussing how these strains work, we’ll share some best practices that organizations can use to defend themselves against a ransomware infection.

Tycoon

Tycoon is compiled in the Java image format, ImageJ, and is deployed using a trojanized version of the Java Runtime Environment (JRE). This is an unusual delivery method that is rarely seen in ransomware. Tycoon typically gains its initial access through an insecure connection to an RDP server. Once inside the network, it disables anti-malware software so that it can remain undetected on the system until the attack is finished.

This crypto-malware strain has been around since December of 2019. Tycoon’s code is written to be used against both Windows and Linux systems and is used to target small- and medium-sized businesses (SMBs), primarily in the software and education industries. It is believed that Tycoon may be linked to Dharma (Crysis) due to similarities in the naming conventions and email addresses used.

According to TechRadar, Tycoon has a very limited number of victims because of its narrow targeting. In early versions of the Tycoon ransomware, some victims were able to recover their encrypted data by using an RSA key bought from other victims, because the ransomware reused some keys. This is no longer the case with more recent versions.

Ryuk

Ryuk works in two parts. The first is a dropper that places Ryuk malware onto a system. The second is an executable payload that carries out the encryption. Part of the executable payload’s code is to delete the dropper from the system so that it cannot be retrieved and analyzed.

Unlike most other ransomware, Ryuk does not have an extensive allow list to keep it from encrypting the system files that the operating system needs to keep running. Ryuk's allow list covers only files with the exe, dll and hrmlog extensions plus a few folders such as Windows, Microsoft and Chrome. The problem is that files with the sys extension are not on the list; if those files are encrypted, the system can become unstable and potentially crash.

The Ryuk ransomware has been around since August of 2018 and is operated by a Russian eCrime group who call themselves Wizard Spider. Wizard Spider's sole targets for Ryuk have been large organizations that are capable of paying high ransom fees. This has made Ryuk one of the most profitable ransomware families to date; according to ZDNet, the average ransom demand for Ryuk is estimated at around $290,000. Ryuk is not originally coded ransomware; instead, it is derived from the Hermes ransomware.

REvil

REvil, named after the Resident Evil franchise, is also known as Sodinokibi and is a Ransomware-as-a-Service (RaaS). It is distributed using several different methods including malicious spam emails, exploit kits and RDP vulnerabilities. This malware also adds a twist in its ransom note in that it tells the victim that if the ransom is not paid by the specified time, the demand will be doubled. The REvil gang even offers a “trial” decryption to prove to the victim that their files can be decrypted.

REvil was first identified in April of 2019 and is considered to be one of the most widespread ransomware families in 2020. Like many other crypto-malware families, REvil exfiltrates data and threatens to release it if the victim doesn’t pay the ransom in time.

A member of the group behind REvil, who goes by the name “Unknown,” has said that REvil is built upon an older codebase, most likely GandCrab. REvil is very configurable, allowing each user to modify the code to their end goal. According to Secureworks, malicious actors can use the ransomware to exploit CVE-2018-8453 to elevate privileges and exfiltrate host information.

Preventing a Ransomware Attack

Anyone looking to keep their network secure needs to make sure that they KNOW their network. Knowing the network means having an inventory of every connected device and system as well as how the traffic flows between them. On top of that, the network needs to be constantly monitored, which can be made easier by utilizing Security Information and Event Management (SIEM) tools. Monitoring the network allows abnormalities to be discovered much more quickly, and it saves precious time during an incident to react and remediate the situation. It is also strongly recommended to make traversing the network difficult for attackers in order to prevent the spread of any malware that may have found its way into your network.
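The monitoring recommended above is most useful when it watches the entry points these families actually use: the insecure RDP exposure described for Tycoon and REvil normally leaves a burst of failed logons before the first success. The Python below is an added example, not code from the article or from Tripwire; it reads a constructed, flattened export of Windows Security events (the column layout is assumed, not any particular SIEM's), flags sources whose failed RDP logons exceed a threshold within a sliding window, and records the first successful RDP logon that follows from the same source.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = 4625     # Windows Security: "An account failed to log on"
SUCCESS_LOGON = 4624    # Windows Security: "An account was successfully logged on"
RDP_LOGON_TYPE = 10     # LogonType 10 = RemoteInteractive, i.e. RDP

# Constructed sample in an assumed flattened SIEM-export layout:
# timestamp,event_id,logon_type,source_ip,target_user
SAMPLE_LOG = """\
2020-09-01T02:00:01,4625,10,203.0.113.7,administrator
2020-09-01T02:00:09,4625,10,203.0.113.7,admin
2020-09-01T02:00:17,4625,10,203.0.113.7,backup
2020-09-01T02:00:25,4625,10,203.0.113.7,jsmith
2020-09-01T02:00:33,4625,10,203.0.113.7,jsmith
2020-09-01T02:00:41,4625,10,203.0.113.7,jsmith
2020-09-01T02:00:49,4624,10,203.0.113.7,jsmith
2020-09-01T08:15:00,4625,10,198.51.100.4,asmith
2020-09-01T08:15:40,4624,10,198.51.100.4,asmith
2020-09-01T08:16:00,4625,3,203.0.113.9,svc_web
"""

def parse_events(text):
    """Parse the export into (timestamp, event_id, logon_type, src_ip, user) tuples."""
    events = []
    for line in filter(None, text.splitlines()):
        ts, eid, ltype, ip, user = line.split(",")
        events.append((datetime.fromisoformat(ts), int(eid), int(ltype), ip, user))
    return events

def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Alert on sources with >= threshold failed RDP logons inside one sliding window, and
    record the first RDP success from that source afterwards (a likely compromised account)."""
    recent = defaultdict(deque)  # src_ip -> failure timestamps still inside the window
    alerts = {}
    for ts, eid, ltype, ip, user in sorted(events):
        if ltype != RDP_LOGON_TYPE:  # network/service logons are out of scope here
            continue
        if eid == FAILED_LOGON:
            q = recent[ip]
            q.append(ts)
            while ts - q[0] > window:  # age out failures older than the window
                q.popleft()
            if ip in alerts:
                alerts[ip]["failures"] += 1
            elif len(q) >= threshold:
                alerts[ip] = {"first_failure": q[0], "failures": len(q), "success": None}
        elif eid == SUCCESS_LOGON and ip in alerts and alerts[ip]["success"] is None:
            alerts[ip]["success"] = (ts, user)
    return alerts
```

In the sample, 203.0.113.7 crosses the threshold on its fifth failure and then logs on as jsmith, which is the account a responder should treat as compromised; the single failure from 198.51.100.4 stays below the threshold.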

Organizations also need to consider vulnerability management. Patches and updates to software and devices are created to fix any vulnerabilities that were discovered in those software and devices. One of the first things attackers look for is vulnerable systems, so if updates are neglected, it provides the attackers with an avenue to use those known vulnerabilities to gain access to your systems and carry out their malicious deeds.

You need to accept at some point that malware will find a way into the network or systems. It is not a matter of if but when. Keeping this fact in mind, it is important to create a response plan for when malware is found in the system or network so that when it happens, the response can be quick and efficient to limit the exposure and damage. Along with having a response plan, it is important to test the plan periodically so that all staff know what to do during an incident and to identify any updates to the plan that may be needed. Part of this plan should be to have up-to-date backups of the system and data so that in the case of a ransomware attack, there is little to no data loss, as it can be restored from the backups.

Organizations can’t stop there. They also need to remember the importance of managing their secure configurations, blocking phishing attacks and other email-based operations, and controlling the use of administrative privileges.


About the Author: Brett McFadden is a new entrant to the world of cyber security. With advanced diplomas in both Cyber Security (Fanshawe College) and Television Broadcasting (Mohawk College), he brings a unique insight to a world where streaming accounts for one fifth of all television viewing. Brett is currently a Cyber Security Analyst with Western University in London, Ontario and worked previously as a Cyber Security Analyst with Linamar Corporation and as a Business System Analyst with TD Bank’s Cloud Security and Data Protection team. Brett has spent time running internal mock phishing campaigns and ensuring that cloud migrations were compliant with industry standards. In his free time, Brett is an avid Twitch streamer and works toward his career goal of red teaming for either a large corporation or a penetration testing company.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.

The post “REvil, Ryuk and Tycoon Ransomware: How They Work and How to Defend Against Them” appeared first on TripWire.

Source: TripWire – Tripwire Guest Authors
