Since mid-August, the recent Ryuk ransomware has netted a tidy sum for its authors and shown that simply having AV and backup solutions on board may not be enough.
Linked to the notorious APT Lazarus group and the earlier HERMES ransomware variant, Ryuk’s bitcoin wallets have already accumulated over $640,000 in bitcoin, indicating just how successful the operators' strategy has been so far. The particular sample we tested is responsible for 50.41 BTC ($316,265 as of today).
What we found particularly interesting was Ryuk’s attempts to disable legacy AV products and to delete Windows VSS shadow copies before the ransomware started its encryption procedure.
By default, Windows makes up to 64 shadow copy backups of volumes and files, enabling users to recover data from snapshots at different points in time in the event of data loss or overwrite.
Ryuk, however, begins by deleting those snapshots and resizing the shadow storage, leaving no chance of recovery from them:
Not content with ensuring that the built-in backups are unavailable, Ryuk also disables several 3rd-party backup services, including Acronis, SQLSafe, VEEAM, and Zoolz.
Ryuk also attempts to stop processes belonging to some legacy AV protection software, among them Sophos and Symantec System Recovery processes.
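The snapshot deletion, storage resizing and backup/AV service stops described above all run as ordinary command lines, which makes them visible in process-creation telemetry. The following is an added detection example, not code from the original post or from SentinelOne: it classifies process-creation events by command line and then correlates hits per parent process, the way a behavioural engine or a SOC threat hunt would tie the children of one batch file together. The event format, the parent/child PIDs, the batch file name and the service and process names are constructed for the example; `vssadmin`, `wmic`, `net stop`, `sc` and `taskkill` are real Windows tools, and the vendor keywords are the ones the post names.

```python
import re
from collections import defaultdict

# Vendors the post says Ryuk targets: backup products (Acronis, SQLSafe, VEEAM,
# Zoolz) and legacy AV / recovery products (Sophos, Symantec). Matched case-insensitively.
TARGETED_VENDORS = ("acronis", "sqlsafe", "veeam", "zoolz", "sophos", "symantec")

# Detection rules over the process command line: (tag, compiled regex).
RULES = [
    # Deleting VSS snapshots with built-in Windows tools.
    ("vss_delete", re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    ("vss_delete", re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    # Shrinking the shadow storage area forces Windows to discard existing snapshots.
    ("vss_resize", re.compile(r"\bvssadmin(?:\.exe)?\s+resize\s+shadowstorage\b", re.I)),
    # Service stops and process kills are only interesting when aimed at a backup/AV product.
    ("service_stop", re.compile(r"\bnet(?:1)?(?:\.exe)?\s+stop\s+", re.I)),
    ("service_stop", re.compile(r"\bsc(?:\.exe)?\s+(?:stop|config)\s+", re.I)),
    ("process_kill", re.compile(r"\btaskkill(?:\.exe)?\b", re.I)),
]


def classify(cmdline):
    """Return the set of tags that fire on a single command line."""
    tags = set()
    lowered = cmdline.lower()
    for tag, rx in RULES:
        if not rx.search(cmdline):
            continue
        if tag in ("service_stop", "process_kill"):
            # A plain 'net stop Spooler' is routine admin work; require a targeted vendor.
            if any(vendor in lowered for vendor in TARGETED_VENDORS):
                tags.add("backup_av_" + tag)
        else:
            tags.add(tag)
    return tags


def hunt(events):
    """Correlate hits per parent process (the 'group' of children spawned by one
    batch file or dropper). Returns {ppid: {"tags", "verdict", "events"}} for every
    parent that produced at least one hit."""
    by_parent = defaultdict(list)
    for event in events:
        by_parent[event["ppid"]].append(event)

    findings = {}
    for ppid, children in by_parent.items():
        tags, hits = set(), []
        for event in children:
            hit_tags = classify(event["cmdline"])
            if hit_tags:
                tags |= hit_tags
                hits.append(event)
        if not tags:
            continue
        vss = any(t.startswith("vss_") for t in tags)
        backup_av = any(t.startswith("backup_av_") for t in tags)
        if vss and backup_av:
            verdict = "ransomware_preparation"   # both recovery paths being removed
        elif vss:
            verdict = "shadow_copy_tampering"
        else:
            verdict = "backup_av_tampering"
        findings[ppid] = {"tags": tags, "verdict": verdict, "events": hits}
    return findings


# Constructed process-creation events (pid, ppid, image, cmdline). PID 4120 models a
# cmd.exe running a dropped batch file; 900 is an admin doing routine work; 2000 is a
# backup administrator pruning one snapshot, which is suspicious but not conclusive.
EVENTS = [
    {"pid": 4120, "ppid": 4100, "image": "cmd.exe", "cmdline": "cmd.exe /c example.bat"},
    {"pid": 4131, "ppid": 4120, "image": "vssadmin.exe", "cmdline": "vssadmin.exe Delete Shadows /all /quiet"},
    {"pid": 4135, "ppid": 4120, "image": "vssadmin.exe", "cmdline": "vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB"},
    {"pid": 4140, "ppid": 4120, "image": "net.exe", "cmdline": 'net stop "Acronis VSS Provider" /y'},
    {"pid": 4143, "ppid": 4120, "image": "net.exe", "cmdline": 'net stop "Veeam Backup Catalog Data Service" /y'},
    {"pid": 4150, "ppid": 4120, "image": "taskkill.exe", "cmdline": "taskkill /F /IM SophosAgent.exe"},
    {"pid": 910, "ppid": 900, "image": "net.exe", "cmdline": "net stop Spooler"},
    {"pid": 915, "ppid": 900, "image": "vssadmin.exe", "cmdline": "vssadmin list shadows"},
    {"pid": 2010, "ppid": 2000, "image": "vssadmin.exe", "cmdline": "vssadmin Delete Shadows /For=D: /Oldest"},
]

if __name__ == "__main__":
    for ppid, finding in hunt(EVENTS).items():
        print(f"parent {ppid}: {finding['verdict']} tags={sorted(finding['tags'])}")
        for event in finding["events"]:
            print(f"    pid {event['pid']}: {event['cmdline']}")
```

Grouping by parent is what separates a real incident from noise: a lone `net stop` or a single snapshot deletion by an administrator gets a low-confidence verdict, while one parent that both removes shadow copies and stops backup or AV services is flagged as ransomware preparation. In production the same logic would run over Sysmon Event ID 1 or EDR process events, and the parent-tree walk would extend upward to the dropper that launched the batch file.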
As can be seen in the demonstration video below, Sophos comes in for particular attention, as this view from the SentinelOne Management Console shows:
Ryuk’s attempts would be ineffective against the SentinelOne agent, as it has several detection layers and anti-tampering protections.
- Pre-execution – as seen in the video below, once the malware is copied to disk, it is detected. In a real-life scenario, this occurs as the threat is quarantined, ensuring the user never has a chance to execute it.
- On execution – this is where the behavioral AI comes into play. As seen in the video, the Ryuk sample is spawning multiple processes, using a batch file to complete its operation. The behavioral AI is capable of connecting all the dots and creating what we call a “group”.
- This leads to the third layer that makes a difference, Deep Visibility. The group contains all the files, processes, registry entries (a registry auto-run key created in this case), and other IOCs related to this malware. Even if the device were set to a Detect-only policy, a SOC analyst would be able to perform a threat hunt operation that would reveal all items related to this threat, as shown in the example below:
- Anti-tampering – the SentinelOne agent protects its services, processes, registry entries and other components by default. It also protects all VSS shadow copies, so users can quickly roll back and recover their files.
Ryuk’s behaviour underlines the importance of a security solution like SentinelOne that provides defense in depth and is immune to tampering. It should never be possible to disable or cripple reliable endpoint protection.