Virus

W64/Ryuk.223E!tr.ransom

Analysis

W64/Ryuk.223E!tr.ransom is a generic detection for the Ryuk ransomware trojan. Since this is a generic detection, the samples it covers may vary in behaviour.
Below are some of its observed characteristics/behaviours:

  • This malware may drop any of the following file(s):
    • %SystemDrive%\Users\Public\sys : This file is a non-malicious data file.
    • %SystemDrive%\Users\Public\public : This file contains the RSA public key used for encryption.
    • %SystemDrive%\Users\Public\unique_id_do_not_remove : This file contains the hardcoded key used for encryption.
    • %SystemDrive%\Users\Public\window.bat : This batch file deletes the Volume Shadow Copies and other backup files so that the user cannot restore from them.
    • ryukreadme.txt/RyukReadMe.txt : This text file is dropped in every folder the malware encrypts and serves as the ransom note.
  • This ransomware either renames encrypted files using the format {original name.ext}.RYK or leaves the names and extensions of the encrypted files unchanged, so the absence of a .RYK extension does not mean a file is intact.
  • This ransomware attempts to inject its code into the address space of all other processes except explorer.exe, csrss.exe and lsaas.exe (the last spelled that way in the malware's own exclusion list).
  • Victims of this ransomware are instructed to contact the attacker at one of the following addresses:
    • JohnFraz@protonmail.com
    • JohnFraz@tutanota.com
    • ibfosontsing@protonmail.com
    • ibfosontsing@tutanota.com
    • kbkj@tutanota.com
    • kjhkj@protonmail.com
    • AlanParkerre33@tutanota.com
    • AlanParkerre33@protonmail.com
    • fabonmissreal1971@protonamail.com
    • AlconFetcher@tutanota.com
    • FionaBates90@protonmail.com
    • FionaBates90@tutanota.com
    • DejackomeAjna@protonmail.com
    • ElmersVictoria@tutanota.com
  • This malware was also observed encrypting files on shared drives within the same subnet.
  • This malware may apply the following registry modification:
    • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
      • Svchos = %currentfile%
      This makes the malware run every time the infected user logs on to the system.
  • This ransomware terminates processes belonging to antivirus, database, document-editing and backup software so that their files can be encrypted.
  • The attacker runs command-line scripts to perform the following task:
    • Gain persistence by adding the malware to the autorun registry entry.
  • Below are illustrations of the malware's ransom notes:
    • Figure 1: Ransom Notes.
    • Figure 2: Ransom Notes variation.
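The indicators listed above (the dropped files under %SystemDrive%\Users\Public, the .RYK extension, the ransom note name, the Svchos Run value and the shadow-copy deletion in window.bat) can be turned into a small host-triage check. The following is an added example written for this page, not Fortinet tooling: the indicator strings come from the write-up, while the inventory records (file paths, Run-key values, batch-file contents) are constructed samples, and the specific shadow-copy commands matched (vssadmin, wmic, wbadmin) are an assumption, since the page only says the batch file deletes shadow copies and backups.

```python
"""Ryuk indicator triage over a host inventory (added example, not Fortinet tooling).

Indicator strings come from the W64/Ryuk.223E!tr.ransom write-up; the sample
inventory below is constructed and is not from a real infection.
"""
from __future__ import annotations

import re

# File names the write-up lists as dropped into %SystemDrive%\Users\Public.
PUBLIC_DROP_NAMES = {"sys", "public", "unique_id_do_not_remove", "window.bat"}
# Ransom note: the page shows both ryukreadme.txt and RyukReadMe.txt, so compare lower-cased.
RANSOM_NOTE_NAME = "ryukreadme.txt"
ENCRYPTED_EXT = ".ryk"
RUN_VALUE_NAME = "svchos"  # HKCU\...\CurrentVersion\Run value name, compared lower-cased

# Assumption: the page only says window.bat deletes shadow copies and backups;
# these are the commands that are commonly used for that.
SHADOW_DELETE_RE = re.compile(
    r"vssadmin(?:\.exe)?\s+delete\s+shadows"
    r"|wmic(?:\.exe)?\s+shadowcopy\s+delete"
    r"|wbadmin(?:\.exe)?\s+delete\s+catalog",
    re.IGNORECASE,
)


def _parts(path: str) -> list[str]:
    """Split a Windows path into lower-cased components, accepting / or \\ separators."""
    return path.replace("/", "\\").lower().split("\\")


def check_file_path(path: str) -> list[str]:
    """Return the Ryuk indicators a single file path matches (may be several)."""
    parts = _parts(path)
    name = parts[-1]
    hits: list[str] = []
    # Match \Users\Public\<name> regardless of drive letter or mount point.
    if len(parts) >= 3 and parts[-3:-1] == ["users", "public"] and name in PUBLIC_DROP_NAMES:
        hits.append(f"dropped file: {path}")
    if name == RANSOM_NOTE_NAME:
        hits.append(f"ransom note: {path}")
    # Note: Ryuk may leave names and extensions unchanged, so a missing .RYK
    # extension is not evidence that a file is intact; the ransom note is the
    # more reliable per-folder signal.
    if name.endswith(ENCRYPTED_EXT):
        hits.append(f"encrypted file: {path}")
    return hits


def check_run_entries(entries: dict[str, str]) -> list[str]:
    """Flag the Svchos autorun value described in the write-up."""
    return [f"Run persistence: {k} = {v}" for k, v in entries.items() if k.lower() == RUN_VALUE_NAME]


def check_bat_contents(text: str) -> list[str]:
    """Flag shadow-copy / backup-catalog deletion commands inside a batch file."""
    return [f"shadow/backup deletion: {m.group(0)}" for m in SHADOW_DELETE_RE.finditer(text)]


def triage(files: list[str], run_entries: dict[str, str], bat_text: str) -> list[str]:
    """Run all checks and return the combined list of findings."""
    findings: list[str] = []
    for f in files:
        findings.extend(check_file_path(f))
    findings.extend(check_run_entries(run_entries))
    findings.extend(check_bat_contents(bat_text))
    return findings


# Constructed sample inventory (not from a real host).
SAMPLE_FILES = [
    r"C:\Users\Public\sys",
    r"C:\Users\Public\public",
    r"C:\Users\Public\unique_id_do_not_remove",
    r"C:\Users\Public\window.bat",
    r"C:\Users\alice\Documents\report.docx.RYK",
    r"C:\Users\alice\Documents\RyukReadMe.txt",
    r"C:\Users\alice\Documents\budget.xlsx",  # name unchanged, may still be encrypted
    r"C:\Windows\System32\svchost.exe",
]
SAMPLE_RUN = {
    "Svchos": r"C:\Users\Public\dropper.exe",  # constructed %currentfile% value
    "OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
}
SAMPLE_BAT = (
    "vssadmin.exe Delete Shadows /all /quiet\r\n"
    "wmic shadowcopy delete\r\n"
    "del /s /f /q c:\\*.VHD c:\\*.bac c:\\*.bak\r\n"
)

if __name__ == "__main__":
    for finding in triage(SAMPLE_FILES, SAMPLE_RUN, SAMPLE_BAT):
        print(finding)
```

Running the block prints nine findings for the constructed inventory: four dropped files, one .RYK file, one ransom note, the Svchos Run value and two shadow-copy deletion commands. budget.xlsx is deliberately not flagged, which is the point of the caveat in `check_file_path`: when this variant keeps original names, file-extension matching alone under-counts the damage.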

Recommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.