Big game hunting: How Ryuk ransomware takes down its imposing targets

Max Heinemeyer, Director of Threat Hunting | Wednesday October 2, 2019

In recent years, cyber-criminals have increasingly directed their efforts toward sophisticated, long-haul attacks against major companies — a tactic known as “big game hunting.” Unlike standardized phishing campaigns that aim to deliver malware en masse, big game hunting involves exploiting the particular vulnerabilities of a single, high-value target. Catching such attacks requires AI-powered tools that learn what’s normal for each unique user and device, thereby shining a light on the subtle signs of unusual activity that they introduce.

In the threat detailed below, cyber-criminals targeted a major firm with Ryuk ransomware, which Darktrace observed during a trial deployment period. Leveraged very often in the final stage of such tailored attacks, Ryuk encrypts only crucial assets in each targeted environment that the attackers have handpicked. Here’s how this particular incident unfolded, as well as how AI Autonomous Response technology, if in active mode, would have contained the threat in seconds:

Incident overview

Figure 1: Clustering of alerts during intrusion (top right)

Rooted in its evolving understanding of ‘self’ for the targeted firm, Darktrace AI flagged myriad instances of anomalous behavior over the course of the incident — each represented by a dot in the visualization above. The anomalous activity is organized vertically according to how unusual each behavior was in comparison to “normal” for the users and devices involved. The colored dots represent particularly high-confidence detections, which should have prompted immediate investigation by the security team.

Compromised admin keys

The first sign of attack was the highly unusual use of an administrator account not previously seen on the network, suggesting that the attackers had gained access to the account outside the limited scope of the Darktrace trial before moving laterally to the monitored environments. Had Darktrace been deployed across the digital infrastructure, the initial hijacking of the account would have been obvious right away. Nevertheless, Darktrace alerted on the anomalous admin session repeatedly and in real time, as shown below:

Figure 2: Strong detections of compromised admin credential

This behavior is typical of big game hunting. Rather than firing their payload straight away upon accessing the network, the attackers engaged in a longer-term compromise to attain the best position for a crippling attack.

Infiltration via TrickBot

Darktrace then detected the infamous TrickBot banking trojan being downloaded onto the network. While the attacker already had access via the compromised admin credentials, Trickbot was used as a loader for further malicious files and as an additional command & control (C&C) channel. Among the most common post-exploitation steps were:

Figure 3: Detection of later-stage Trickbot download

Command & Control communication

Once the Trickbot infection had begun, Darktrace observed C&C communication back to the attackers. And whereas many devices exhibited anomalous behavior, Darktrace pinpointed one such device at the nexus of the infection. The below image illustrates the plethora of suspicious connections detected on this single device:

Figure 4: Every coloured dot represents a Darktrace detection — very obvious chains of malicious activity is seen above

Using TLS Fingerprinting — also called JA3, the subject of a previous blog post — Darktrace detected a new piece of software making encrypted connections from this device to multiple unusual destinations, a behavior known as beaconing.

Figure 5: The communication in this graph is filtered down to unusual TLS connections — clearly showing a spike in communication during the compromise

Ransomware encryption commences

Following the establishment of the connection with the C&C infrastructure, the Ryuk ransomware was finally deployed. During this “noisy” period with many suspicious SMB activities, Darktrace even more clearly indicated the seriousness and extent of the attack:

Figure 6: A sample of different, non-signature dependant Ransomware detections that fired

In just 12 hours, Ryuk had encrypted more than 200,000 files. The entire incident took place over 36 hours — after that, the company shut down its network to prevent further damage.

Ransomware retrospective

Following the incident, the business traced the initial compromise back to a part of their network in another country that Darktrace did not have visibility over during this trial period. The infection spread until it reached a recently installed file server that Darktrace was, in fact, monitoring. The attacker likely got access to an administrative account that had been used to build this server and, at that point, they had the access needed to fire the Ryuk ransomware.

This incident put Darktrace in the unique position of observing a ransomware attack wherein none of the alerts were seen or actioned by the internal IT team, demonstrating what such an attack can do absent any intervention and response. Had the company actively monitored its Darktrace deployment, the security team would have received and actioned the alerts in real time, as its thousands of users do on a daily basis.

Autonomous Response to the rescue

Had the firm deployed Autonomous Response technology, the lack of attention afforded to Darktrace’s alerts would not have mattered. Whereas four hours passed from the executable download to the first encrypted file, Autonomous Response would have neutralized the threat within seconds, preventing widespread damage and giving the security team the crucial time to catch up.

The screenshot below shows an excerpt of Darktrace’s detections at the beginning of the file server compromise. The detections are listed in chronological order from bottom to top, along with the action that Darktrace’s AI Autonomous Response tool, Antigena, would have taken:

  • Unusual Admin SMB Session — The attacker logged in to the file server with compromised credentials
    • Antigena action: This single anomaly prompts no action yet, but Antigena is now on heightened alert and primed to intervene.
  • New Admin Credentials on Client — The attacker using multiple new admin credentials on the device
    • Antigena action: Now with high-confidence evidence of a threat, Antigena enforces the device’s typical ‘pattern of life’; all admins who normally log in to this device can continue to do so, whereas new logins are blocked for one hour.
  • Suspicious TLS Beaconing — Command & Control traffic over TLS
    • Antigena action: Antigena again enforces the ‘pattern of life’, in this case meaning that usual outbound communication like software updates is allowed, but new and unusual communication like C&C traffic is blocked for two hours.
  • Network Scan — The attacker scanning the network to identify further victims
    • Antigena action: This server has never scanned the network before — only admin devices do this. Antigena therefore stops the device from scanning the network for two hours.
  • EXE from Rare External Location (second from the top) — The attacker downloads later-stage payloads for further infection
    • Antigena action: Antigena still allows the device to conduct normal downloads while blocking downloads from rare locations, behavior which it had never exhibited previously.

In sum, Antigena would have taken appropriate action by enforcing normal behavior, rather than applying a binary block (e.g. completely quarantining the device) as legacy tools would.

To learn how Antigena neutralizes threats without interrupting normal business operations, check out our in-depth white paper: Darktrace Antigena: The Future of AI-Powered Autonomous Response.

Max Heinemeyer

Max is a cyber security expert with over nine years’ experience in the field, specializing in network monitoring and offensive security. At Darktrace, Max works with strategic customers to help them investigate and respond to threats, as well as overseeing the cyber security analyst team in the Cambridge UK headquarters. Prior to his current role, Max led the Threat and Vulnerability Management department for Hewlett-Packard in Central Europe. In this role he worked as a white hat hacker, leading penetration tests and red team engagements. He was also part of the German Chaos Computer Club when he was still living in Germany. Max holds a MSc from the University of Duisburg-Essen and a BSc from the Cooperative State University Stuttgart in International Business Information Systems.