Trellix Insights: Ryuk ransomware attack rush to attribution misses the point
Technical Articles ID: KB92422
Last Modified: 2022-08-10 18:55:21 Etc/GMT
Environment
IMPORTANT: This Knowledge Base article discusses a specific threat that is being automatically tracked by Trellix Insights technology. The content is intended for use by Trellix Insights users, but is provided for general knowledge to all customers. Contact us for more information about Trellix Insights.
Summary
Description of Campaign:
Ryuk is a targeted ransomware, most recently seen used against American Newspaper Organizations. This ransomware family is considered a Big Game Hunter because it specifically targets large organizations with deep pockets. The attackers do not need mass distribution or wide coverage because they are depending on single large paydays.
According to Wikipedia, Ryuk refers to a Japanese manga character from the series Death Note. Ryuk apparently drops a death note, a fitting name for ransomware that drops ransom notes.
Cybercriminal developers usually name their ransomware, while the security industry usually names state-sponsored malware.
How to use this article:
- If a Threat Hunting table has been created, use the rules contained to search for malware related to this campaign.
- Review the product detection table and confirm that your environment is at least on the specified content version. To download the latest content versions, go to the Security Updates page.
- Scroll down and review the "Product Countermeasures" section of this article. Consider implementing them if they are not already in place.
- Review KB91836 - Countermeasures for entry vector threats.
- Review KB87843 - Dynamic Application Containment rules and best practices.
- Review KB82925 - Identify what rule corresponds to an Adaptive Threat Protection and Threat Intelligence Exchange event.
Campaign IOC:
Type | Value |
Minimum Content Versions:
Content Type | Version |
Detection Summary:
IOC | Scanner | Detection |
Minimum set of Manual Rules to improve protection to block this campaign
IMPORTANT: When you implement new rules or signatures, always first set them to Report mode before setting them to Block.
Mitigate against triggering false positives when enabling new rules and signatures by always following best practices. For best practices for Endpoint Security Dynamic Application Containment rules, see: KB87843 - Dynamic Application Containment rules and best practices.
Endpoint Security - Advanced Threat Protection: Rule ID: 2 Use Enterprise file reputation to identify trusted or malicious files
Endpoint Security - Access Protection: Rule: 1
  Executables (Include): *
  Subrules:
    Subrule Type: Files
    Operations: Create
    Targets (Include): *.ryk
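The Access Protection rule above fires when any process (Executables: *) performs a Create operation on a file whose name matches *.ryk, the extension Ryuk appends to files it has encrypted. The following is an added illustration, not Trellix code and not the product's rule engine: a small evaluator with the same semantics, run over a constructed list of file-system events in Report mode and then in Block mode. The rule and event structures, field names and sample paths are assumptions made for this example, and the events are constructed, not real telemetry.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatch
from typing import List


@dataclass
class FileEvent:
    """One file-system operation as an endpoint sensor might report it (constructed format)."""
    process: str    # image path of the process performing the operation
    operation: str  # "Create", "Write", "Delete", ...
    target: str     # path of the file being acted on


@dataclass
class AccessProtectionRule:
    """Assumed structure mirroring the rule fields in the article; not a Trellix API."""
    name: str
    executables_include: List[str]   # glob patterns for process image paths ("*" = any)
    operations: List[str]            # file operations the rule applies to
    targets_include: List[str]       # glob patterns matched against the file name
    mode: str = "Report"             # start in Report mode, switch to Block once tuned
    executables_exclude: List[str] = field(default_factory=list)

    def matches(self, ev: FileEvent) -> bool:
        exe = ev.process.lower()
        if not any(fnmatch(exe, p.lower()) for p in self.executables_include):
            return False
        if any(fnmatch(exe, p.lower()) for p in self.executables_exclude):
            return False
        if ev.operation not in self.operations:
            return False
        # Compare the file name only, so "*.ryk" fires regardless of directory or drive.
        name = ev.target.replace("\\", "/").rsplit("/", 1)[-1].lower()
        return any(fnmatch(name, p.lower()) for p in self.targets_include)

    def evaluate(self, ev: FileEvent) -> str:
        """Return "allow", "report" (matched, Report mode) or "block" (matched, Block mode)."""
        if not self.matches(ev):
            return "allow"
        return "block" if self.mode == "Block" else "report"


# The rule from this article: any executable, Create operation, target *.ryk.
RYUK_RULE = AccessProtectionRule(
    name="Ryuk encrypted-file creation",
    executables_include=["*"],
    operations=["Create"],
    targets_include=["*.ryk"],
)

# Constructed sample events for illustration; not real telemetry.
SAMPLE_EVENTS = [
    FileEvent(r"C:\Users\alice\AppData\Local\Temp\svchost.exe", "Create",
              r"C:\Users\alice\Documents\budget.xlsx.RYK"),
    FileEvent(r"C:\Windows\System32\notepad.exe", "Create",
              r"C:\Users\alice\Documents\notes.txt"),
    FileEvent(r"C:\Program Files\Backup\agent.exe", "Write",
              r"D:\backup\archive.ryk"),
    FileEvent(r"C:\Windows\explorer.exe", "Create",
              r"C:\Users\alice\Desktop\RyukReadMe.html"),
]


def evaluate_events(rule: AccessProtectionRule, events: List[FileEvent]):
    """Apply one rule to a list of events and return (process, target, verdict) tuples."""
    return [(ev.process, ev.target, rule.evaluate(ev)) for ev in events]


def count_matches(rule: AccessProtectionRule, events: List[FileEvent]) -> int:
    """How many events the rule would have reported or blocked; use this to gauge
    false-positive volume while the rule is still in Report mode."""
    return sum(1 for ev in events if rule.matches(ev))


if __name__ == "__main__":
    for proc, target, verdict in evaluate_events(RYUK_RULE, SAMPLE_EVENTS):
        print(f"{verdict:<6} {proc} -> {target}")
    print(f"{count_matches(RYUK_RULE, SAMPLE_EVENTS)} of {len(SAMPLE_EVENTS)} events matched in Report mode")
```

Only the first event matches: it is a Create on a file ending in .RYK (the file-name match is case-insensitive). The third event touches a .ryk file but is a Write, not a Create, so the rule stays silent, which is the behaviour the Operations field selects. Leaving the rule in Report mode and counting matches over real event volume is how you confirm the rule is quiet on legitimate activity before switching it to Block, per the IMPORTANT note above.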
Aggressive set of Manual Rules to improve protection to block this campaign
IMPORTANT: When you implement new rules or signatures, always first set them to Report mode before setting them to Block.
Mitigate against triggering false positives when enabling new rules and signatures by always following best practices. For best practices for Endpoint Security Dynamic Application Containment rules, see: KB87843 - Dynamic Application Containment rules and best practices.
Host Intrusion Prevention: Rule ID: 6010 Generic Application Hooking Protection.