Introduction

Many major media outlets, including CNET, BleepingComputer and others, have reported on this security event in the city of New Orleans. From the information these outlets provided, we are almost certain that the malware involved is Ryuk ransomware.

Figure 1 - CNET news about the New Orleans ransomware event

Figure 2 - BleepingComputer news about the New Orleans ransomware event

Lionic’s Inspection on Ryuk Ransomware

Based on our survey, Ryuk ransomware is used mainly in targeted attacks against enterprises and government organizations. Its infection chain starts with social engineering or spam mail that tricks users into opening attachments, usually MS Office documents. The Office document embeds a macro which, when executed, tries to download a Trojan such as TrickBot or Emotet. These Trojans hide on the user's computer and try to steal the account credentials of other applications such as Outlook, VNC or FileZilla FTP, or exploit the EternalBlue (MS17-010, SMBv1) vulnerability to spread themselves. In addition, the attacker uses compromised MikroTik routers, whose RouterOS has an RCE vulnerability, as C&C servers. The Ryuk ransomware is then downloaded and executed by TrickBot/Emotet after they talk to the C&C servers.

Summary:

  1. Ryuk ransomware is used mainly in targeted attacks against enterprises and government organizations.
  2. Its infection chain starts with social engineering or spam mail that tricks users into opening attachments, usually MS Office documents.
  3. The Office document embeds a macro that tries to download a Trojan such as TrickBot or Emotet.
  4. These Trojans hide on the users' computers and try to steal the account credentials of other applications such as Outlook, VNC or FileZilla FTP, or exploit the EternalBlue (MS17-010, SMBv1) vulnerability to spread themselves.
  5. In addition, the cyber-criminal uses compromised MikroTik routers, whose RouterOS has an RCE vulnerability, as C&C servers.
  6. The Ryuk ransomware is then downloaded and executed by TrickBot/Emotet after they talk to the C&C servers.
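The first link of the chain above is an Office attachment carrying a macro, so a mail gateway's cheapest useful check is to look inside each attachment's container rather than trusting its file name. The script below is an added example written for this article; it is not Lionic's code and does not use the Lionic DPI engine. It builds a few constructed sample attachments in memory, then triages them: OOXML files (zip containers) are inspected for a VBA project part, legacy OLE documents are quarantined for a deeper macro scan, and executable attachment types are blocked outright. The `vbaProject.bin` part name is the real OOXML convention; everything else (file names, thresholds, verdict strings) is an assumption made for the example.

```python
import io
import zipfile

# Magic bytes that identify the two Office container formats. OOXML files
# (.docx/.docm/.xlsm/...) are zip archives; legacy .doc/.xls are OLE2 compound files.
ZIP_MAGIC = b"PK\x03\x04"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Attachment extensions that are executables dressed up as documents; a mail
# gateway should never let these through regardless of content (assumed policy).
EXECUTABLE_EXTS = (".exe", ".scr", ".js", ".vbs", ".hta", ".bat", ".cmd", ".ps1")


def _build_ooxml(with_macro: bool) -> bytes:
    """Build a minimal, constructed OOXML zip in memory (not a real document).

    A real macro-enabled Word document stores its VBA project as
    word/vbaProject.bin; only that structural detail is mimicked here.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


def classify_attachment(name: str, data: bytes) -> str:
    """Return a triage verdict ("block", "quarantine" or "allow") for one attachment.

    The verdict is decided from the bytes, not the file name, so a .docm
    renamed to .docx is still caught.
    """
    if name.lower().endswith(EXECUTABLE_EXTS):
        return "block: executable attachment type"

    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                parts = zf.namelist()
        except zipfile.BadZipFile:
            return "block: malformed zip container"
        if any(p.lower().endswith("vbaproject.bin") for p in parts):
            return "block: Office document with embedded VBA macro"
        if any(p.startswith(("word/", "xl/", "ppt/")) for p in parts):
            return "allow: Office document without macro"
        return "quarantine: zip archive, needs content scan"

    if data.startswith(OLE_MAGIC):
        # Legacy binary formats keep macros inside OLE streams; a magic-byte
        # check cannot see them, so hand the file to the full AV/DPI scanner.
        return "quarantine: legacy OLE document, needs macro scan"

    return "allow: not an Office container"


def triage_attachments(attachments):
    """Classify a batch of (name, bytes) pairs and return {name: verdict}."""
    return {name: classify_attachment(name, data) for name, data in attachments}


# Constructed sample mailbox: names and contents are invented for this example.
SAMPLE_ATTACHMENTS = [
    ("invoice_2019-12.docm", _build_ooxml(with_macro=True)),
    ("renamed_to_look_safe.docx", _build_ooxml(with_macro=True)),
    ("quarterly_report.docx", _build_ooxml(with_macro=False)),
    ("old_contract.doc", OLE_MAGIC + b"\x00" * 24),
    ("notes.txt", b"plain text, nothing to see"),
    ("update.scr", b"MZ\x90\x00"),
]

if __name__ == "__main__":
    for name, verdict in triage_attachments(SAMPLE_ATTACHMENTS).items():
        print(f"{name:28s} -> {verdict}")
```

The quarantine verdict for legacy OLE files is deliberate: macro streams in the binary format need a real parser, and a gateway that silently allows what it cannot parse is exactly the gap the conclusion of this article describes.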

Lionic Solutions on Ryuk Ransomware Invasion

  1. Prevent malware (malicious Office files, TrickBot, Emotet, Ryuk) from entering the user's computer.
  2. Our Anti-Virus module checks email attachments and scans them with the Lionic DPI engine.
  3. Detect EternalBlue (MS17-010 SMBv1) attacks.
    We made MS17-010 related IPS signatures to detect such attacks, including:
    • Windows SMB privilege elevation vulnerability
    • Windows SMB remote code execution vulnerability
    • Windows SMB protocol suspicious activity
  4. Alleviate the damage once malware is triggered.
    We created IPS rules for the malware's activities to block them, including:
    • Trojan Trickbot self-signed certificate session
    • Trojan Trickbot activity
    • Trojan Emotet outgoing communication
    • Trojan Emotet activity
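Items 3 and 4 above are signature names; the logic behind two of them can be illustrated from ordinary connection logs even without a DPI engine. The script below is an added example for this article, not Lionic's code or the content of its signatures. It runs two detections over a constructed log: one internal host opening SMB (tcp/445) sessions to many distinct internal hosts, which is the fan-out an MS17-010 spreader produces, and a TLS session to an outside address presenting a self-signed certificate, the pattern behind the "Trickbot self-signed certificate session" rule. The log format, the internal address ranges, the fan-out threshold and all addresses (RFC 1918 and TEST-NET ranges) are assumptions made for the example.

```python
import ipaddress
from collections import defaultdict

# Address ranges the defender treats as "inside"; configured per site (assumed here).
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed connection log: every address and timestamp is invented for this example.
SAMPLE_LOG = """\
2019-12-13T09:00:01 src=10.1.4.22 dst=10.1.4.30 dport=445 proto=tcp
2019-12-13T09:00:02 src=10.1.4.22 dst=10.1.4.31 dport=445 proto=tcp
2019-12-13T09:00:02 src=10.1.4.22 dst=10.1.4.32 dport=445 proto=tcp
2019-12-13T09:00:03 src=10.1.4.22 dst=10.1.4.33 dport=445 proto=tcp
2019-12-13T09:00:03 src=10.1.4.22 dst=10.1.4.34 dport=445 proto=tcp
2019-12-13T09:00:05 src=10.1.4.22 dst=203.0.113.45 dport=443 proto=tcp tls_cert=self-signed
2019-12-13T09:00:07 src=10.1.4.9 dst=10.1.4.2 dport=445 proto=tcp
2019-12-13T09:00:09 src=10.1.4.9 dst=198.51.100.7 dport=443 proto=tcp tls_cert=ca-signed
"""


def is_internal(addr: str) -> bool:
    """True when the address falls in one of the configured internal ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_line(line: str) -> dict:
    """Parse one 'timestamp key=value key=value ...' record into a dict."""
    ts, *fields = line.split()
    rec = {"ts": ts}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def detect(log_text: str, smb_fanout_threshold: int = 5):
    """Return a list of (rule, src, detail) alerts found in the log text.

    smb_fanout: a single internal source reached at least
        smb_fanout_threshold distinct internal hosts on tcp/445.
    self_signed_tls_egress: a TLS session to a non-internal destination
        whose server certificate was self-signed.
    """
    smb_targets = defaultdict(set)
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        src, dst = rec["src"], rec["dst"]
        if rec.get("proto") == "tcp" and rec.get("dport") == "445" and is_internal(dst):
            smb_targets[src].add(dst)
        if rec.get("tls_cert") == "self-signed" and not is_internal(dst):
            alerts.append(("self_signed_tls_egress", src, dst))
    for src, targets in sorted(smb_targets.items()):
        if len(targets) >= smb_fanout_threshold:
            alerts.append(("smb_fanout", src, f"{len(targets)} distinct SMB targets"))
    return alerts


if __name__ == "__main__":
    for rule, src, detail in detect(SAMPLE_LOG):
        print(f"{rule:24s} src={src:14s} {detail}")
```

Both rules fire on the same source host in the sample log, which is the point: a spreader that also reaches out to a self-signed C&C endpoint shows up in two independent ways, and correlating them on the source address raises confidence without needing packet payloads. The threshold is a tuning knob; a legitimate file server will also see many SMB peers, so in production the rule would be scoped to client subnets.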

Conclusion

The city of New Orleans was targeted by cyber-criminals. This Ryuk outbreak probably started when one member of the city's staff clicked a suspicious email attachment. We guess the city had already adopted a well-known UTM on its network gateway. However, that UTM was not able to catch the ransomware in the email immediately. Also, the city did not install many small security network devices in its LAN, so the impact of this ransomware was huge.

It should be noted that every UTM has a different protection scope. Some UTMs claim a high detection rate but actually deliver a low one. Users should check the anti-malware capability before they purchase a UTM. If New Orleans had adopted Lionic DPI and signature-based security solutions at its network gateway and in its LAN, the impact would have been minimized.


About Lionic Corporation

Lionic Corporation is a worldwide provider of innovative Deep Packet Inspection solutions. Lionic's technologies include a complete DPI-based software engine and related management software, which offer Security Solutions that address anti-virus, anti-intrusion and anti-webthreat, and Content Management Solutions that address application identification, device identification, application-based QoS, web content filtering and parental control.

Lionic's security and content management solutions, cloud-based scan services and signature subscription service are already widely deployed around the world. They help service providers, network appliance manufacturers, semiconductor companies and others to enable the next generation of business routers, residential gateways, SD-WAN edges and cloud gateways, advanced firewalls, UTMs, SmartNICs and mobile devices. Products powered by Lionic provide better network management and protect the world's networks from an ever-increasing level of security threats.