North Korean APT(?) and recent Ryuk Ransomware attacks

Our Threat Intelligence team has been tracking the Emotet botnet throughout 2018. In our previous post we reported a large scale Emotet campaign focused on e-mail content exfiltration.

Today, we review the evidence gathered from our Telltale Threat Intelligence Service, which suggests the involvement of Emotet as the delivery mechanism for the latest wave of Ryuk ransomware attacks being dubbed as North Korean state-sponsored cyber-attacks.

The evidence from the dataset completes the missing narrative needed to show a likely and complete attack chain of compromise via organized crimeware activity. This attack chain consists of initial Emotet infections, which are then used to deliver Trickbot. Completing the attack chain, in a select subset of Trickbot infections, actors then deliver Ryuk. Our analysis shows Emotet infections were lingering for weeks in advance before any Ryuk ransom attacks were deployed. This lends a new piece of intelligence to an ongoing attribution debate over whether or not North Korea is directly targeting organizations with Ryuk.

Background

There are not many known cases of Ryuk infections but there have been at least two victims publicly disclosing their efforts in response to a Ryuk ransomware attack this year. Many others have not publicly come forward but are alleged to have suffered the same attack pattern. One notable incident was in October 2018 where the Onslow Water Authority, in the US, confirmed that they had also suffered attacks as a result of the Ryuk and Emotet families.

Checkpoint recently published a technical report on Ryuk part of which details a campaign in August 2018 attacking various organizations worldwide. Their article links Ryuk to another family of malware known as Hermes, which was previously used by the Lazarus group in the compromise of the Far Eastern International Bank.

In the BAE reporting of the heist, they say that Hermes seems relatively rare but they also suggest that it may have been used as a distraction/cover-up rather than as part of the motive behind the attack.

FireEye’s comprehensive APT38 report1, published in October 2018, points out the use of Hermes as a false flag attack that is presumably designed to distract investigators.

In a publication from the New York times, reporting about one of these victims, Adam Meyers of CrowdStrike says that “cybercriminals appeared to have been infecting victims with Ryuk through a criminal tool called Trickbot.”

What is the nexus between Emotet, Trickbot, and Ryuk?

Machines infected with Emotet periodically check for modules from a command and control server (C2). These modules are typically DLLs or EXEs which are loaded on an infected system for extending capabilities. Additionally, some modules such as Trickbot may receive further payloads, encoded in a C2 command, leading to the decoding and running of an EXE of the actor’s choice, like Ryuk. Our tracking shows that the actors behind Emotet regularly drop malware executables composed of Trickbot and IcedID, among others. The Trickbot and IcedID payloads are observed to be dropped directly via the module loader. However, with the Ryuk ransomware module, it follows a different control-flow path. Ryuk infections are seldom, if ever, dropped directly by Emotet. When the Ryuk module is delivered to a victim, it is done transiently through a Trickbot infection and other tools, not the original Emotet bot.

Ryuk Delivery Workflow (click to expand)

Ryuk, on the contrary, isn’t usually delivered by a standard Trickbot infection. The behavior observed previously points to Ryuk being dropped interactively via the Empire framework, after the actors have scouted and compromised a high-value target on the victim’s network.

North Korean APT or the Crimeware Annoying Persistent Threat?

Our data suggests that some or all of the organizations which were victim to the recently reported Ryuk ransoms during the Holidays, were first infected with Emotet, which subsequently dropped Trickbot and finally lead to Ryuk ransomware. While there is no evidence suggesting that North Korea isn’t working with Emotet actors, there is also little evidence to support that they are and that these are annoyingly-timed attacks by actors who decided to interrupt the Holidays.

Furthermore, McAfee just released an article which is consistent with our knowledge that source code availability to this ransomware has been available on underground forums for some time, openly accessible to any malicious actor, not just North Korea.

Our breach intelligence captured Emotet infections in more than one of the alleged victims during 2018. Given the nexus of Ryuk, Trickbot, and Emotet, along with the tens of millions of connection records over tens of thousands of potential victims in our datasets, it is likely that this method of attack may start to become more prevalent.

Below we provide a timeline of our data points and the October 2018 compromise of the Onslow Water Authority, in order to get an indication of the lifecycle timeline, starting from the initial Emotet compromise to the point of infection by the Ryuk ransom family.

Timeline (click to expand)

Organizations using our Telltale Threat Intelligence Service, such as in the highlighted victim’s case, would have had weeks of advance notice of actionable alert notifications to remediate Emotet infections and avoid the potential damage and risks related to Ryuk.

Conclusion

It appears likely that the trend will continue, such that we will see ransomware, like Ryuk, delivered through proxy-enabled and difficult to take down botnets like Emotet. The attribution of attacks will remain difficult as nation-states can and will use misdirection where possible, and criminal groups are ready to sell access to anyone willing to pay. While, at the same time, the tactics, techniques, and procedures (TTPs) used by both groups are often overlapping, hence yet again increasing the difficulty of attribution.

While attribution is just one part of the picture, what matters at this point is that the trend of crimeware is growing increasingly bold and impactful. We believe that the use of threat intelligence and security analytics are key tools for security professionals which help their organizations prepare, predict, and prevent these events from occurring, stopping attacks like Ryuk before they have inflicted irreparable damage.


  1. Page 25. ↩︎