This year, many financial and healthcare institutions are seeing a significant uptick in Ryuk ransomware attacks. Ryuk is actually the last phase of a multiphase attack, preceded by the TrickBot trojan, which uses the EternalBlue vulnerability to spread through a company’s network. Ryuk is the “business” payload that encrypts the system and demands ransom at the last stage of the attack.
The attack process begins with a phishing email that contains a malicious link. According to Shawn Kanady, director at Trustwave SpiderLabs Digital Forensics and Incident Response, ninety percent of attackers will begin their attack campaigns with a phishing email[1]. And why not? It’s an easy, low-cost delivery method, and today’s phishing emails are targeted at a user and quite convincing. The malware embeds itself in the infected system and is difficult to get rid of.
Defense in Depth
There is no one tool that will stop malware from infecting our systems, but it is a certainty that without user education and email filtering, anything else we do is like playing “Whack-a-Mole.” We have to establish these front-line defenses so we can focus on the dangers that exist when these defenses are breached. Bad actors are smart, and they figure out ways to combat education and filters. This is why we need defense in depth, and where BigFix can help you combat malware on your systems. Let’s take a look at three defensive areas and see how the real-time visibility, rapid response and continuous enforcement that BigFix provides can help combat these attacks.
Patch Your Systems
According to CrowdStrike, one of the steps to take to prevent the TrickBot malware from impacting systems is to ensure the CVE-2017-0144 (EternalBlue) vulnerability is addressed[2], which means applying the Microsoft MS17-010 Security Update. This patch was released in March of 2017, over 1200 days ago, and we are still being advised to install it. If patching is so important, why don’t we take it more seriously? Any system that doesn’t have this vulnerability addressed today is potentially vulnerable to the TrickBot trojan that facilitates the delivery of Ryuk ransomware.
Most companies have a patch management program, but they find it impossible to keep up with the patching process. One reason for this is the lack of visibility into the compliance state of their endpoints. With BigFix, you can gain real-time visibility into the status of endpoints. You can also implement automated patch policies that automatically check for new, updated and superseded patches to ensure that your systems stay compliant with the latest patch releases. This way, you’re protected against vulnerabilities each month and don’t have to worry about patches released in 2017, or any other year.
Enforce Security Configuration
Implement and enforce security configuration items. Like patch compliance, we should be vigilant about security settings on the network and the systems that access it. We must also be proactive when it comes to enforcing system settings – also known as hardening.
TrickBot and Ryuk exploit several misconfigurations, like SMBv1. BigFix can help you enforce security configurations, including the Center for Internet Security (CIS) Benchmarks and the Defense Information Systems Agency (DISA) Security Technical Implementation Guidelines (STIGs). Use BigFix to apply these checklists in your environment to enforce the recommended configurations and setting values. And BigFix uses policies to enforce these configuration settings on the systems in your environment, to ensure continuous compliance against threats by bad actors.
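The SMBv1 setting mentioned above can be audited on a single Windows host as follows. This is an added example, not BigFix content or code from the original article; the function name Get-Smb1State is hypothetical, and the remediation commands are left commented out.

```powershell
# Added example: read-only SMBv1 audit for one host. Run from an elevated prompt.
function Get-Smb1State {
    # Server side: is the SMB server still willing to speak SMBv1?
    $server = (Get-SmbServerConfiguration).EnableSMB1Protocol
    # Client side: mrxsmb10 is the SMBv1 client driver; Start = 4 means disabled.
    $client = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10' `
                               -Name Start -ErrorAction SilentlyContinue
    # Optional feature: absent on builds where SMBv1 has been removed entirely.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol `
                                          -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        ServerSmb1On   = [bool]$server
        ClientDriverOn = [bool]($client -and ($client.Start -ne 4))
        FeatureState   = if ($feature) { "$($feature.State)" } else { 'NotPresent' }
    }
}

$state = Get-Smb1State
$state | Format-List
if ($state.ServerSmb1On -or $state.ClientDriverOn -or ($state.FeatureState -eq 'Enabled')) {
    Write-Warning 'SMBv1 is still available on this host.'
    # Remediation, to be applied through change control:
    #   Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    #   Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
}
```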
Utilize BigFix to Locate Indicators of Compromise and Remediate
While BigFix is not a full-featured EDR solution, it can be used to detect and remediate the known threat indicators on all of your managed endpoints, and notify you of conditions and indicators that you specify. Ryuk and TrickBot have been around long enough for them to be analyzed, and the components of each, like installation folder, file names and hashes, registry settings, and running processes are known, even if they change somewhat between releases of the malware.
CrowdStrike recommends a three-step process for manually removing TrickBot malware from an endpoint[3], and these processes can be automated with BigFix:
- Step one: Killing the malicious processes (injected svchost). BigFix can watch for the presence of a running process, and if identified, the process can be stopped. This process can be enforced automatically, as many times as necessary.
- Step two: Locating and removing the persistence mechanism (e.g., scheduled tasks, services). BigFix can watch for the presence of a running service and stop it, as well as change the state and remove the service. BigFix can also determine scheduled tasks and eliminate them.
- Step three: Removing disk artifacts (e.g., binaries and directories). Once the processes and services have been stopped and eliminated, BigFix can also be used to discover the presence of files, folders, registry entries and the like, and notify the administrator of the presence of these artifacts.
As with the WannaCry ransomware attack, BigFix can also alert on the presence of encrypted files (in the case of Ryuk, files with a ‘.ryk’ extension) so that actions might be taken, like quarantining the system so it doesn’t affect others.
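The three steps and the ‘.ryk’ check above can be approximated with a read-only triage script. This is an added example, not BigFix content or CrowdStrike's procedure; the function names are hypothetical, and the heuristics (svchost.exe is expected in System32 with services.exe as its parent, persistence launching from user-writable folders is worth a look, the search starts under the Users folder) are assumptions rather than indicators from the article.

```powershell
# Added example: read-only triage for the three steps. It reports; it removes nothing.
# The heuristics are assumptions, not indicators taken from the article. Run elevated.
function Get-SuspiciousSvchost {
    # Step one: svchost.exe outside System32, or whose parent is not services.exe.
    $procs = @(Get-CimInstance -ClassName Win32_Process)
    $byId = @{}
    foreach ($p in $procs) { $byId[[int]$p.ProcessId] = $p.Name }
    $expected = Join-Path $env:SystemRoot 'System32\svchost.exe'
    foreach ($p in $procs) {
        if ($p.Name -ine 'svchost.exe') { continue }
        $parent = $byId[[int]$p.ParentProcessId]   # $null when the parent has exited
        $badPath = $p.ExecutablePath -and ($p.ExecutablePath -ine $expected)
        if ($badPath -or ($parent -ine 'services.exe')) {
            [pscustomobject]@{ Step = 1; Kind = 'Process'; Item = "PID $($p.ProcessId)"
                               Detail = "path=$($p.ExecutablePath) parent=$parent" }
        }
    }
}

function Get-UserPathPersistence {
    # Step two: scheduled tasks and services that launch from user-writable folders.
    $pattern = '\\(AppData|Temp|Users\\Public)\\'
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }   # COM-handler actions carry no path
            $exe = [Environment]::ExpandEnvironmentVariables($action.Execute)
            if ($exe -match $pattern) {
                [pscustomobject]@{ Step = 2; Kind = 'Task'; Item = "$($task.TaskPath)$($task.TaskName)"; Detail = $exe }
            }
        }
    }
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        if ($svc.PathName -match $pattern) {
            [pscustomobject]@{ Step = 2; Kind = 'Service'; Item = $svc.Name; Detail = $svc.PathName }
        }
    }
}

function Get-RykFileSummary {
    param([string]$Root = "$env:SystemDrive\Users")
    # Step three: count .ryk files per folder; -Filter alone can match longer extensions.
    Get-ChildItem -Path $Root -Filter '*.ryk' -File -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -ieq '.ryk' } |
        Group-Object -Property DirectoryName |
        ForEach-Object { [pscustomobject]@{ Step = 3; Kind = 'EncryptedFiles'; Item = $_.Name; Detail = "$($_.Count) file(s)" } }
}

& { Get-SuspiciousSvchost; Get-UserPathPersistence; Get-RykFileSummary } |
    Format-Table -AutoSize -Wrap
```

A hit is a lead to review, not a verdict: a parent process ID can be reused after the real parent exits, and legitimate software sometimes registers tasks that run from a user profile.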
Education and Awareness
Educating end-users is also an important step in the prevention and mitigation of TrickBot and Ryuk. If users know not to click on email links, the probability of success of the phishing attack is greatly reduced. Cyber education is not going to stop all attacks, but proper education can make a difference.
Other Tools for the Job
In addition to education, you should implement some actual tools that will help combat email issues specifically, like an email gateway to filter your incoming email. If you can prevent the email from getting to the user, or strip out the suspicious link or attachment, there is even less of a chance that the attack will be successful.
Vigilance!
BigFix can make the task of protecting your endpoints more manageable, but you must be vigilant in the security awareness process. Remember that the bad actors know as much as you do about vulnerabilities, and each day that goes by with an unpatched system is another day they can attempt to exploit it.
BigFix can help you orchestrate your defenses by providing you with visibility into the vulnerabilities, the tools needed to respond to those vulnerabilities, and the policy enforcement to maintain continuous compliance in your environment on all your endpoints, regardless of their location or connection type.
If you’re not a current BigFix customer, contact us for a demonstration of the features and benefits BigFix provides. Odds are, we can help you keep your systems free of malware.
[1] Colon, Marcus, Analysis, Advice and Predictions from a Ransomware First Responder, August 27, 2019, (https://www.trustwave.com/en-us/resources/blogs/trustwave-blog/analysis-advice-and-predictions-from-a-ransomware-first-responder/)
[2] Hanel, Alexander, Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware, January 10, 2019, (https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/)
[3] Campbell, Ryan and Cargill, Devin, Automating Remote Remediation of TrickBot via Falcon’s Real Time Response API: Part 1, July 7, 2020, (https://www.crowdstrike.com/blog/automating-remote-remediation-of-trickbot-part-1/)


