Skip to content

AI vs. RYUK Ransomware: Is your organization prepared?

Most security specialists remember the devasting Not Petya-attacks that hit global companies such as Maersk, MERCK, Saint Gobain, and many more. Although IT-professionals (and their non-IT colleagues) are painfully aware of the threat ransomware-attacks pose, these tiny, menacing pieces of code continue to cause huge disruptions – and the stakes keep growing.

Mortal outcomes of a ransomware attack are no longer theoretical. Two months ago, Dusseldorf University Hospital suffered a ransomware attack and, as a direct consequence of the operational downtime following the attack, had to divert a woman in need of emergency medical care to a hospital 30 minutes away. Tragically, the patient did not survive.

Once the threat actor breaches the first lines of defense (usually firewalls, endpoint-security, and spam-filters) and successfully deploys the script, ransomware can spread laterally through a company in a matter of seconds, taking down entire systems. Too often, the victim organization suffers catastrophic damage.

The hacker tends to strike outside ordinary office hours when security teams are less capable of responding in time. Machine-speed attacks require machine-speed response capabilities that autonomously (without human guidance) detect and stop the highest severity threats, for instance ransomware.

Examining an example of RYUK ransomware caught by MUNINN in a customer’s environment, this blog post takes you through the ways in which AI autonomously learns what normal network behaviors look like and uses this understanding to automatically prevent ransomware attacks.

How does MUNINN detect ransomware?

When deployed on a network, MUNINN immediately starts learning the normal behaviors of every user and device across the organization. This allows the technology to detect all behaviors and connections that deviate from legitimate business activities on the network.

Recently, MUNINN detected RYUK ransomware targeting a pharmaceutical company. MUNINN immediately detected every phase of the attack, providing the security team with a full overview of the incident as it occurred.

Upon breaching the first layers of cyber-security, the hacker started to engage in network scanning activities to gain a stronger foothold within the organization. MUNINN detected several indicators of an ongoing ransomware attack, for instance:

Action: MUNINN Detection
Execution of obfuscated PowerShell and subsequent connections to a remote IP address of C2 (Command and Control center).   Unusual communication to external C2 host.
A reverse shell is downloaded and executed on the compromised host.   Suspicious download from unknown, external host.
Reconnaissance of the network is conducted using tools that were uploaded externally.   Detected port-scans, arp-scans, ping sweeps, Bloodhound AD activities.
Lateral movement throughout the network is enabled using Remote Desktop Protocol (RDP).   RDP brute-force attempts detected.
PowerShell Empire is downloaded and installed as a service.   File transfer from unusual external host detected.
Lateral movement is continued until privileges are recovered to obtain access to a domain controller.   Various vulnerability scans detected, including Mimikatz , Cobalt Strike, and other tools for escalating privileges.  
PSEXEC is used to push out the Ryuk binary to individual hosts. Remote command execution, unusual DCE and RPC detected  
Batch scripts are executed to terminate processes/services and remove backups, followed by the Ryuk binary.   Process/Service Termination: net stop BMR Boot Service /y
net stop NetBackup BMR MTFTP Service /y net stop avpsus /y
net stop McAfeeDLPAgentService /y
net stop mfewc /y   Ati-recovery commands: vssadmin Delete Shadows /all  /quiet  

FREKI Auto-Prevent, the MUNINN-platform’s autonomous response capability, will (when activated) instantly block the encryption protocols, mitigating the worst effects of the ransomware attack.

Conclusion

We have in recent months witnessed a surge in dangerous, double-threat attacks such as RYUK. The targeted organization risks losing data, but also risks having the data sold on the Dark Web if they refuse to pay the ransom.  Organizations are beginning to leverage the power of cyber-AI to detect and investigate ransomware intrusions. Increasingly, organizations are also turning to AI to autonomously respond to cyber-threats as they occur. Ransomware attacks such as RYUK show companies why autonomous response is necessary: fast-moving, machine-speed threats require machine-speed response.