How Ryuk Ransomware Targets AV Solutions, Not Just Your Files

Since mid-August, the recent Ryuk ransomware has netted a tidy sum for its authors and shown that simply having AV and backup solutions on board may not be enough.

Linked to the notorious APT Lazarus group and the earlier HERMES variant of ransomware, Ryuk’s bitcoin wallets have already accumulated over $640,000 in bitcoins, indicating just how successful their strategy has been so far. The particular sample we tested is responsible for 50.41 BTC ($316,265 as of today).

Ryuk’s attempts would be ineffective against the SentinelOne agent, as it has several detection layers and anti-tampering protections.

Pre-execution – as seen in the video, the malware is detected as soon as it is copied to disk. In a real-life scenario the threat is quarantined at this point, so the user never has a chance to execute it.

On execution – this is where the behavioral AI comes into play. As seen in the video, the Ryuk sample spawns multiple processes and uses a bat file to complete its operation. The behavioral AI is capable of connecting all the dots and creating what we call a “group”.

This leads to the third layer that makes a difference, Deep Visibility. The group contains all the files, processes, registry entries (a registry autorun key created in this case), and other IOCs related to this malware. Even if the device were set to a Detect-only policy, a SOC analyst would be able to perform a threat hunt that reveals every item related to this threat.
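To make the "group" idea concrete, the following added example (not SentinelOne's code, and not derived from the Ryuk sample itself) shows the core of such grouping logic run over constructed endpoint telemetry: process-creation and registry-write events are linked into a tree rooted at the initial sample, and the tree is then checked for the behaviours the post describes, namely child processes, a .bat file in a command line, and a value written under a Run autorun key. All process names, pids, file paths and the Run value name are constructed placeholders, not indicators from the real malware.

```python
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Event:
    """One telemetry record as an EDR sensor might emit it (constructed schema)."""
    kind: str          # "process_create" or "registry_set"
    pid: int           # created process (process_create) or acting process (registry_set)
    ppid: int          # parent pid for process_create; same as pid for registry_set
    image: str         # image name of the process
    detail: str = ""   # command line, or the registry path that was written


# Well-known per-user and per-machine autorun locations (real key paths).
RUN_KEYS = (
    r"\Software\Microsoft\Windows\CurrentVersion\Run",
    r"\Software\Microsoft\Windows\CurrentVersion\RunOnce",
)

# Constructed sample telemetry: an unrelated notepad.exe sits next to a
# hypothetical sample that spawns cmd.exe with a .bat file and sets a Run value.
SAMPLE_EVENTS = [
    Event("process_create", 100, 1, "explorer.exe"),
    Event("process_create", 200, 100, "sample.exe", r"C:\Users\Public\sample.exe"),
    Event("process_create", 201, 200, "cmd.exe", r"cmd.exe /c C:\Users\Public\example.bat"),
    Event("process_create", 202, 201, "conhost.exe", "conhost.exe 0x4"),
    Event("registry_set", 200, 200, "sample.exe",
          r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater"),  # placeholder value name
    Event("process_create", 300, 100, "notepad.exe", "notepad.exe"),
]


def build_children(events: List[Event]) -> Dict[int, List[int]]:
    """Map each parent pid to the pids it created."""
    children: Dict[int, List[int]] = {}
    for e in events:
        if e.kind == "process_create":
            children.setdefault(e.ppid, []).append(e.pid)
    return children


def collect_group(events: List[Event], root_pid: int) -> Set[int]:
    """Return the root pid plus every descendant pid (the process part of a 'group')."""
    children = build_children(events)
    group: Set[int] = set()
    stack = [root_pid]
    while stack:
        pid = stack.pop()
        if pid in group:
            continue
        group.add(pid)
        stack.extend(children.get(pid, []))
    return group


def indicators(events: List[Event], root_pid: int) -> Dict[str, List[str]]:
    """Collect the behaviours the post lists, restricted to the group rooted at root_pid."""
    group = collect_group(events, root_pid)
    found: Dict[str, List[str]] = {"child_processes": [], "bat_files": [], "run_keys": []}
    for e in events:
        if e.pid not in group:
            continue  # belongs to an unrelated process tree
        if e.kind == "process_create" and e.pid != root_pid:
            found["child_processes"].append(e.image)
            # Any command-line token ending in .bat is recorded as a batch file used by the group.
            for token in e.detail.split():
                if token.lower().endswith(".bat"):
                    found["bat_files"].append(token)
        elif e.kind == "registry_set" and any(k.lower() in e.detail.lower() for k in RUN_KEYS):
            found["run_keys"].append(e.detail)
    return found


def is_suspicious_group(found: Dict[str, List[str]]) -> bool:
    """Flag a group that combines child processes, a .bat helper and Run-key persistence."""
    return bool(found["child_processes"]) and bool(found["bat_files"]) and bool(found["run_keys"])


if __name__ == "__main__":
    for root in (200, 300):
        f = indicators(SAMPLE_EVENTS, root)
        print(root, sorted(collect_group(SAMPLE_EVENTS, root)), f, is_suspicious_group(f))
```

Grouping by ancestry rather than by individual event is what lets a Detect-only deployment still answer the hunt question "what else did this thing touch": once the root is known, every file, process and registry write in the tree is retrieved in one pass instead of being correlated by hand.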
