Ryuk Ransomware Delivered Using Malware-as-a-Service ToolSophos: Cybercriminals Renting Buer Loader
The operators behind the Ryuk strain of ransomware are increasingly relying on a malware-as-a-service tool - the Buer loader - to deliver the malware, rather than botnets such as Trickbot and Emotet, according to the security firm Sophos.
Researchers spotted advertisements for the Buer loader on underground forums starting in August 2019. The Sophos analysis, however, finds that the Ryuk operators have been increasingly relying on the loader to deliver their ransomware over the last several months.
Buer is a malware-as-a-service tool that provides an initial compromise of targets' Windows devices and enables the threat actors to establish a digital foothold within a network, Sean Gallagher, a senior threat analyst with Sophos, notes in the report.
"Buer has previously been tied to banking Trojan attacks and other malware deployments - and now, apparently, has been embraced by ransomware operators," Gallagher notes. "In many ways, Buer is positioned as an alternative to Emotet and Trickbot's emerging Bazar loader."
After a dormant period starting in March, Ryuk activity has surged since the end of the third quarter, says Bill Siegel, the CEO of incident response firm Coveware. This includes a confirmed attack against French IT services company Sopra Steria earlier this month (see: French IT Services Firm Confirms Ryuk Ransomware Attack).
Office furniture giant Steelcase also appears to have sustained a Ryuk ransomware attack within the last week, according to a report in Bleeping Computer, which cited sources familiar with the company's response.
For years, the Ryuk operators used the Emotet and Trickbot botnets to deliver their crypto-locking malware to compromised devices. Some security analysts, however, have noted that cybercriminals may have started scouting for alternatives to Trickbot after Microsoft launched a campaign to dismantle its infrastructure early this month (see: Microsoft Continues Trickbot Crackdown).
"It's clear that Ryuk is back and that the actors behind it are evolving their methods for initial compromise, using multiple loader bots to achieve initial access," Gallagher says. "It's not clear if the same actor is behind all of these attacks, using multiple malware-as-a-service platforms to deliver Ryuk, or if there are multiple Ryuk actors."
Buer, which was first advertised on underground forums as the "Modular Buer Loader," was described by its developers as a modular bot written in the C programming language. It also includes a command-and-control server written in the .NET language that cybercriminals could access as well, according to Sophos.
The Buer developers advertised that the malware loader was available for rent for a flat fee of $350, which included some customization and access to the command-and-control servers' IP address. For an extra $25, cybercriminals could change the IP address to fit their needs, the Sophos report states.
"The [command-and-control] can be used to track the number of successful downloads in a campaign and to assign tasks to bots by filters such as the country they’re in, the 'bitness of the operating system' (32 or 64 bit), the number of processors on the infected machine and the level of permissions obtained by the bot," Gallagher says.
The Sophos team discovered a sample of Buer during a Ryuk ransomware attack in September. The loader was hidden within a Google Doc delivered by a phishing email to the potential victim, according to the report.
"The document required the victim to enable scripted content to activate - a behavior similar to Emotet and other loader attacks via malicious spam emails but leveraging cloud storage to make the forensic analysis more difficult," Sophos says.
The variant of Buer recovered from the September attack uses a now-revoked certificate to help bypass security controls, the researchers say. The loader also checks for the presence of a debugger to evade forensic analysis and scans the device for language and localization settings to determine the geographic region of the targeted device.
Buer also deploys several PowerShell commands that alter settings within the Windows device, including the Windows Defender’s exclusion list. This allows the loader to bypass additional security controls, according to the Sophos report.
Once these checks are done, a dropper then deposits Buer within the device's memory and executes the loader. Once this process is complete, the loader then attempts to download the Ryuk ransomware, the Sophos researchers say.
Gallagher notes that Buer and Ryuk share some of the same shellcode, but it's not clear if that means the two were jointly developed by the same operators.
"This may not be an indication of shared authorship; the developers may have simply used the same sample code as their source," he says.