Universal Encryption

7/30/2020

Ransomware variants like Ryuk, WastedLocker, and Dopplepaymer are also file level encryption. These groups will gain access to the network and perform reconnaissance to identify the victim, understand their business, identify critical sys­tems, and delete backups to force their victims into making a payment.

The groups can have ac­cess to the network for a few hours or upwards of over a month. Ryuk is commonly associated with precursor trojans such as Trickbot and Emotet. Arete has observed Ryuk deployed as quickly as 6 hours after a Trickbot infection. Ryuk infec­tions result with *.ryk appended to the file name.

Comparatively, the deployment of WastedLocker is much more calculated with the TA staying on the network for an average of 2 weeks from ini­tial infection to ransomware deployment. Wast­ed infections result with *.abcwasted appended to the file name where “abc” is a 3 letter abbrevi­ation relating directly to the victims name.

Communication preference: Email usually pro­tonmail.com domains or TOR Website

Average ransom payment: Ryuk $598,000; WastedLocker $2,400,000; Dopplepaymer $304,000

Preferred currency: Bitcoin (BTC)

Decryptor received: 100% of the time. The decryptor received is universal. It is typically a 32-bit executable that will work on any windows OS version. While these groups are known for a high ransom price, their decryptor is probably the simplest to run.

Watch out: WastedLocker is extremely difficult to negotiate. In fact, if negotiation is attempted, they may threaten to increase the ransom by approximately 5% of the ransom per day until it is paid. They are also very slow to respond to email and even post their business hours of UTC 5am-8am and 5pm-8pm.

Notes: Dopplepaymer has been linked to gain­ing access to large environments and deploying cryptomining malware before launching their ransomware attack.