An attempted ransomware attack on some Louisiana state servers caused the state’s cybersecurity team to shut down their IT systems and websites. Governor John Bel Edwards, however, emphasized that not all of the state’s servers were affected. He added that the shutdown was done more on the side of caution and was not an effect of the attack.

The Office of Technology Services (OTS) is responsible for ensuring the integrity of the state’s IT infrastructure. Among the websites, email services, and applications affected were those of the Office of the Governor, the Department of Corrections, the Office of Motor Vehicles, the Louisiana State Legislature, and the Department of Transportation and Development.

Although the governor did not reveal who the suspect was or what method was used, Reuters cited an unnamed source who said the malware used was Ryuk ransomware. Here’s what we know about this particular ransomware:

• Ryuk cannot move laterally within a network and thus relies on other malware for initial infection.
• “Advance parties” or other malware (e.g., Emotet, Trickbot, Mimikatz, and PowerShell Empire) assess if there is an opportunity for Ryuk installation before it is deployed.
• A potential scenario is that Emotet has distributed Trickbot, before the latter deploys other post-exploitation tools, including Mimikatz and PowerShell Empire.
• Ryuk can access and encrypt files across all devices that are connected to the affected network. It renames encrypted files using the .ryk file extension. It then drops a ransom note named “RyukReadMe” in every infected folder.
• Threat actors who use Ryuk have been known to collect ransoms amounting to more than US$300,000 per victim. Some victims have reportedly paid operators millions of dollars.

The fact that Ryuk can stay undiscovered within a network for months and its need for an advance party can work both ways, depending on how security teams look at it.

For one, it means that threat actors have ample time to assess and infiltrate a target network deeper, thereby causing a lot more damage. On the other hand, this also means that security teams have a better chance of alleviating the ransomware’s effects by detecting and addressing the initial malware.

Our Investigative Tools: Reverse IP/DNS API and Threat Intelligence Platform

The National Cyber Security Centre (NCSC) of the United Kingdom’s Government Communications Headquarters (GCHQ) released an advisory regarding Ryuk in June. The advisory was also endorsed by the U.S. Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), along with several cybersecurity experts.

Given the CISA alert, one could assume that the Louisiana OTS was already on the lookout for indicators of compromise (IoCs) related to Ryuk, Trickbot, and Emotet, possibly explaining why they detected the ransomware and contained the infection before it could cause further damage.

Since Emotet and Trickbot mostly find their way into target networks through phishing emails, one way to avoid them is to do a reverse IP address lookup on incoming messages. If the IP address does not match a valid domain name, then the message can be immediately blocked or rejected.

We examined one IoC related to Trickbot activity cited in the NCSC advisory using our Reverse IP/DNS API and found two domain names hosted on the said IP address.

We then ran one of the domains—socks5[.]demonx[.]ru—on our Threat Intelligence Platform (TIP) and found that its mail server resolves to a different IP address:

The above could point to a spam-sending domain that spread malicious links or files given Ryuk operators’ typical modus operandi discussed earlier. Organizations are advised to block messages from the suspicious IP address to keep networks safe from malware that can download or install Ryuk.

* * *

The state of Louisiana managed to contain potential damage by shutting down all of its IT systems as soon as the ransomware attack was attempted. While it’s true that early detection of cyber threats leads to less damage, it’s also possible to be more proactive and run cybersecurity investigations with reverse IP address lookup and threat intelligence tools. Doing so can prevent malware like Ryuk, Emotet, and Trickbot from entering a network in the first place.