ANSSI have spotted a new Ryuk ransomware variant that implements worm-like capabilities that allow within local networks.

This version holds a new attribute allowing it to self replicate over the local network. Through the use of scheduled tasks, the malware propagates itself machine to machine within the Windows domain. Once launched, it will thus spread itself on every reachable machine on which Windows RPC accesses are possible. It doesn’t include any mechanism for blocking the execution of the ransomware (MUTEX like or else), it copies itself with a rep.exe or lan.exe suffix.

The ransomware generates every possible IP address on local networks and sends them an ICMP ping. It lists the IP addresses of the local ARP cache and sends them a packet, then it lists all the sharing resources opened on the found IPs, mounts each of them, and attempts to encrypt their content. Its capable of creating remote schedule task . It removes volume shadow copy to prevent file recovery

The ransomware does not check if a machine has already been infected, the malicious code uses a privileged account of the domain for its propagation. French experts pointed out that even if the user’s password is changed, the replication will continue as long as the Kerberos tickets are not expired.

To tackle the problem could be to change the password or disable the user account and then proceed to a double KRBTGT domain password change. This would induce many disturbances on the domain and most likely require many reboots but would also immediately contain the propagation.