What you should know about Ryuk ransomware
Introduction
The ransomware called Ryuk has established ransomware as a lucrative enterprise product. This sentence may sound provocative, as it is treating cybercriminals like businesspeople, but this is what Ryuk is about — making money. This strain of ransomware is estimated by Crowdstrike to have made the gang behind it over $3.7 million USD since its entry into the wild in August 2018.
Ryuk and its ransomware compatriots don’t just end in lost money and encrypted files. They also have a personal cost. Lake City, Florida, was a recent victim of the Ryuk ransomware, and the city ended up paying the $460,000 ransom. The IT Director of Lake City, Brian Hawkins, was sacked as part of the fallout from the attack — even though he had done everything in his power to prevent the infection.
See Infosec IQ in action
So who is behind Ryuk, how does it work and how can it be stopped?
Who is behind Ryuk?
According to an FBI notification, Ryuk ransomware has been found in over 100 international government and enterprise institutions. The cybercriminals behind Ryuk are following the money as they choose targets likely to have high revenues and high profiles, the hope being that they will pay up to keep the business running.
The hacking group behind Ryuk is believed to be the aptly named GRIM SPIDER. This conclusion was evidenced by CrowdStrike, with GRIM SPIDER being a cell of the larger Russian group WIZARD SPIDER. This latter group is also behind the Trojan Trickbot which, as we will see, is intrinsically linked to some Ryuk infections.
The trick in the tail
Ryuk is a tricky proposition. It uses cybercrime’s favorite technique: stealth. It can lurk in the target network for months, even up to a year according to an analysis by Crowdstrike. To do this, it works by piggybacking the Trojans Trickbot or Emotet (or both), which act as a dropper for the Ryuk payload. The time spent in stealth mode is believed to be for surveillance, in order to understand critical areas of a network that can be used to optimize the impact of the ransomware.
The infection appears to be a multi-part, complex dance of dropper Trojan(s), surveillance and ransomware infection. If you have a Ryuk infection, chances are you have already been infected with Emotet, Trickbot or both.
However, nothing is straightforward in the world of Ryuk. According to the FBI, some infections have been the result of unsecured or applied brute force against Remote Desktop Protocols (RDPs) to gain access. Again, even this can be part of a multi-part exploit involving lateral attacks.
A post-infection analysis of Ryuk often turns up a chain of infection. This chain typically begins with Emotet, which in turns drops Trickbot. The Trojans are then used to deploy post-infection tools such as Mimikatz and PowerShell Empire modules.
These tools act as a post-exploitation framework. Empire, for example, can be used to run PowerShell agents and can deploy keyloggers; Mimikatz can be used to steal administrator credentials and create persistent backdoors.
Once ensconced in an organization, these post-exploitation tools create the perfect backdrop for infection with the money-maker, Ryuk. And, of course, the setup can be sold to the highest bidder on a darknet marketplace to exploit further.
The exploit itself needs to then be carefully orchestrated. The Ryuk ransomware typically encrypts files using the standard encryption algorithm AES-256. The ransom note left as part of the attack, “RyukReadMe,” contains two private email addresses which must be used to make contact. Although some early infections demanded a set amount, later infections waited for contact to be made before the demand was set. This is perhaps a useful tactic, as the attackers might be able to negotiate a higher ransom price.
There is the usual promise of a “decryptor” if the ransom is paid, and sample decrypted files are offered as proof of purchase.
Payment is, of course, in bitcoin, to avoid detection. The bitcoin wallet address is given out with the ransom note.
Mitigation for Ryuk
The best tactic for dealing with Ryuk is avoidance. However, the following are useful in defending your organization against Ryuk infection.
- Check out MITRE ATT&CK for advisories on the indicators of compromise (IoC) and mitigation methods for the attack, covering the likes of TrickBot and PowerShell
- Make sure all staff have been through security awareness training to be able spot any tell-tale signs of malware infection and phishing attempts
- Perform regular system backups scans to check registry persistence (although some builds of Ryuk may not maintain persistence)
- Use off-site, secure backups and scan regularly for signs of a malware infection
- Use multi-factor authentication (MFA) wherever supported
- Keep devices and software up to date
- Use network segmentation to reduce the impact of an infection
- Use a next-gen anti-malware product
Conclusion
Ryuk, apparently, means “Gift of God.” This devilish offering is an unwanted gift you need to send back.
Ryuk and its perpetrators should not be underestimated. This is no kid in a hoodie playing with malware. The execution of Ryuk requires a sophisticated mix of delivery and communication to extort the ransom.
Various experts are suggesting that we have not seen the last of Ryuk. Something so lucrative is likely to be continued among the cybercriminal fraternity. However, as always, it will morph and evolve, and in doing so, help to hide itself from detection and make itself even more effective.
Get six free posters
Reinforce cybersecurity best practices with six eye-catching posters found in our free poster kit from our award-winning series, Work Bytes.
Sources
- Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware, Crowdstrike
- Ransomware Fall-Out of Lake City, Florida, WatchPoint
- Indicators of Compromise Associated with Ryuk Ransomware, FBI Flash
- GRIM SPIDER, Malpedia
- POST-EXPLOITATION WITH POWERSHELL EMPIRE 2.0, Ethical Hacking Blog
- TrickBot, MITRE
- PowerShell, MITRE
In this Series
- What you should know about Ryuk ransomware
- Tax scam season: How to protect your data from common scams in 2024
- Security awareness for kids: Tips for safe internet use
- Celebrate Data Privacy Week: Free privacy and security awareness resources
- Consumer data, who owns it and who protects it?
- Human error is responsible for 74% of data breaches
- What is a social engineering attack?
- Biggest cybersecurity mistakes by large organizations
- 4 common social media scams (and how to avoid them)
- From theory to practice: Designing a successful security awareness training program
- Understanding cyberattacks: Types, risks and prevention strategies
- Securing digital frontiers: The importance of information and IT security awareness training
- Optimizing your corporate security awareness training: Strategies and techniques
- What is security awareness: Definition, history and types
- Top 10 security awareness training topics for your employees in 2023 and beyond
- AI best practices: How to securely use tools like ChatGPT
- Connecting a malicious thumb drive: An undetectable cyberattack
- 5 ways to prevent APT ransomware attacks
- 4 mistakes every higher ed IT leader should avoid when building a cybersecurity awareness program
- ISO 27001 security awareness training: How to achieve compliance
- Run your security awareness program like a marketer with these campaign kits
- Deepfake phishing: Can you trust that call from the CEO?
- Fake shopping stores: A real and dangerous threat
- 10 best security awareness training vendors in 2022
- How to hack two-factor authentication: Which type is most secure?
- Malicious push notifications: Is that a real or fake Windows Defender update?
- Free Cybersecurity and Infrastructure Security Agency (CISA) ransomware resources to help reduce your risk
- How IIE moved mountains to build a culture of cybersecurity
- At Johnson County Government, success starts with engaging employees
- How to transform compliance training into a catalyst for behavior change
- Specialty Steel Works turns cyber skills into life skills
- The other sextortion: Data breach extortion and how to spot it
- Texas HB 3834: Security awareness training requirements for state employees
- SOCs spend nearly a quarter of their time on email security
- Security awareness manager: Is it the career for you?
- Risks of preinstalled smartphone malware in a BYOD environment
- The ROI of security awareness training
- 5 reasons to implement a self-doxxing program at your organization
- What is a security champion? Definition, necessity and employee empowerment [Updated 2021]
- Excel 4.0 malicious macro exploits: What you need to know
- Worst passwords of the decade: A historical analysis
- ID for Facebook, Twitter and other sites? Not so fast, says security expert
- 3 surprising ways your password could be hacked
- Fake online shopping websites: 6 ways to identify a fraudulent shopping website
- All about carding (for noobs only) [updated 2021]
- Password security: Complexity vs. length [updated 2021]
- What senior citizens need to know about security awareness
- 55 federal and state regulations that require employee security awareness and training
- Brand impersonation attacks targeting SMB organizations
- How to avoid getting locked out of your own account with multi-factor authentication
- Breached passwords: The most frequently used and compromised passwords of the year
- Reduce security events
- Reinforce cyber secure behaviors
- Strengthen cybersecurity culture at your organization
Security awareness
Tax scam season: How to protect your data from common scams in 2024
Security awareness
Security awareness
Celebrate Data Privacy Week: Free privacy and security awareness resources
Security awareness