Since 2018, businesses have been targeted by a specific type of ransomware known as Ryuk. Unlike most ransomware attackers, the operators behind Ryuk, known as Wizard Spider, aim for larger targets and demand higher ransoms. What sets Ryuk attacks apart is the extensive reconnaissance and manual effort that goes into infecting each intended victim. This level of hands-on work is unusual among ransomware groups and makes each attack more expensive for them to carry out.
Alongside Ryuk, Wizard Spider is also responsible for operating TrickBot, a malicious trojan disguised as harmless files. Ransomware, such as Ryuk, refers to malicious software that encrypts files and data, effectively holding them hostage until the victimized organization pays the ransom. The attackers, who control the ransomware remotely, unlock the files once the demanded ransom is paid.
The Ryuk “virus” commonly infiltrates a network by exploiting a TrickBot infection. TrickBot has multiple entry points into an organization, with spam emails being a prevalent method. Another avenue of propagation is through the Emotet botnet, which utilizes malicious emails, particularly Word document attachments, to compromise computers.
Once a device is infected by TrickBot, the Wizard Spider group takes advantage of it to deploy Ryuk ransomware. Ryuk then propagates within the network, targeting connected devices without triggering security alerts.
To disseminate the Ryuk infection within a network while evading detection, Wizard Spider employs diverse techniques and exploits. In some cases, the process is executed manually, enabling the group to remotely execute malicious scripts using PowerShell (a utility in the Windows operating system) or exploit the Remote Desktop Protocol (RDP), among other methods.
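One way a defender could look for the spread pattern described above (an RDP logon followed shortly by a hidden or encoded PowerShell launch on the same host, repeated from one source address across several machines). This is an added example, not code from the original article or from CrowdStrike; the event records are constructed, and the 10-minute window and two-host threshold are assumptions chosen for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample Windows Security events (not real telemetry), reduced to the
# fields the detection needs. Standard event IDs: 4624 = logon, with LogonType 10
# meaning RemoteInteractive (RDP); 4688 = process creation.
SAMPLE_EVENTS = [
    {"ts": "2020-10-27T01:12:03", "host": "WS-FIN-07", "id": 4624,
     "LogonType": "10", "User": "svc_backup", "IpAddress": "10.0.5.21"},
    {"ts": "2020-10-27T01:13:40", "host": "WS-FIN-07", "id": 4688,
     "CommandLine": "powershell.exe -nop -w hidden -EncodedCommand <base64-placeholder>"},
    {"ts": "2020-10-27T01:20:11", "host": "WS-FIN-09", "id": 4624,
     "LogonType": "10", "User": "svc_backup", "IpAddress": "10.0.5.21"},
    {"ts": "2020-10-27T01:21:05", "host": "WS-FIN-09", "id": 4688,
     "CommandLine": "powershell.exe -nop -w hidden -enc <base64-placeholder>"},
    # Benign admin session: RDP logon followed by a plain scripted PowerShell run.
    {"ts": "2020-10-27T09:02:00", "host": "WS-HR-02", "id": 4624,
     "LogonType": "10", "User": "j.doe", "IpAddress": "10.0.7.14"},
    {"ts": "2020-10-27T09:03:00", "host": "WS-HR-02", "id": 4688,
     "CommandLine": "powershell.exe -File C:\\scripts\\inventory.ps1"},
]

# Assumed thresholds for illustration: a hidden/encoded/no-profile PowerShell
# launch within 10 minutes of an RDP logon is the suspicious pairing, and one
# source address producing that pairing on 2+ hosts is treated as lateral movement.
WINDOW = timedelta(minutes=10)
FANOUT_MIN = 2
SUSPICIOUS_PS = re.compile(r"powershell(\.exe)?\b.*?(-enc\w*|-w(indowstyle)?\s+hidden|-nop\w*)", re.I)

def find_rdp_powershell_pairs(events):
    """Return (host, user, source_ip) for every RDP logon followed within WINDOW
    by a suspicious PowerShell process creation on the same host."""
    ts = lambda e: datetime.fromisoformat(e["ts"])
    logons = [e for e in events if e["id"] == 4624 and e.get("LogonType") == "10"]
    procs = [e for e in events if e["id"] == 4688 and SUSPICIOUS_PS.search(e.get("CommandLine", ""))]
    hits = []
    for lg in logons:
        for pr in procs:
            if pr["host"] == lg["host"] and timedelta(0) <= ts(pr) - ts(lg) <= WINDOW:
                hits.append((lg["host"], lg["User"], lg["IpAddress"]))
                break  # one alert per logon is enough
    return hits

def lateral_movement_sources(events):
    """Group the pairs by source IP and keep sources that reached FANOUT_MIN+ hosts."""
    by_ip = {}
    for host, _user, ip in find_rdp_powershell_pairs(events):
        by_ip.setdefault(ip, set()).add(host)
    return {ip: sorted(hosts) for ip, hosts in by_ip.items() if len(hosts) >= FANOUT_MIN}
```

Calling lateral_movement_sources(SAMPLE_EVENTS) flags only 10.0.5.21, which reached WS-FIN-07 and WS-FIN-09; the admin session on WS-HR-02 is excluded because its PowerShell command line carries none of the suspicious flags.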
Upon execution, Ryuk initiates the encryption process, targeting files and data across infected computers, network drives, and network resources.
According to cybersecurity firm CrowdStrike, Ryuk utilizes the RSA-2048 and AES-256 algorithms for file encryption. RSA operates as a public key encryption algorithm, generating a pair of keys for encrypting files and data: a public key and a private key. The private key is held by Wizard Spider, preventing victims from independently decrypting their files.
Distinguishing itself from typical ransomware, Ryuk actively pursues the encryption of system files. CrowdStrike’s observations indicate that it even attempts to encrypt critical boot files, which, once the machine reboots, can leave the host unstable or crash it entirely.
Usually, a text (.txt) file emerges on the infected system as the ransom note, generated by Ryuk during execution. This ransom note provides instructions to victims on how to contact the attackers and fulfill the ransom payment.
Wizard Spider commonly prefers to receive payment in Bitcoin and frequently demands ransoms amounting to $100,000 or higher. A specific incident involved a US city paying a hefty ransom of $460,000 subsequent to a Ryuk attack.
As of 2021, industry experts approximated that Wizard Spider accumulated over $150 million in ransom payments.
Tribune Publishing cyberattack
In 2018, Ryuk ransomware infiltrated the systems of various newspapers across the United States through infected software developed by Tribune Publishing. The attack caused significant disruptions to the printing operations of the affected newspapers, lasting for several consecutive days.
The Universal Health Services (UHS) infection
In 2020, the IT infrastructure of Universal Health Services (UHS) was hit by a severe Ryuk ransomware infection. The attack left the organization unable to access its phone system and patient health records. After a painstaking recovery process lasting approximately three weeks, UHS managed to restore its systems. The financial impact of this incident was estimated at $67 million in losses for the organization.
2020 attacks on American hospitals
Several American hospitals, including UHS hospitals, fell prey to Ryuk ransomware attacks in 2020. These incidents resulted in the encryption of vital data, leading to treatment disruptions and procedure delays for numerous patients.
Hermes, an earlier ransomware strain that emerged in 2017, is the predecessor from which Ryuk was derived. Hermes circulated widely on the underground ransomware market and has been used by many different attackers; it is not tied to any single group.
Ryuk drew heavily on Hermes and initially shared much of its code. Over time, however, Wizard Spider, the entity behind Ryuk, introduced further changes that set it apart from its predecessor.
To minimize the risk of Ryuk ransomware attacks, it is essential to train users to be wary of unexpected emails and email attachments. User error is a common cause of malware infections, including Ryuk. The initial infection usually occurs when a user opens or downloads a malicious email attachment, leading to a TrickBot or Emotet infection. Conducting user security training can significantly reduce the likelihood of such incidents.
Systems should also be scanned thoroughly for pre-existing infections. Many Ryuk attacks exploit networks that are already infected with TrickBot or Emotet malware. Implementing anti-malware scanning as a standard endpoint security practice can help identify these infections and enable network administrators to isolate affected devices.
Adopting a Zero Trust security model is highly recommended. This model operates on the assumption that no computing devices are inherently trusted, and they require continuous verification. By employing this approach, access for infected devices can be restricted, preventing potential network compromises.
Regularly backing up files and data is another vital measure. In the event of a Ryuk ransomware attack, organizations can restore their data from backups rather than resorting to paying the ransom or rebuilding their entire IT infrastructure.
It is important to note that while these measures can significantly reduce the chances of a Ryuk ransomware attack, it is impossible to guarantee complete prevention of any threat. However, implementing these steps can greatly enhance security and minimize the risk of infection.
For assistance in implementing a Zero Trust security model, consider leveraging Toffs One. Toffs One is a secure access service edge (SASE) platform that offers extensive network connectivity and incorporates Zero Trust security as a fundamental component.