Friday, Feb 7, 2020
BY: Justin Heard - Security Analytics Team
Ryuk ransomware is run by a group called Wizard Spider, known as the Russia-based operator of the TrickBot banking malware. First appearing in August 2018, Ryuk is now one of the most evasive ransomware families in circulation. It targets large enterprise organizations, demands ransoms in the millions of dollars, damages an organization’s brand reputation, steals customer information and has a significant effect on a company’s finances.
Early Stages of Ryuk
In the third quarter of 2019, Ryuk appeared in what we called the triple threat: TrickBot, Emotet and Ryuk ransomware. As noted in our Q3 threat report: “The return of Emotet in early September also brought a new term to light called the “triple threat” which security researchers referenced when Emotet partnered with TrickBot and Ryuk ransomware in order to cause the most damage to a network so valuable data may be stolen or sold for profit while the rest is encrypted in order to extort organizations into paying the ransom to retrieve their files.”
Emotet has been on the rise for a while now, and Ryuk has been using it in conjunction with TrickBot to gain initial access via phishing campaigns. The infection chain was as follows:
- Emotet was delivered in email phishing campaigns, usually as malicious Word documents whose macros reach out to a command-and-control server and download TrickBot, a banking trojan and credential stealer.
- TrickBot then harvests credentials for banking sites and anything else the victim logs into, including through a keylogger.
- Those harvested credentials are used alongside Ryuk for lateral movement: accessing shares, making changes to devices and the like.
As we know, attackers and the threat landscape are constantly evolving, and attackers keep changing their tactics. Our Security Analytics team here at Nuspire has been watching for changes in technique with these threats, and sure enough we are now seeing Ryuk appear on its own, without Emotet and TrickBot.
In one of our latest findings, we saw Ryuk use an SMB share to spread across the network. It started on one computer, used a compromised account to profile the network, and eventually opened an SMB share that every other computer could reach. It then pushed the malware out across the network with scripts invoking PsExec, a legitimate Sysinternals remote-administration tool for Windows, to copy and launch the payload on multiple systems at once. Its final step was encrypting all the systems and demanding a ransom.
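The staging-and-push pattern described above leaves a recognisable trail on every host it touches: PsExec copies its service binary to the target’s ADMIN$ share and registers it as a Windows service, which shows up as Security Event ID 5140 (a network share object was accessed) followed by System Event ID 7045 (a service was installed). The script below is an added example, written for this page and not part of Nuspire’s tooling or the original post. It runs over a handful of constructed event records and flags a single source host reaching ADMIN$ on several machines within a short window, together with PsExec-style service installs on those machines. The record field names, hostnames, addresses and thresholds are assumptions chosen for illustration.

```python
"""Flag PsExec-style SMB fan-out in Windows event records.

Added example, not Nuspire's tooling. The records below are constructed and
use a simplified dict form that mirrors two real event types:
  Security 5140 "A network share object was accessed"   (share, src_ip)
  System   7045 "A service was installed in the system" (service, image)
PsExec copies its service binary to the target's ADMIN$ share and registers
it as a service (PSEXESVC by default), so a staging-and-push spread leaves
both kinds of record on every machine it touches.
"""
from collections import defaultdict
from datetime import datetime, timedelta

ADMIN_SHARES = {"ADMIN$", "C$"}

# Constructed sample telemetry (not real logs). 10.0.0.25 is the staging host.
EVENTS = [
    {"time": "2020-01-21T03:10:05", "host": "FS01",   "id": 5140, "share": r"\\*\ADMIN$", "src_ip": "10.0.0.25"},
    {"time": "2020-01-21T03:10:07", "host": "FS01",   "id": 7045, "service": "PSEXESVC", "image": r"%SystemRoot%\PSEXESVC.exe"},
    {"time": "2020-01-21T03:10:09", "host": "WS-112", "id": 5140, "share": r"\\*\ADMIN$", "src_ip": "10.0.0.25"},
    {"time": "2020-01-21T03:10:11", "host": "WS-112", "id": 7045, "service": "PSEXESVC", "image": r"%SystemRoot%\PSEXESVC.exe"},
    {"time": "2020-01-21T03:10:14", "host": "WS-113", "id": 5140, "share": r"\\*\ADMIN$", "src_ip": "10.0.0.25"},
    {"time": "2020-01-21T03:10:18", "host": "WS-114", "id": 5140, "share": r"\\*\ADMIN$", "src_ip": "10.0.0.25"},
    # PsExec run with -r to rename its service: the name no longer says PSEXESVC.
    {"time": "2020-01-21T03:10:20", "host": "WS-114", "id": 7045, "service": "WinUpd", "image": r"%SystemRoot%\WinUpd.exe"},
    # Benign noise: SYSVOL reads, one admin touching one ADMIN$, ordinary service installs.
    {"time": "2020-01-21T08:00:00", "host": "DC01",   "id": 5140, "share": r"\\*\SYSVOL", "src_ip": "10.0.0.77"},
    {"time": "2020-01-21T08:30:00", "host": "WS-050", "id": 5140, "share": r"\\*\ADMIN$", "src_ip": "10.0.0.9"},
    {"time": "2020-01-21T08:31:00", "host": "WS-050", "id": 7045, "service": "Sense",
     "image": r'"C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe"'},
    {"time": "2020-01-21T08:32:00", "host": "WS-050", "id": 7045, "service": "FooSvc", "image": r"%SystemRoot%\System32\foo.exe"},
]


def _share_name(share):
    """Reduce a 5140 ShareName such as \\\\*\\ADMIN$ to ADMIN$."""
    return share.rsplit("\\", 1)[-1].upper()


def looks_like_psexec(service, image):
    """True for the default PSEXESVC service, or (heuristic) for any service
    whose binary sits directly under %SystemRoot%: PsExec drops its service
    executable there even when renamed with -r, while legitimate services
    almost always live in a subdirectory such as System32."""
    if service.upper() == "PSEXESVC":
        return True
    path = image.strip('"').lower()
    root = "%systemroot%\\"
    if not path.startswith(root):
        return False
    rest = path[len(root):].split(".exe", 1)[0]
    return "\\" not in rest


def suspicious_service_installs(events):
    """All 7045 records whose service looks like a PsExec drop."""
    return [
        {"time": e["time"], "host": e["host"], "service": e["service"], "image": e["image"]}
        for e in events
        if e["id"] == 7045 and looks_like_psexec(e["service"], e["image"])
    ]


def admin_share_fanout(events, window=timedelta(minutes=10), min_hosts=3):
    """Return {src_ip: [hosts]} for sources that reached an admin share on at
    least min_hosts distinct machines inside any sliding time window."""
    by_src = defaultdict(list)
    for e in events:
        if e["id"] == 5140 and _share_name(e["share"]) in ADMIN_SHARES:
            by_src[e["src_ip"]].append((datetime.fromisoformat(e["time"]), e["host"]))
    hits = {}
    for src, accesses in by_src.items():
        accesses.sort()
        lo = 0
        for hi in range(len(accesses)):
            while accesses[hi][0] - accesses[lo][0] > window:   # slide the window start
                lo += 1
            hosts = {h for _, h in accesses[lo:hi + 1]}
            if len(hosts) >= min_hosts:
                hits.setdefault(src, set()).update(hosts)
    return {src: sorted(h) for src, h in hits.items()}


def build_report(events, window=timedelta(minutes=10), min_hosts=3):
    """Correlate fan-out sources with service installs on the hosts they reached."""
    fanout = admin_share_fanout(events, window, min_hosts)
    installs = suspicious_service_installs(events)
    fanned = {h for hosts in fanout.values() for h in hosts}
    pushed = sorted({i["host"] for i in installs} & fanned)
    return {"fanout": fanout, "service_installs": installs, "pushed_hosts": pushed}


if __name__ == "__main__":
    report = build_report(EVENTS)
    for src, hosts in report["fanout"].items():
        print(f"{src} reached admin shares on {len(hosts)} hosts: {', '.join(hosts)}")
    for i in report["service_installs"]:
        print(f"{i['host']}: PsExec-style service {i['service']} ({i['image']})")
    print("Payload pushed to:", ", ".join(report["pushed_hosts"]))
```

Tune the window and host threshold to the environment, and whitelist known deployment or patch-management servers rather than raising the threshold so high that a real push is missed. These two native events are a starting point only: an operator who spreads with WMI or scheduled tasks instead of PsExec leaves no 7045 behind, so Sysmon process-creation events or EDR telemetry should back this up.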
Who it’s Targeting
When Ryuk first appeared it concentrated on the financial sector, but recently our team has detected it heavily in manufacturing. As the timeline below shows, Ryuk now appears to be targeting large organizations across all industries.
1/21/2020 – Nuspire identifies Ryuk in manufacturing
1/23/2020 – Ryuk hits multiple oil and gas facilities
1/29/2020 – Ryuk strikes again, affecting the Tampa Bay Times
1/31/2020 – Ryuk targets a US defense contractor
2/5/2020 – Australian delivery firm hit with Ryuk ransomware
It targets large corporations and large businesses because its operators demand very high ransoms. It is a more sophisticated ransomware than much of the commodity ransomware in circulation. We have started to see this strain used across different industries, where it is no longer as narrowly targeted as it was before.
How bad is it?
The threat landscape is shifting, and the range of organizations targeted by Ryuk ransomware is getting broader. Because it has been so effective in its delivery, I estimate this ransomware will continue on its path of targeting large organizations across the spectrum.
Our Security Analytics team at Nuspire and our full-service Security Operations Center continue to monitor and track Ryuk ransomware campaigns. From what we are seeing, there unfortunately is no single solution that prevents this evasive threat. To mitigate it, ensure that you are doing the following:
- Educate employees on phishing emails
- Patch CVE-2017-0144 (the SMBv1 vulnerability addressed by MS17-010 and exploited by EternalBlue), which TrickBot and other malware use to spread across a network.
- Implement a managed endpoint security platform that includes a full-service SOC and SIEM as a service to monitor activity across your endpoints 24x7x365 with remediation services.
No matter how much technology you put in place in your security operations, your organization needs to monitor its network activity 24x7x365 to catch complex threats like Ryuk ransomware.
If you want to discuss Ryuk ransomware and other malware further with our team, feel free to contact us today.