Protecting Your Business Against the Evolved Version of Ryuk Ransomware

Firstly, what is the ryuk ransomware?

Ryuk is a type of ransomware that is utilised for targeted attacks against organisations and enterprises. The method in which these ransomware attacks are conducted involve seizing and encrypting essential files and then demanding large ransom payments. The amount that is commonly demanded can range up to few hundred thousand dollars or more.  

The ransomware was first detected back in August 2018 and since then has been deployed in numerous cyberattacks including the highly publicised attack levied on Tampa Bay Times and other newspapers in January 2020.   

Ryuk is one of the first ransomwares designed with identification and encryption capabilities as well as the ability to delete shadow copies on the endpoint, meaning that Windows System Restore can be disabled resulting in the recovery of the attack being impossible without external backups or rollback technology.  

Usual delivery method  

Typically, a Ryuk attack is delivered upon the targeted network using a Microsoft Office document sent as an attachment in the phishing email. Upon the opening of the attachment, a malicious macro performs a PowerShell Command which seeks to download the banking trojan Emotet. The trojan is able to download additional malware upon the infected device. From the completion of this step, the trojan then retrieves and executes Trickbot, which commonly implements the use of spyware.  

This is done to collect admin details, enabling threat actors to move laterally to critical assets contained in the network until all assets are seized.  

As an enterprise owner, be aware that Ryuk is not always deployed upon the initial system intrusion. If your network has been compromised, threat actors may decide to quietly observe your network’s activities before deciding if it is worth further infiltrating the network. Once the threat actors have decided that they have gathered enough leverage to demand a ransom, they will deploy Ryuk.  

How it has evolved 

It has been found that Ryuk can now spread itself within a Windows domain from system to system, until every accessible device fitted with Windows Remote Procedure Call (RPC) is compromised. Windows Remote Procedure Call is a service that enables Windows Processes to communicate with each other.    

Prior to this newfound ability, Ryuk was deployed and spread throughout a targeted network manually by a human threat actor or by other malware. This evolution may be connected to the fact that the Emotet botnet which was commonly used as a dropping tool fell into the control of law enforcement (27th January 2021) after a series of coordinated attacks. As a result of the collapse of Emotet, newer methods to deploy and spread Ryuk have emerged. 

The emergence of the new worm-like capabilities associated with the evolution of Ryuk (early 2021) can only be leveraged after access to the targeted system is gained, not as a means to gain access to a system. 

In addition to this, discovered in 2019, Ryuk had been updated with the capability to scan Address Resolution Rrotocol (ARP) tables on compromised systems to acquire a list of established networks and their IP and MAC addresses. Upon the networks within the private IP address range, the malware can use the Windows-on-LAN command, sending the malware to the devices MAC address, instructing it to ‘wake up’, enabling remote encryption of the drive. Wake-on-LAN grants network professionals the ability to remotely power a device or turn it on from sleep mode.  

Prevention methods  

Suggested prevention methods against the evolved Ryuk ransomware include: 

• Ensuring that your organisation’s network is equipped with a reliable patching program that can test and install urgent operating system and software patches as soon as they are available.  
• Making sure that your SOC-as-a-service provider (Security Operations Centre) is equipped with the knowledge required to detect this malware including wide range extensive network telemetry and regular monitoring and updating of TTPs and IOCs. 
• Providing employees with cybersecurity awareness training. Employees do not have to undergo a professional course however it is important for them to have frequent access to a course or a training program so they are able to recognise phishing attempts or other forms of intrusion attempts, as well as the consequences should the company become successfully targeted. 

Your business should have an established incident response procedure in place in the case of a successful system intrusion.  It is also important for your organisation’s system to enforce regular backups of sensitive data, including off-site and off-line copies.  

By ensuring that data is backed up, threat actors may reconsider demanding a ransom due to increased time and resource drainage on their end.  

Regardless of the industry, your organisation needs to take Ryuk ransomware seriously now and the best defence against this ransomware, likewise with other forms of cybersecurity breaches is prevention. Understanding how Ryuk operates, detection methods and defence methods is key to preventing your system from becoming targeted. 

How Securiwiser can help 

We aim to provide our clients advice concerning implementation of various specific cyber security methods, some of which will be more suitable than others depending on the business type to help ensure the cyber health of our client’s system.  

We advise our clients (whether they are individual users or business owners) regarding various cyber threats that their businesses and operating systems may face. This includes increasing trends of certain threats and prevention methods that are cost effective and time saving.   

Furthermore, business owners, employees and general users may forget to conduct regular scans to monitor the health of their operating system, which criminals can take advantage of to gain unauthorised access by exploiting unrecognised, underlying vulnerabilities.  

Securiwiser can conduct regular scans for your system and provide a detailed cybersecurity risk assessment and a cybersecurity vulnerability assessment. We can further explain detected vulnerabilities and risks in detail to our clients and provide the best course of action that will save your business time and money.