One of the most dangerous ransomware groups has updated the ransomware it uses, adding worm-like capabilities that allow it to self-propagate and spread to other devices on the local network.
Ryuk ransomware first appeared in the summer of 2018 and has evolved into one of the most serious ransomware strains. The attacks are thought to be conducted by an Eastern European threat group referred to as Wizard Spider, aka UNC1878.
In 2020, Ryuk ransomware was used in attacks on large groups and companies. While some ransomware gangs opted to leave frontline healthcare organizations out of their attacks, Ryuk did not. In fact, the threat group launched a major campaign specifically targeting the healthcare sector in the United States. In October 2020, the gang attacked 6 U.S. hospitals in a single day. Had security experts not discovered the gang's plan to attack around 400 hospitals, the campaign would have been much more successful.
The ransomware remediation company Coveware said that Ryuk was the third most prolific ransomware strain in 2020 and was deployed in 9% of all ransomware attacks. A review of the Bitcoin wallets linked to the gang suggests that more than $150 million in ransoms have been paid to the gang.
Ryuk ransomware is continually updated. The Ryuk gang was one of the first ransomware operators to adopt the double-extortion tactics introduced by the operators of Sodinokibi and Maze ransomware: stealing data before encrypting files and threatening to publish or sell the stolen data if the ransom is not paid.
Ryuk ransomware was also modified to allow it to attack and encrypt the drives of remote computers. The ransomware reads the ARP table on a compromised device to obtain a list of IP addresses and MAC addresses, then sends a Wake-on-LAN packet to those devices to power them on so that they can be encrypted.
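The Wake-on-LAN behaviour described above gives defenders a network-level signal: a single workstation suddenly sending magic packets to many distinct MAC addresses is unusual, because in a normal environment only a management host does that. The following is an added example, not code from the article or from any vendor; it parses the standard Wake-on-LAN magic packet format (6 bytes of 0xFF followed by the target MAC repeated 16 times, optionally a 4- or 6-byte password) and flags source hosts that wake an abnormal number of distinct targets. The sample traffic, the source IPs, and the alert threshold of five targets are all constructed for the example.

```python
from collections import defaultdict


def parse_wol_magic_packet(payload: bytes):
    """Return the target MAC as 'aa:bb:cc:dd:ee:ff' if payload is a well-formed
    Wake-on-LAN magic packet, otherwise None.

    Standard magic packet layout: 6 bytes of 0xFF, then the 6-byte target MAC
    repeated 16 times (102 bytes total), optionally followed by a 4- or 6-byte
    SecureOn password. Only this payload form is handled here; the Ethernet
    framing (UDP port 9/7 or raw EtherType 0x0842) is left to the capture layer.
    """
    if len(payload) < 102:
        return None
    if payload[:6] != b"\xff" * 6:
        return None
    mac = payload[6:12]
    for i in range(16):
        if payload[6 + 6 * i : 12 + 6 * i] != mac:
            return None
    trailer = payload[102:]
    if len(trailer) not in (0, 4, 6):
        return None
    return ":".join(f"{b:02x}" for b in mac)


def build_wol_magic_packet(mac: str) -> bytes:
    """Construct a magic packet for a MAC string; used only to fabricate sample traffic."""
    raw = bytes.fromhex(mac.replace(":", ""))
    return b"\xff" * 6 + raw * 16


def find_wol_bursts(packets, threshold: int = 5):
    """packets: iterable of (src_ip, payload) tuples from a capture.

    Returns {src_ip: sorted list of distinct target MACs} for every source that
    sent valid magic packets to at least `threshold` distinct MACs. The threshold
    is an assumption; tune it to the number of hosts a legitimate management
    server wakes in your environment.
    """
    targets = defaultdict(set)
    for src_ip, payload in packets:
        mac = parse_wol_magic_packet(payload)
        if mac is not None:
            targets[src_ip].add(mac)
    return {ip: sorted(macs) for ip, macs in targets.items() if len(macs) >= threshold}


# Constructed sample: 10.0.0.15 plays the compromised workstation waking eight
# hosts pulled from its ARP table; 10.0.0.2 is a management host waking one.
_WAKER = "10.0.0.15"
_ADMIN = "10.0.0.2"
_TARGET_MACS = [f"00:1a:2b:3c:4d:{n:02x}" for n in range(1, 9)]

SAMPLE_PACKETS = [(_WAKER, build_wol_magic_packet(m)) for m in _TARGET_MACS]
SAMPLE_PACKETS.append((_ADMIN, build_wol_magic_packet("00:1a:2b:3c:4d:99")))
# Non-WoL noise on the same ports should be ignored by the parser.
SAMPLE_PACKETS.append((_ADMIN, b"\xff" * 6 + b"\x00" * 96))
SAMPLE_PACKETS.append((_WAKER, b"not a magic packet"))


if __name__ == "__main__":
    for src, macs in find_wol_bursts(SAMPLE_PACKETS).items():
        print(f"ALERT: {src} sent Wake-on-LAN to {len(macs)} distinct hosts: {macs}")
```

In practice the `(src_ip, payload)` tuples would come from a packet capture or a sensor feed; the parser is strict about the repeated-MAC structure so that broadcast chatter with a leading run of 0xFF bytes is not counted.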
The most recent update was first observed by the French national cybersecurity agency ANSSI during an incident response it handled in January. ANSSI found that the latest variant has worm-like capabilities that allow it to propagate automatically and infect every device within the Windows domain. Any reachable device on which Windows RPC access is possible can be attacked and encrypted.
Ryuk is a human-operated ransomware strain, but the new update greatly reduces the manual work that needs to be done. This will allow the group to conduct more attacks and will shorten the time from infection to encryption, giving security teams even less time to identify and contain an attack in progress.
While various methods are used for initial access, Ryuk ransomware is usually delivered by a malware dropper such as Emotet, TrickBot, Zloader, Qakbot, Buer Loader, or Bazar Loader. These droppers are distributed via phishing and spear phishing emails. Approximately 80% of Ryuk ransomware attacks use phishing emails as the initial attack vector.
Once a device has been compromised, it is often too late to detect and stop the attack before data theft and file encryption occur, especially since the attacks normally take place overnight and at weekends when IT teams are short-staffed. The best defense is to block the initial attack vector: the phishing emails that distribute the malware droppers.
Having an advanced spam filtering solution in place is crucial for preventing Ryuk ransomware attacks. By detecting and quarantining phishing emails before they reach inboxes, the malware droppers that deliver Ryuk are never installed.
To prevent these attacks, consider augmenting your email security with SpamTitan. SpamTitan is an award-winning email security solution that blocks the phishing emails that deliver malware downloaders.