The Ryuk Ransomware Spree

Ryuk (Death Note) From Wikipedia

CI Security’s threat of the quarter in Fall 2019; Security Boulevard’s Malware of the Month in January 2020, these are just two of the most recent “accreditations” received by Ryuk ransomware. They will probably not be the last…

 

In case your teenager glances at your screen and asks, “What are YOU doing reading about Ryuk?” it might help to know that before Ryuk was a piece of software it was a character in Death Note, a cult classic anime that currently airs on Netflix.

That is where the differences between code and character dissolve. Both are the cause of devastation and corruption. The scary part is that at this point, the code Ryuk is worse.

Ryuk Ransomware Basic Facts: How it became malware of the month

  • Cyber defense experts believe Ryuk to be involved in hundreds of attacks on U.S. governments and businesses in 2019. (Government Technology, Feb 7, 2020)
  • Though Ryuk was not the only effective ransomware in 2019, it caused a large piece of an estimated $7.5 billion in damages worldwide last year (Emisoft, Dec 12, 2019)
  • Ryuk has always left a signature calling card: a copy of its ransom note, titled, “RyukReadMe.txt” in every folder, so when Ryuk is deployed there is no question what code was used. Opening the ReadMe file reveals a note like this one:

Here’s what you need to know.

Ryuk starts when an employee clicks on an executable file containing the malware. This is called phishing and is nothing new. However, Ryuk avoids detection by most anti-virus scans, making it all too easy to inundate an organization’s personnel with opportunities to unknowingly execute the virus, until one makes it through. This is why authorities like the UK National Cyber Security Centre suggest comprehensive security measures to not only prevent infection but also to mitigate infection once it occurs (aka Zero-Trust). It is also why we believe Ryuk was designed to infect larger companies, though it has been used successfully against municipalities and even libraries.

We have also seen a trend toward increasingly sophisticated targets. The latest on record was a US Defense Contractor Research Organization, Electronic Warfare Associates (EWA). EWA works regularly with DoD, DoJ and the Department of Homeland Security. Ryuk infected EWA in January 2020. It is possible that in addition to ransoming their operations, Ryuk was able to steal sensitive data.

Two years ago, the idea of ransomware and data theft together would have been ridiculous. In 2020 it is becoming increasingly commonplace to see these two types of extortion together.

Ryuk has always provided an opportunity to steal data before encrypting the victim, which suggests its creators planned for this new phase of development. There has always been a critical delay between the initial spread of bots throughout the victim’s IT infrastructure and deployment. But it was never filled with anything but waiting.

If you read the ReadMe, then you will find their position on data quite clear:

You should thank the lord for being hacked by serious professionals and not some stupid schoolboys or dangerous punks. They can damage all your important data just for fun.”

Then later they assure that data is not their target: “We don’t need your files and your information. But after 2 weeks all your files and keys will be deleted automatically.”

Their intent might easily change, if it has not already. Late last year security professionals began to report a new protocol for data theft in the virus packages, called “Ryuk Stealer.” While data extortion has not been reported so far, the sensitive nature of their most recent target, EWA, certainly raises that suspicion.

Ryuk, REvil and Maze: Combination of ransomware and data piracy/extortion beginning to trend

Thus far we have not seen any instances where Ryuk perpetrators used sensitive information as a point of leverage to extract payment, like we have with the cyberfelons behind Sodinokibi/REvil and Maze. However, we have three ransomware strains with data extortion capability, all of which have been highly “successful.” More than likely we will see other organizations deploy similar tactics soon.

How to defend your business

Smaller organizations probably do not need to worry about Ryuk; however, other malware like Maze and REvil have already practiced data extortion as a side gig to business IT ransom. Against these emerging threats endpoint protection and Anti-virus are ineffective. Consider using holistic cybersecurity solutions including:

  • Business continuity/backups
  • Strong endpoint protection
  • Zero-Trust
  • Single Sign-on + Multi-factor Authentication
  • DNS Internet & Web Application Monitoring, Filtering & Protection
  • Security Awareness-Risk Management End User Training
  • Enhanced Network, Services & Device Performance Monitoring & Management
  • Corporate & User Policy Templates & Management

Platte River Networks Intuition+ Security adopts all of these practices to defend against Ryuk and similar threats. Our security grid has a 100% win rate after almost 20 years of service.

Please email david@platteriver.com for more information on cybersecurity.