Ransomware is malicious software that blocks access to files, or to an entire computer, until a ransom is paid. It is so widespread that, by one widely cited estimate, an individual is hit with ransomware every 10 seconds and a business every 40 seconds. Technology professionals dread being hit even once, and repeat attacks against the same victim are becoming more common.
Drawing comparisons to 2017's WannaCry cyberattack, the FBI says that as many as 100 U.S. and international businesses have been infected over the past 14 months after being methodically targeted by cybercriminals with a specific ransomware variant called Ryuk. The UK National Cyber Security Centre sums up the threat by advising that "the Ryuk ransomware is often not observed until a period of time after the initial infection, ranging from days to months, which allows the actor time to carry out reconnaissance inside an infected network, identifying and targeting critical network systems and therefore maximizing the impact of the attack."
Like other ransomware families, a Ryuk intrusion usually starts with a phishing email. The attachment or link, however, typically does not carry the ransomware itself; it delivers a dropper or banking Trojan (e.g., Emotet or TrickBot) that gives the attackers their initial access to the environment. The attackers use that access to learn the environment, decide how best to execute the attack, and even turn off the protections meant to defend against it. The goal is to make the eventual ransomware deployment as complete as possible, thereby justifying a high ransom demand.
What sets Ryuk apart is that the ransomware is propagated across the environment by the threat actor using interactive remote access to the target network and resources, rather than by worm-like automatic spread. In essence, the attackers use the Trojan to gain a foothold, rummage around and shut off your protections, and then drop and execute the ransomware on the systems where they believe it will do the most damage, at the moment they expect the greatest chance of success.
Even once detected, Ryuk can be difficult to eradicate. The victim must remove not only the ransomware from every system but also the Trojan that provided the initial access. If only the ransomware is removed, the attackers still hold their foothold and can encrypt machines again, setting the victim up for a relentless cycle of reinfection.
The Schneider Downs Cybersecurity team has experience dealing with Ryuk through our Digital Forensics and Incident Response (DFIR) services, and has determined that the threat actors behind the ransomware are specifically targeting enterprise environments in their attacks. Our forensic analyses have shown that the malicious actors often focus on specific types of organizations and perform reconnaissance on the targets for a period of time before finally executing the ransomware. From what we've experienced, the threat actors then use this reconnaissance to gauge the organization's ability to pay the ransom, which is often in the hundreds of thousands and, in some cases, millions of dollars.
So what are some good ways to protect against Ryuk and other types of ransomware? Employee training is a key first step, since your own people are often the strongest line of defense in spotting the phishing email meant to deliver the initial blow. Advanced email protection tools such as Mimecast® should also be considered to block delivery of the Trojan in the first place.
To detect an infection that has already occurred, advanced anti-malware tools such as Carbon Black should be considered. Most traditional antivirus products block malware by matching signatures of samples recognized in the past. Ryuk defeats this approach: its builds are frequently recompiled and repacked, so each new sample carries a hash or signature no vendor has seen before, and signature-based methods cannot keep up with it. That is why advanced tools look at the behavior of files and programs instead, identifying, for example, a process that starts rewriting large numbers of documents under a new extension, as encryption in progress. Next-generation antivirus and endpoint detection tools are also effective at spotting the techniques used to deliver and propagate the malware and the commands the operators run to turn off protections, such as deleting Volume Shadow Copies or stopping backup and database services before encryption begins. Used this way, these tools should detect and neutralize the threat long before the ransomware has a chance to execute.
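As an added illustration of the behavior-based approach (example code written for this edit, not code from the original post or from any vendor product), the following Python script applies two such rules to a constructed endpoint telemetry feed: one rule flags process launches whose command line matches a protection-disabling command of the kind reported in public analyses of Ryuk intrusions (shadow copy deletion, service stops, boot recovery disabled), and the other flags a single process that renames many files to a new extension inside a short time window. The telemetry lines, hostnames, process IDs, the `.locked` extension, and the thresholds are all assumptions made for the example; a benign backup job and a small installer rename are included to show what should not fire.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Command-line patterns of the kind reported in public analyses of Ryuk intrusions:
# shadow copy removal, boot recovery disabled, services stopped, AV real-time
# protection disabled. The exact strings are assumptions for this example.
SUSPICIOUS_COMMANDS = [
    (re.compile(p, re.IGNORECASE), label) for p, label in [
        (r"vssadmin(\.exe)?\s+delete\s+shadows", "shadow copies deleted"),
        (r"wmic(\.exe)?\s+shadowcopy\s+delete", "shadow copies deleted"),
        (r"bcdedit(\.exe)?\b.*\brecoveryenabled\s+no", "boot recovery disabled"),
        (r"\b(net|sc)(\.exe)?\s+stop\s+\S+", "service stopped"),
        (r"set-mppreference\b.*-disablerealtimemonitoring\s+\$?true",
         "Defender real-time protection disabled"),
    ]
]

BURST_THRESHOLD = 20                  # renames to a new extension by one process ...
BURST_WINDOW = timedelta(seconds=10)  # ... within this sliding window => encryption alert


def parse_event(line):
    """Parse one constructed telemetry line: 'ISO-timestamp|host|key=value|key=value|...'."""
    ts, host, *fields = line.strip().split("|")
    event = {"ts": datetime.fromisoformat(ts), "host": host}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def detect_protection_tampering(events):
    """Rule 1: a process launch whose command line disables recovery or protection."""
    alerts = []
    for ev in events:
        if ev.get("type") != "process":
            continue
        for pattern, label in SUSPICIOUS_COMMANDS:
            if pattern.search(ev.get("cmd", "")):
                alerts.append({"host": ev["host"], "pid": ev["pid"], "rule": label, "cmd": ev["cmd"]})
                break
    return alerts


def detect_encryption_bursts(events):
    """Rule 2: one process renaming >= BURST_THRESHOLD files to a new extension within BURST_WINDOW."""
    per_process = defaultdict(list)
    for ev in events:
        if ev.get("type") != "file" or ev.get("op") != "rename":
            continue
        src_ext = PureWindowsPath(ev["src"]).suffix.lower()
        dst_ext = PureWindowsPath(ev["dst"]).suffix.lower()
        if src_ext != dst_ext:  # plain writes and same-extension renames are ignored
            per_process[(ev["host"], ev["pid"])].append((ev["ts"], dst_ext))
    alerts = []
    for (host, pid), renames in per_process.items():
        renames.sort()
        window = deque()
        for ts, ext in renames:
            window.append((ts, ext))
            while ts - window[0][0] > BURST_WINDOW:  # drop renames older than the window
                window.popleft()
            if len(window) >= BURST_THRESHOLD:
                alerts.append({"host": host, "pid": pid, "rule": "mass rename to new extension",
                               "count": len(window), "extensions": sorted({e for _, e in window})})
                break  # one alert per process is enough
    return alerts


def run_detection(lines):
    events = [parse_event(line) for line in lines]
    return {"tampering": detect_protection_tampering(events),
            "bursts": detect_encryption_bursts(events)}


def build_sample_events():
    """Constructed telemetry: operator tampering, a benign backup job, an installer, then encryption."""
    base = datetime(2019, 9, 12, 2, 14, 0)

    def line(offset, host, *fields):
        return "|".join([(base + timedelta(seconds=offset)).isoformat(), host, *fields])

    lines = [
        line(0, "FS01", "type=process", "pid=4120", "cmd=vssadmin.exe Delete Shadows /All /Quiet"),
        line(1, "FS01", "type=process", "pid=4121", "cmd=net stop MSSQLSERVER /y"),
        line(2, "FS01", "type=process", "pid=4122", "cmd=bcdedit /set {default} recoveryenabled No"),
        line(3, "FS01", "type=process", "pid=4123", "cmd=net start Spooler"),  # benign: no match
    ]
    # Benign nightly backup (pid 3001): many writes, but no extension changes.
    lines += [line(10 + i, "FS01", "type=file", "pid=3001", "op=write",
                   f"path=\\\\BK01\\nightly\\file{i}.bak") for i in range(30)]
    # Benign installer (pid 2200): a handful of .tmp -> .dll renames, far below threshold.
    lines += [line(20 + i * 0.2, "FS01", "type=file", "pid=2200", "op=rename",
                   f"src=C:\\Temp\\lib{i}.tmp", f"dst=C:\\Temp\\lib{i}.dll") for i in range(3)]
    # Encryption (pid 5012): 25 documents renamed to .locked in under five seconds.
    lines += [line(60 + i * 0.2, "FS01", "type=file", "pid=5012", "op=rename",
                   f"src=C:\\Shares\\Finance\\report{i}.docx",
                   f"dst=C:\\Shares\\Finance\\report{i}.docx.locked") for i in range(25)]
    return lines


if __name__ == "__main__":
    result = run_detection(build_sample_events())
    for alert in result["tampering"] + result["bursts"]:
        print(alert)
```

The two rules correspond to the two stages the post describes: the tampering rule catches the operator turning off recovery options before the payload runs, which is the point at which a response can still prevent encryption, while the rename-burst rule catches the payload itself and is useful mainly for containment (isolate the host, kill the process). Thresholds and the extension list are the parts that need tuning against real telemetry; a legitimate bulk conversion job can look like rule 2, so an alert should carry enough context (host, process, sample paths) for an analyst to triage it quickly.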
Additionally, a sound and secure policy for backing up key systems and data is paramount. To name a few strong controls, we recommend encrypting backups, requiring multi-factor authentication for access to backup servers and mounted backup drives, and fully segmenting backup devices and servers from the production network. Because the operators hunt for and disable recovery options before they deploy the ransomware, at least one copy should be kept offline or otherwise immutable, and restores should be tested regularly; a backup the attackers can reach with the same credentials they used to deploy the ransomware is not a backup.
You’ve heard our thoughts… We’d like to hear yours
The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us at [email protected].
Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.