What is Ryuk Ransomware?
Ryuk has not grabbed the mainstream headlines in the same way as WannaCry or Petya, but arguably it is much more significant.
First reported in August 2018, Ryuk is not as prolific as some of the more “famous” ransomware. We have not seen one massive global hit, but it has slowly been impacting businesses across the globe. The spread is slow by design, because Ryuk has been created to be more discerning in the organisations it targets.
Initial speculation that North Korean state actors were responsible for this new malware proved to be wrong, with the blame now being laid on a Russian group called Grim Spider. The confusion arose because both groups acquired the same Hermes ransomware kit as a starting point.
While the North Korea speculation added “spice” to the story, it is not the significant thing about Ryuk. Much more significant is the fact that, with Ryuk, Grim Spider have upped the ante on just how complex malware attacks are becoming.
There are three significant aspects of Ryuk.
Ryuk uses a different, more prolific malware (Trickbot) to pre-seed its attack. Using massive-scale email spam campaigns, the actors infect many thousands of machines with Trickbot. The Trickbot infection allows the attackers to gain a foothold inside their targets, eventually downloading Ryuk into targeted accounts. Trickbot is also used to profile and select attack victims based on company size and finances.
Ryuk seems to be a collaborative effort. It is built from components from different groups, suggesting that the days of the lone ransomware operator are numbered. As groups collaborate, we can expect attack sophistication to increase.
Ryuk doesn’t have a standard ransom. The attackers assess the financial strength of each victim and the perceived cost of downtime and data, and set large ransoms accordingly. Business seems to be booming: at the time of writing there have been 52 Bitcoin transactions related to this malware, across 37 Bitcoin accounts, with a total value of USD 3.7 million. Ransoms appear to range anywhere between 2 BTC and 99 BTC.
The bad news here is that ransomware is continuing to become a preferred tool of highly capable organised crime. The “good” news is that the initial infection with Trickbot still uses fairly standard means to breach. This malware can only get through where users are not trained to identify spam, endpoints do not have security software and are not patched, and user credentials are weak. In short, having modern endpoint threat protection and a standard security policy will ensure you are not a victim of Ryuk.