Ryuk Evolves into One of the Most Devastating Ransomware Threats

by Kurt Werner

Ransomware attacks are wreaking havoc around the world. From businesses and hospitals to municipalities and newspapers, a broad range of victims has seen their data taken hostage. 

Despite being only two years old, Ryuk has evolved into a major ransomware threat. Most often attributed to a Russian crime group known as Wizard Spider, the malware encrypts drives, deletes shadow copies, and disables Windows System Restore. Without external backups or rollback technology, data recovery is near impossible.

Wizard Spider primarily targets enterprises, demanding large ransom amounts. The group is scaling its operations rapidly. According to cybersecurity firm SonicWall, 67.3 million Ryuk attacks were detected in Q3 2020, up from only 5,123 attacks in the same period the year before. Organizations are well advised not to ignore this threat actor.

How Ryuk ransomware is loaded and distributed

A typical Ryuk attack begins with a malicious email. A message is sent from a spoofed address containing a weaponized Microsoft Office document. Once opened, the document triggers a cascade of events that results in the download of the banking Trojan Emotet. Emotet then downloads a loader that installs TrickBot on the system. TrickBot allows intruders to collect admin credentials and move laterally through the network. Once they have conducted reconnaissance and assessed the target's value, the intruders compromise domain controllers and deploy Ryuk.

Once data is encrypted, the malware creates a ransom note named RyukReadMe.txt. The note notifies victims that files have been encrypted and that backups and shadow copies have been removed. Users are warned not to shut down the system or to move any files. If they decide to pay, victims can contact the attackers through email addresses listed in the ransom note.
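The behaviours described above (shadow copy deletion, System Restore being disabled, and the RyukReadMe.txt note appearing on disk) are all visible in ordinary endpoint telemetry before or during encryption. The following detector is an added example written for this article, not RangeForce or Ryuk code. It runs over a handful of constructed Sysmon-style events (event ID 1 for process creation, event ID 11 for file creation). The article names only the behaviours, not the commands; the command-line patterns in `PROCESS_RULES` are an assumption about how those behaviours commonly appear in Windows process logs and should be tuned to your own environment.

```python
"""Flag Ryuk-style pre-encryption activity in process and file telemetry.

Added example for this article (not the project's or the malware's code).
Assumption: the command-line patterns below approximate how shadow copy
deletion and System Restore tampering show up in Windows process telemetry.
"""
import re

# Constructed sample events, shaped like Sysmon output:
#   id 1  = process create (image + command line)
#   id 11 = file create (target path)
SAMPLE_EVENTS = [
    {"id": 1, "host": "fs01", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"id": 1, "host": "fs01", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmd": "wmic shadowcopy delete"},
    {"id": 1, "host": "fs01", "image": r"C:\Windows\System32\bcdedit.exe",
     "cmd": "bcdedit /set {default} recoveryenabled No"},
    # Benign: an admin merely listing shadow copies must not fire.
    {"id": 1, "host": "ws07", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": "vssadmin list shadows"},
    {"id": 11, "host": "fs01", "target": r"D:\Shares\Finance\RyukReadMe.txt"},
    {"id": 11, "host": "ws07", "target": r"C:\Users\a\Documents\notes.txt"},
]

# (rule name, regex over the command line). Assumed signatures, not from the page.
PROCESS_RULES = [
    ("shadow_copy_deletion",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("shadow_copy_deletion",
     re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("system_restore_disabled",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no", re.I)),
]

# The ransom note name is taken from the article. Match it as a path component.
RANSOM_NOTE = re.compile(r"(^|[\\/])RyukReadMe\.txt$", re.I)

TAMPER_RULES = {"shadow_copy_deletion", "system_restore_disabled"}


def evaluate(events):
    """Return a list of (host, rule, evidence) for every event that matches."""
    findings = []
    for ev in events:
        if ev["id"] == 1:
            for name, rx in PROCESS_RULES:
                if rx.search(ev["cmd"]):
                    findings.append((ev["host"], name, ev["cmd"]))
        elif ev["id"] == 11 and RANSOM_NOTE.search(ev["target"]):
            findings.append((ev["host"], "ransom_note_created", ev["target"]))
    return findings


def hosts_by_severity(findings):
    """Roll findings up per host.

    Backup tampering plus a ransom note on the same host is 'critical'
    (encryption is under way and recovery paths are being destroyed);
    tampering alone is 'high'; a note alone is 'medium'.
    """
    per_host = {}
    for host, rule, _ in findings:
        per_host.setdefault(host, set()).add(rule)

    severity = {}
    for host, rules in per_host.items():
        tamper = bool(rules & TAMPER_RULES)
        note = "ransom_note_created" in rules
        if tamper and note:
            severity[host] = "critical"
        elif tamper:
            severity[host] = "high"
        else:
            severity[host] = "medium"
    return severity


if __name__ == "__main__":
    hits = evaluate(SAMPLE_EVENTS)
    for host, rule, evidence in hits:
        print(f"{host:6} {rule:24} {evidence}")
    print(hosts_by_severity(hits))
```

Note that the benign `vssadmin list shadows` on `ws07` produces no finding, while `fs01` is rated critical because recovery tampering and the ransom note coincide there. In a real deployment the same logic would run against your SIEM's process-creation and file-creation streams, and the first two rules are worth alerting on even without a ransom note, since legitimate bulk deletion of shadow copies on a file server is rare and easy to whitelist by change ticket.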

Attackers target large organizations and critical infrastructure

Wizard Spider has preyed on a range of victims, earning $61 million between February 2018 and October 2019 alone. By focusing on critical assets, these attacks can bring targeted organizations to a halt.

Tribune Publishing was one of several high-profile victims. The media conglomerate had its printing systems disrupted by Ryuk, delaying the distribution of the Los Angeles Times, San Diego Union Tribune, and several other newspapers.

The Tampa Bay Times was also attacked. Fortunately, the Florida newspaper confirmed that subscriber data, such as addresses and credit card details, were not stolen in this breach. The company refused to pay a ransom.

DCH Health System, however, was less fortunate. Ryuk attacks forced the Alabama-based healthcare provider to partially close its hospitals. Unable to find a way out, the organization paid a ransom to restore data so that it could continue delivering patient care.

Universal Health Services (UHS), a major US hospital and healthcare services provider, was hit by Ryuk attacks as well. To stop the spread of this malware, the organization had to shut down systems across its facilities in California, Florida, Texas, Arizona, and Washington, D.C. Ambulances were redirected and patients were relocated to nearby hospitals. In this instance, Ryuk also disabled antivirus programs and encrypted hard drives. Fortunately, UHS eventually managed to restore data and re-establish connectivity across all of its facilities.

In addition to hospitals, attackers target other critical infrastructure organizations. Jacksonville-based Onslow Water and Sewer Authority, for instance, had its data encrypted in a Ryuk intrusion. Fortunately, water and sewage services were not affected, but the organization lost a number of databases that had to be rebuilt from scratch.

How to protect against Ryuk attacks?

Protecting against Ryuk is an urgent task that requires a multi-front approach. The first step is investing in anti-malware protection with an anti-ransomware component that prevents malware from holding data hostage. Rollback technology is also useful in tackling these attacks. Creating secure backups is important, but it’s critical that no account or system being protected on the network has the ability to delete backups or even administer the cloud account where they are hosted.

IT administrators play an especially important role in these efforts. Some of the most devastating ransomware attacks were deployed against servers where antivirus features had been turned off in an effort to improve performance. In some instances servers also lacked important security measures like MFA, firewall protection, and randomized passwords. To protect assets, IT admins should ensure that the balance between performance and security is struck in a way that won't leave an organization open to Ryuk and similar threats.

Defending against threats from Wizard Spider and similar criminal groups is a never-ending process. RangeForce offers hands-on training modules and practice environments where your team can learn how to defend against ransomware, including training specific to Ryuk.

You can explore our solution and learn about defending against ransomware attacks by signing up for a demo here.
