Ryuk ransomware evolution requires strategies to outpace attackers

Yonatan Striem-Amit, CTO, Co-founder, Cybereason, looks at the state of ransomware. 

Back in 1989, ransomware made its initial debut by way of 20,000 floppy disks. Dubbed the AIDS Trojan, or the PC Cyborg, the malware was distributed by an evolutionary scientist, Dr. Joseph Popp, to thousands of AIDS researchers. Using simple symmetric cryptography, the malicious code restricted access to files and displayed a directive for a sum of $189 to be sent to a PO Box in Panama. Ransomware has since become much more sophisticated with ransom demands reaching tens of millions of dollars, covertly transferred via cryptocurrency. Among the most dangerous ransomware variants to emerge is Ryuk. 

Having evolved from the modified source code of Hermes ransomware, Ryuk emerged in 2018, reaping ransom payments to the tune of US$150mn by early 2021. Typically, the threat actors behind this variant have employed a targeted approach, identifying institutions with critical assets such as government agencies and healthcare establishments. For instance, in September 2020, they brought Universal Health Services, a chain of over 400 US and UK healthcare facilities, to its knees. 

The key behind their regrettable success, however, goes beyond their choice of victim. Rather, it is their innovation that has facilitated longevity. Indeed, they have continuously made advancements over the years with their tactics, techniques and procedures (TTPs). Since 2019, for example, TrickBot, Emotet and Ryuk have come almost hand-in-hand, posing as a triple threat. 

Emotet, an advanced banking Trojan, has frequently been used as a dropper for other trojans; in other words, it delivers additional malware to a victim’s device and systems. In most cases involving Ryuk, Emotet delivered the TrickBot trojan. TrickBot conducts reconnaissance to determine the value of the network before moving laterally through it. In short, it attempts to infect as many systems as possible so that when the Ryuk ransomware payload is deployed, the disruption is widespread and the ransom demand can be increased. Equally important, as it extends its grip across the network the trojan exfiltrates highly sensitive data and credentials along the way. This opens two avenues for extortion: not only do organizations lose access to their files through encryption, but the compromised data may be leaked online or sold to the highest bidder if the ransom is not paid. 

In time, however, security solutions and law enforcement caught on to this tactic and have been able to fine-tune their approach to spot the red flags early. Indeed, an international collaborative effort saw Emotet successfully dismantled in January 2020, prompting the threat actors to switch gears again. Within a few months, the BazarLoader Backdoor was introduced to Ryuk’s malicious operations. Unlike TrickBot, Bazar has mastered the art of evasion, utilizing anti-analysis techniques to circumvent detection by loading an encrypted backdoor directly within memory.

In all these cases, phishing emails have been the most common infection vector. While this continues to be the case, Ryuk’s administrators have recently supported similar attacks via phone calls. Otherwise known as “BazarCall,” the campaign attempts to trick victims into believing that a free trial subscription will expire soon and that they will be charged a monthly subscription fee unless they call to cancel. During the call, an operator directs the individual to a malicious web page where they are instructed to download a file that enables macros, facilitating the transfer of malware and eventually providing cybercriminals with hands-on keyboard control of the affected device.

According to Advanced Intelligence, 2021 has also seen a shift towards Remote Desktop Protocol (RDP) compromise, whereby Ryuk operators leverage brute-force or large-scale trial-and-error attempts to guess the credentials of exposed RDP hosts. This is coupled with the use of tools such as Bloodhound and AdFind, which offer an in-depth look into the organization’s Active Directory: that is, an overview of the company’s environment, including which users and devices are present and what access privileges they hold. 
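The RDP credential guessing described above leaves a recognisable trail in the Windows Security log: bursts of failed logons (Event ID 4625) with logon type 10 (RemoteInteractive) from a single source address. As an added defensive illustration, not code from the article or from Cybereason, the following Python flags such bursts; the log events, the threshold and the time window are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Windows Security log semantics: 4625 = failed logon, 4624 = successful logon,
# logon type 10 = RemoteInteractive, i.e. an RDP session.
FAILED_LOGON = 4625
SUCCESSFUL_LOGON = 4624
RDP_LOGON_TYPE = 10

# Constructed sample events: (timestamp, event_id, logon_type, account, source_ip).
SAMPLE_EVENTS = [
    ("2021-06-01T02:00:00", 4625, 10, "administrator", "203.0.113.5"),
    ("2021-06-01T02:00:03", 4625, 10, "admin", "203.0.113.5"),
    ("2021-06-01T02:00:06", 4625, 10, "backup", "203.0.113.5"),
    ("2021-06-01T02:00:09", 4625, 10, "it-support", "203.0.113.5"),
    ("2021-06-01T02:00:12", 4625, 10, "jsmith", "203.0.113.5"),
    ("2021-06-01T02:00:15", 4625, 10, "scanner", "203.0.113.5"),
    ("2021-06-01T02:00:20", 4624, 10, "jsmith", "203.0.113.5"),   # success after the burst
    ("2021-06-01T08:15:00", 4625, 10, "mwilson", "198.51.100.7"),  # single typo, benign
    ("2021-06-01T08:15:30", 4624, 10, "mwilson", "198.51.100.7"),
    ("2021-06-01T09:00:00", 4625, 3, "svc-sql", "10.0.0.12"),      # network logon, not RDP
]

def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: summary} for every source that produced at least
    `threshold` RDP logon failures inside any sliding `window` (assumed values)."""
    by_ip = defaultdict(list)
    for ts, event_id, logon_type, account, ip in events:
        if logon_type == RDP_LOGON_TYPE:            # ignore non-RDP logon types
            by_ip[ip].append((datetime.fromisoformat(ts), event_id, account))
    alerts = {}
    for ip, rows in by_ip.items():
        rows.sort()
        failures = [(t, acct) for t, eid, acct in rows if eid == FAILED_LOGON]
        start = 0
        for end in range(len(failures)):
            while failures[end][0] - failures[start][0] > window:   # slide window
                start += 1
            if end - start + 1 >= threshold:
                last_fail = failures[end][0]
                # A success after the burst suggests a guessed credential, not just noise.
                success = any(eid == SUCCESSFUL_LOGON and t > last_fail for t, eid, _ in rows)
                alerts[ip] = {
                    "failures": len(failures),
                    "accounts": sorted({a for _, a in failures}),
                    "followed_by_success": success,
                }
                break
    return alerts
```

A source that is flagged with `followed_by_success` set is the case to triage first, since it indicates the guessing may have worked.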

Worse still, the current state of Ryuk appears to have intensified as it adopted worm-like capabilities. Following an analysis by the French national cybersecurity agency, it was discovered that Ryuk has evolved to become increasingly self-reliant. Instead of depending on other malware to spread across a network, Ryuk has begun to propagate itself. 

The business of ransomware has grown exponentially in the last year, impacting thousands of businesses worldwide. Indeed, a recent survey found that 66% of organizations have reported a significant loss of revenue following a ransomware attack and 53% have indicated brand and reputation damage. In addition, an alarming 26% have been forced to shut down their business operations altogether. Considering recent developments and its history of reinvention, Ryuk ransomware shows no signs of slowing down as a prominent threat actor in the market. 


However, if we have learned anything from the deluge of cyberattacks in 2021 that have made headlines, from Colonial Pipeline to JBS Foods, it is that the public and private sectors need to invest now to ratchet up prevention and detection and improve resilience. Deploying XDR on all endpoints is a great place to start, as it will immediately notify attackers that defenders see you, and we consider your unlawful attacks to be hostile acts. 

Defenders will also work tirelessly to uncover your identities, your attack methods, and the names of any organizations that fund or otherwise support your activity. Let this be your notice that your next ransomware attack will likely be your last. 


Amber Donovan-Stevens

Amber is a Content Editor at Top Business Tech
