Ryuk ransomware evolution requires strategies to outpace attackers

Yonatan Striem-Amit, CTO, Co-founder, Cybereason, looks at the state of ransomware. 
Yonatan Striem-Amit, CTO, Co-founder, Cybereason, looks at the state of ransomware. 

Back in 1989, ransomware made its initial debut by way of 20,000 floppy disks. Dubbed the AIDS Trojan, or the PC Cyborg, the malware was distributed by an evolutionary scientist, Dr. Joseph Popp, to thousands of AIDS researchers. Using simple symmetric cryptography, the malicious code restricted access to files and displayed a directive for a sum of $189 to be sent to a PO Box in Panama. Ransomware has since become much more sophisticated with ransom demands reaching tens of millions of dollars, covertly transferred via cryptocurrency. Among the most dangerous ransomware variants to emerge is Ryuk. 

Having evolved from the modified source code of Hermes ransomware, Ryuk emerged in 2018, reaping ransom payments to the tune of US$150mn by early 2021. Typically, the threat actors behind this variant have employed a targeted approach, identifying institutions with critical assets such as government agencies and healthcare establishments. For instance, in September 2020, they brought Universal Health Services, a chain of over 400 US and UK healthcare facilities, to its knees. 

The key behind their regrettable success, however, goes beyond their choice of victim. Rather, it is their innovation that has facilitated longevity. Indeed, they have continuously made advancements over the years with their tactics, techniques and procedures (TTPs). Since 2019, for example, TrickBot, Emotet and Ryuk have come almost hand-in-hand, posing as a triple threat. 

An advanced banking Trojan, Emotet, had frequently been leveraged as a dropper of other trojans. In other words, it enables other malware to be delivered to a victim’s device and/or systems. In most cases involving Ryuk, Emotet would deliver the TrickBot trojan. TrickBot conducts reconnaissance to determine the value of the network before moving laterally through the network. In short, it attempts to infect as many systems as possible so that when the Ryuk ransomware payload is deployed, the disruption is widespread and the ransom demand can be increased. Equally important to note, is that as it extends its grip across the network, the trojan exfiltrates highly sensitive data and credentials along the way. Therefore, opening two avenues for extortion: not only do organizations lose access to their files through encryption, but the compromised data may be leaked online or sold off to the highest bidder if the ransom is not paid. 

In time, however, security solutions and law enforcement caught on to this tactic and have been able to fine-tune their approach to spot the red flags early. Indeed, an international collaborative effort saw Emotet successfully dismantled in January 2020, prompting the threat actors to switch gears again. Within a few months, the BazarLoader Backdoor was introduced to Ryuk’s malicious operations. Unlike TrickBot, Bazar has mastered the art of evasion–utilizing anti-analysis techniques to circumvent detection by loading an encrypted backdoor directly within memory.

In all these cases, phishing emails have been the most common infection vector. While this continues to be the case, Ryuk’s administrators have recently supported similar attacks via phone calls. Otherwise known as “BazarCall,” the campaign attempts to trick victims into believing that a free trial subscription will expire soon and that they will be charged a monthly subscription fee unless they call to cancel. During the call, an operator directs the individual to a malicious web page where they are instructed to download a file that enables macros, facilitating the transfer of malware and eventually providing cybercriminals with hands-on keyboard control of the affected device.

According to Advanced Intelligence, 2021 has also seen a shift towards Remote Desktop Protocol (RDP) compromise, whereby Ryuk operators leverage brute-force or large-scale trial-and-error attempts to guess the credentials of exposed RDP hosts. This is coupled with the use of tools such as Bloodhound and AdFind, which offer an in-depth look into the organization’s Active Directory. That is an overview of the company’s environment, including what users and devices are engaged and their access privileges. 

Worse still, the current state of Ryuk appears to have intensified as it adopted worm-like capabilities. Following an analysis by the French national cybersecurity agency, it was discovered that Ryuk has evolved to become increasingly more self-reliant. Instead of depending on other malware to spread across a network, Ryuk has begun to propagate itself. 

The business of ransomware has grown exponentially in the last year, impacting thousands of businesses worldwide. Indeed, a recent survey found that 66% of organizations have reported a significant loss of revenue following a ransomware attack and 53% have indicated brand and reputation damage. In addition, an alarming 26% have been forced to shut down their business operations altogether. Considering recent developments and its history of reinvention, Ryuk ransomware shows no signs of slowing down as a prominent threat actor in the market. 

READ MORE:

However, if we have learned anything from the deluge of cyberattacks in 2021 that have made headlines–from Colonial Pipeline and JBS Foods–the public and private sectors need to invest now to ratchet up prevention and detection and improve resilience. Deploying XDR on all endpoints is a great place to start as it will immediately notify attackers that defenders see you, and we consider your unlawful attacks to be hostile acts. 

Defenders will also work tirelessly to uncover your identities, your attack methods, and the names of any organizations that fund or otherwise support your activity. Let this be your notice that your next ransomware attack will likely be your last. 

For more news from Top Business Tech, don’t forget to subscribe to our daily bulletin!

Follow us on LinkedIn and Twitter

Amber Donovan-Stevens

Amber is a Content Editor at Top Business Tech

Why microgrids are big news

Craig Tropea • 31st October 2024

As the world continues its march towards a greener future, businesses, communities, and individuals alike are all increasingly turning towards renewable energy sources to power their operations. What is most interesting, though, is how many of them are taking the pro-active position of researching, selecting, and implementing their preferred solutions without the assistance of traditional...

Is automation the silver bullet for customer retention?

Carter Busse • 22nd October 2024

CX innovation has accelerated rapidly since 2020, as business and consumer expectations evolved dramatically during the Covid-19 pandemic. Now, finding the best way to engage and respond to customers has become a top business priority and a key business challenge. Not only do customers expect the highest standard, but companies are prioritising superb CX to...

Automated Testing Tools and Their Impact on Software Quality

Natalia Yanchii • 09th October 2024

Test automation refers to using specialized software tools and frameworks to automate the execution of test cases, thereby reducing the time and effort required for manual testing. This approach ensures that automation tests run quickly and consistently, allowing development teams to identify and resolve defects more effectively. Test automation provides greater accuracy by eliminating human...

Custom Software Development

Natalia Yanchii • 04th October 2024

There is a wide performance gap between industry-leading companies and other market players. What helps these top businesses outperform their competitors? McKinsey & Company researchers are confident that these are digital technologies and custom software solutions. Nearly 70% of the top performers develop their proprietary products to differentiate themselves from competitors and drive growth. As...

The Impact of Test Automation on Software Quality

Natalia Yanchii • 04th October 2024

Software systems have become highly complex now, with multiple interconnected components, diverse user interfaces, and business logic. To ensure quality, QA engineers thoroughly test these systems through either automated or manual testing. At Testlum, we met many software development teams who were pressured to deliver new features and updates at a faster pace. The manual...

Custom Software Development

Natalia Yanchii • 03rd October 2024

There is a wide performance gap between industry-leading companies and other market players. What helps these top businesses outperform their competitors? McKinsey & Company researchers are confident that these are digital technologies and custom software solutions. Nearly 70% of the top performers develop their proprietary products to differentiate themselves from competitors and drive growth. As...

The Impact of Test Automation on Software Quality

Natalia Yanchii • 03rd October 2024

Software systems have become highly complex now, with multiple interconnected components, diverse user interfaces, and business logic. To ensure quality, QA engineers thoroughly test these systems through either automated or manual testing.