In mid-November 2020, K12, an online education giant, paid a ransom to the Ryuk ransomware gang. The gang's attack on the online platform prompted K12 to lock down its IT systems, and the company paid to stop the attack from spreading. How much K12 paid is still unknown.
K12 says it detected unauthorized activity on its network in mid-November and, shortly afterwards, confirmed that the suspicious activity was a criminal ransomware attack.
According to BleepingComputer, K12 activated its incident response and took countermeasures to contain the spread of the attack: it locked down affected systems, notified federal law enforcement, and engaged third-party forensic investigators to look into the incident.
The degree of impact
The threat actors gained access to some back-office systems that contained student data and other information. A leak of student data would be ruinous for any company.
Fortunately, the attackers were unable to affect K12's online Learning Management System (LMS). Other significant systems, including accounting, payroll, and enrollment, also remained unaffected.
Ryuk ransomware
Ryuk is a ransomware family used mainly in targeted attacks. The operators make sure critical files are encrypted so that they can demand a large ransom: Ryuk encrypts network drives and shared resources, and it deletes shadow copies on the endpoint, removing the local restore points a victim might otherwise recover from.
The Ryuk gang is notorious for stealing unencrypted data before encrypting devices. The group then uses that data for double extortion, threatening to leak it unless the ransom is paid.
According to a Check Point report, Ryuk attacked 20 companies per week on average in the third quarter of 2020.
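As an added defensive example that is not part of the original article, the following Python detection logic flags the shadow-copy deletion behaviour described above in process-creation telemetry. The events and host names are constructed, and the command patterns (vssadmin, wmic, PowerShell WMI) are the commonly documented ones for this behaviour, not details taken from the K12 incident.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style fields).
# These are made up for the example, not telemetry from the K12 incident.
SAMPLE_EVENTS = [
    {"host": "ws01", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws01", "cmdline": "wmic shadowcopy delete"},
    {"host": "fs02", "cmdline": "powershell -nop -c \"Get-WmiObject Win32_ShadowCopy"
                                " | ForEach-Object { $_.Delete() }\""},
    {"host": "ws03", "cmdline": "vssadmin.exe list shadows"},     # benign admin query
    {"host": "ws04", "cmdline": "wmic os get caption"},           # benign inventory
]

# Rule name -> pattern over the command line. Each pattern requires the
# destructive verb, so read-only uses of the same tools do not match.
SHADOW_COPY_DELETE_RULES = [
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("powershell_win32_shadowcopy_delete",
     re.compile(r"Win32_ShadowCopy.*\.Delete\(\)", re.I)),
]


def classify(event):
    """Return the name of the first matching rule, or None for a benign command."""
    for name, pattern in SHADOW_COPY_DELETE_RULES:
        if pattern.search(event["cmdline"]):
            return name
    return None


def detect(events):
    """Return (host, rule) pairs for every event that matches a deletion rule."""
    hits = []
    for event in events:
        rule = classify(event)
        if rule is not None:
            hits.append((event["host"], rule))
    return hits


if __name__ == "__main__":
    for host, rule in detect(SAMPLE_EVENTS):
        print(f"ALERT host={host} rule={rule}")
```

In production the same rules would run over Sysmon or Security 4688 events, and a hit on a file server is a strong early signal that ransomware staging is under way.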
Was it the right decision to pay the ransom?
The threat actors assured K12 that, in return for the ransom, they would not leak the stolen data. K12 paid the ransom using its cyber insurance.
Some security experts, however, argue that paying a ransom makes no sense, because there is no guarantee that the stolen data will not be misused in the future.
Ransomware negotiators are skeptical that ransomware gangs will keep their promises. There are cases in which groups leaked stolen data even after the ransom was paid, having supplied fake evidence of deletion.
Indicators of Compromise (IoCs)
We published a case study of a recent engagement in which Ryuk ransomware, paired with Zbot/Zloader embedded in an Excel macro, made for a deadly combination. Download the case study to see the findings of our digital forensics analysis and additional IoCs.
Conclusion
Such news is concerning at a time when online education platforms are replacing brick-and-mortar educational institutions because of the pandemic. COVID-19 has affected education enormously, along with other spheres of life.
Students are moving in large numbers from traditional public schools to online education; for example, over one million students have chosen the K12 platform to learn from home. Containing threats to online platforms is therefore a must.