Ryuk has been one of the most active, damaging, and feared ransomware families in circulation since August 2018. Now a new self-replicating Ryuk strain has the security industry on edge.
Ryuk is mostly aimed at medium-to-large and enterprise organizations, from which its operators extort ransoms running into millions of dollars. Operated by the Russian ransomware gang GRIM SPIDER (apparently a cell of the larger Wizard Spider group), it shot up in notoriety again in 2020, when it targeted healthcare facilities during the COVID-19 pandemic. Ryuk was so prolific that some estimates put it behind 33% of all ransomware attacks in 2020.
The continued prevalence of ransomware, and the evidence that it keeps acquiring new and frightening capabilities, underscores the need for organizations to respond in kind by investing in preventative measures.
How Does the Ryuk Ransomware Work?
A typical Ryuk attack follows a similar pattern:
- Gain initial access to a machine through phishing or an exposed, poorly secured RDP (Remote Desktop Protocol) port.
- Obtain credentials with elevated privileges, typically with the help of a loader such as Trickbot.
- Browse the network at will for sensitive information and high-value systems.
- Use PsExec to push a batch script to every targeted machine; the script copies the Ryuk binary into the root directory of the drive.
- Create a new service that launches Ryuk, which encrypts files and drops the ransom note.
As this shows, Ryuk used to rely on hands-on-keyboard activity and on other malware acting as a primer; it did not spread on its own.
Worms, on the other hand, are malicious programs able to self-replicate without human interaction. A worm often carries out the same kinds of attacks as other malware, such as exploiting security vulnerabilities, corrupting or stealing data, and installing a backdoor for remote access.
Worms can also overwhelm servers or infrastructure simply by replicating and executing at an unmanageable scale.
After analyzing a sample of the new version of Ryuk, France's National Agency for the Security of Information Systems (ANSSI) found that it was now able to spread from machine to machine by itself. The sample used scheduled tasks to copy itself from machine to machine across a Windows domain.
The fear is that this gives Ryuk, already one of the most prolific ransomware families around, a degree of autonomy and scale of deployment it did not have before.
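As an added example (written for this article, not code from the original page or from ANSSI), the following Python script shows how a defender could spot both deployment patterns described here in exported Windows event records: the PsExec-driven service installation of the manual chain (System log Event ID 7045) and the scheduled-task copy of the self-propagating sample (Security log Event ID 4698). The record layout, the field names and the sample events are constructed for the example; it assumes events have already been pulled out of a SIEM or EVTX export into Python dicts.

```python
"""Flag Windows event records matching Ryuk's deployment primitives.

Example code written for this article, not a tool from the original page or
from ANSSI. It looks for two things in event records that have already been
exported from a SIEM or EVTX pipeline into dicts:

  * System log Event ID 7045 ("A service was installed in the system"):
    a PsExec service (PSEXESVC) or a service whose binary sits in the root
    of a drive, as in the manual PsExec + batch-script deployment.
  * Security log Event ID 4698 ("A scheduled task was created"): a task
    whose action copies a file from an administrative share (C$, ADMIN$)
    or runs an executable from a drive root, the pattern of the
    self-propagating sample.

The field names (host, service_name, image_path, command, arguments, ...)
and all sample events below are constructed for this example.
"""
import re
from dataclasses import dataclass

PSEXEC_SVC = re.compile(r"psexesvc", re.IGNORECASE)
ROOT_EXE = re.compile(r"^[A-Za-z]:\\[^\\]+\.exe$", re.IGNORECASE)
ADMIN_SHARE = re.compile(r"\\\\[^\\\s]+\\(?:[A-Za-z]\$|ADMIN\$)\\", re.IGNORECASE)
COPY_VERB = re.compile(r"\b(?:copy|xcopy|robocopy)\b", re.IGNORECASE)
# Any drive-letter path ending in .exe; unquoted paths containing spaces
# are deliberately not handled here.
EXE_PATH = re.compile(r"""[A-Za-z]:\\[^\s&|"']+?\.exe""", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    host: str
    event_id: int
    reason: str


def expand(path: str) -> str:
    """Resolve %SystemRoot%/%windir% so root-of-drive checks see a drive letter."""
    return re.sub(r"%(?:systemroot|windir)%", r"C:\\Windows", path.strip('"'),
                  flags=re.IGNORECASE)


def check_service(ev: dict):
    """Rules for Event ID 7045 (service installed)."""
    image = expand(ev.get("image_path", ""))
    if PSEXEC_SVC.search(ev.get("service_name", "")) or PSEXEC_SVC.search(image):
        yield Finding(ev["host"], 7045, "PsExec service installed (remote execution primitive)")
    if ROOT_EXE.match(image):
        yield Finding(ev["host"], 7045, f"service binary in drive root: {image}")


def check_task(ev: dict):
    """Rules for Event ID 4698 (scheduled task created)."""
    action = expand(f"{ev.get('command', '')} {ev.get('arguments', '')}")
    if ADMIN_SHARE.search(action) and COPY_VERB.search(action):
        yield Finding(ev["host"], 4698, "scheduled task copies a file from an administrative share")
    for exe in sorted(set(EXE_PATH.findall(action))):
        if ROOT_EXE.match(exe):
            yield Finding(ev["host"], 4698, f"scheduled task runs a binary from drive root: {exe}")


def analyze(events) -> list:
    """Run the rules over a sequence of event dicts and return all findings."""
    findings = []
    for ev in events:
        if ev.get("id") == 7045:
            findings.extend(check_service(ev))
        elif ev.get("id") == 4698:
            findings.extend(check_task(ev))
    return findings


# Constructed sample: two infected workstations plus benign noise on a server.
SAMPLE_EVENTS = [
    {"id": 7045, "host": "WS-014", "service_name": "PSEXESVC",
     "image_path": "%SystemRoot%\\PSEXESVC.exe"},
    {"id": 7045, "host": "WS-014", "service_name": "Ryuk",
     "image_path": "C:\\Ryuk.exe"},
    {"id": 4698, "host": "WS-022", "task_name": "\\Deploy", "command": "cmd.exe",
     "arguments": "/c copy \\\\WS-014\\C$\\Ryuk.exe C:\\Ryuk.exe && C:\\Ryuk.exe"},
    {"id": 7045, "host": "SRV-01", "service_name": "Acme Backup Agent",
     "image_path": "\"C:\\Program Files\\Acme Backup\\agent.exe\""},
    {"id": 4698, "host": "SRV-01", "task_name": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "command": "%windir%\\system32\\defrag.exe", "arguments": "-c -h -g -$"},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f.host}  {f.event_id}  {f.reason}")
```

Event ID 4698 is only written when the "Other Object Access Events" audit subcategory is enabled, whereas 7045 always lands in the System log. Legitimate administrators also use PsExec and scheduled tasks, so treat these findings as pivots for investigation, and correlate the source host of the copied file with the PsExec findings, rather than alerting on any one record in isolation.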
How Big is the Self-replicating Ryuk Threat?
The threat posed by this evolution of Ryuk cannot yet be properly assessed. Researchers discovered the new strain early in 2021, while other samples inspected shortly before did not display any self-replicating ability.
Because Ryuk is also suspected of being sold as a RaaS (ransomware-as-a-service) toolkit, the change may have been made by its original creators or by unknown third parties.
That said, Ryuk was damaging enough without any enhancement of its capabilities. With the ability to replicate itself and spread laterally through a network, it can infect an organization, or a network of peers, far more thoroughly in far less time.
That means more sensitive data can be encrypted before the intrusion is discovered and contained, which in turn supports larger ransom demands. The healthcare sector, this ransomware's preferred target, should be on particularly high alert.
How to Protect Yourself from the Ryuk Ransomware
There are a number of proactive steps you can take to shield your organization from a Ryuk attack or to limit the damage:
- Use endpoint security software: every organization should have endpoint protection in place that covers, and lets it manage, its growing array of endpoints.
- Use redundant data backup models: schemes such as the 3-2-1 rule (three copies of the data, on two different media, with one copy off-site) keep multiple backup copies on separate systems so that a single compromise cannot destroy every copy of your data. Against a strain that spreads itself through the domain, the copy that matters most is the one the domain cannot reach: offline or otherwise write-protected.
- Keep your systems updated: Ryuk's operators exploit known vulnerabilities and quickly adapt to new opportunities. Keeping systems patched, Windows in particular, closes off holes before they can be used against you.
- Disable or limit macro usage: Ryuk campaigns often rely on automation such as Office macros in phishing documents, which is particularly dangerous in combination with a self-replicating strain.
- Educate and train staff: phishing and other forms of social engineering are still staple initial-access vectors for Ryuk and much other ransomware. Teaching employees to spot, avoid, and report suspicious documents, emails, and websites may help you avoid falling victim.
This self-replicating Ryuk strain shows the lengths attackers will go to in order to stay ahead of defenders, and how quickly they adapt. If you are not proactively adopting countermeasures, you are already falling behind and leaving yourself open to exploitation.