Ryuk ransomware has been targeting big organizations with critical assets to obtain a larger ransom. Read on to know more about it…
According to a Sophos global survey, organisations are never the same after being hit by ransomware. In fact, the study shows that the confidence of IT managers, and their approach to battling cyber attacks, differ markedly between those who have been hit by ransomware and those who have not.
Ryuk ransomware has been active since 2018 and is known for targeting big organizations. The ransomware is operated by a Russia-based criminal group known as Wizard Spider. Recently, Ryuk has been observed deploying BazarLoader, a trojan operated by the cybercriminal group behind Trickbot.
About Ryuk Ransomware
Operators of this ransomware focus only on large organizations with critical assets, in an attempt to obtain a larger ransom. According to a recent DFIR report, a Ryuk attack takes only 29 hours to run its course on the target network, from the initial spam email to full compromise and encryption.
In August, Ryuk joined the list of ransomware gangs operating their own data leak sites, where they publish data stolen from targeted organizations that refuse to pay. The same month, researchers traced millions of dollars' worth of bitcoin being sent to Ryuk ransomware operators through the Binance exchange platform, which indicates that the group intends to use the money in some way.
BazarLoader and Trickbot are operated by the same threat actors. The BazarLoader trojan comes with improved detection evasion and long-term persistence capabilities, which suggests a tactical change in Ryuk's strategy and lays the groundwork for Ryuk to be deployed silently.
Sophos incident responders found that the Ryuk attackers used updated versions of widely available, legitimate tools to compromise a targeted network and deploy the ransomware. The attack progressed at great speed: within three and a half hours of an employee opening a malicious phishing email attachment, the attackers were already actively conducting network reconnaissance.
Within 24 hours, the attackers had access to a domain controller and were preparing to launch Ryuk.
The Ryuk ransomware is very active and has been targeting various organizations, mostly focusing on the healthcare sector. The attacks span North America, South Asia, and Western Europe. According to reports from Check Point and IBM, Ryuk attacks approximately twenty companies per week, and the attacks are mostly observed in the U.S., India, Sri Lanka, Russia, and Turkey.
Last month, the Ryuk ransomware operators hit Universal Health Services, an American company that operates hospitals and provides healthcare services. They used phishing as the initial attack vector.
A Brief Conclusion
Ryuk is one of the most prominent ransomware families and is looking to grow even bigger. Experts therefore suggest that organizations be proactive: deploy an anti-ransomware solution and train employees to spot and avoid malware-laced phishing emails.