Among the many modern conveniences of twenty-first-century life are all the organizations and services that supply the things we need. Unfortunately, attackers and criminals like to seize any opportunity they can to disrupt things. Sometimes they do it for the thrills, but most often they’re doing it for monetary gain. The rise of ransomware—a type of malware that encrypts files and only releases a decryption code after an organization pays a ransom—has made it easier for an organization to be compromised. One of the most sinister and pervasive types of ransomware out there today is RYUK. In this article, we’ll break down the threat, provide some background, and suggest some mitigation methods to help you protect yourself from this dangerous evolution of ransomware.
Let’s start at the beginning by defining what RYUK actually is and how it can affect its unwitting victims. RYUK appeared circa 2018. It targets large, typically public, organizations running Windows-based operating systems. RYUK’s endgame is to extort as much Bitcoin as possible from companies that want to resume normal business operations quickly after an attack. RYUK attackers are more interested in cryptocurrency than standard cash, and their attack methods reflect this goal. RYUK is a variant of the older Hermes malware and contains similar code. It is constantly evolving and continues to present a grave threat to any affected industries. A hacking group called Wizard Spider is largely responsible for propagating RYUK and upgrading it to be more devastating and effective.
In 2019, one RYUK attack demanded one of the highest ransoms recorded: $12.5 million. RYUK was responsible for about one-third of all ransomware attacks in 2020, and it’s only increased the intensity of its onslaught in the time since. Successful attacks end up costing companies an average of around $65,000 and can create excessive downtime (almost a week or more) for the company. 98% of ransomware attacks also prefer Bitcoin over any other currency. While there are several unique attack vectors through which an attack might occur, one of the most commonly successful ones is via remote desktop protocols, with email phishing (shockingly, even in 2021) a close second.
How It Operates
RYUK is an insidious type of ransomware with a distinctive installation chain. Many successful ransomware attacks begin with phishing, and RYUK is similar, but it often finds its way onto a network via an infected Microsoft Word document. The document installs a program (not RYUK itself, but an attack vector known as Trickbot) that scours the network for credentials and other valuable data. Another sub-program then steals credentials, moves laterally through the network and sends that information back to the attackers. Finally, the attackers deploy RYUK to finish the job, encrypting the victim organization’s files and holding them for ransom. RYUK kicks off the proceedings by shutting down the 180 services and 40 processes that could stop it from wreaking havoc on a system. Then it leaves ransom notes in the form of text files demanding payment.
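The service-shutdown step described above has a defender-side mirror image: a Service Control Manager log that suddenly shows dozens of services entering the stopped state within a minute is worth an alert on its own. The following is an added example, not code from the original article or from any RYUK analysis. Event ID 7036 is the real Windows "service entered the stopped state" event; the simplified one-line log format, the timestamps and the service names are constructed sample data, and the threshold of five distinct services per minute is an assumed tuning value.

```python
"""Flag a burst of Windows service shutdowns in a simplified System log.

Added example for illustration; not code from the original article.
Event ID 7036 is the real Service Control Manager stop event. The line
format, timestamps and service names below are constructed sample data.
"""
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed sample log, one event per line: "<ISO timestamp> <event id> <message>".
SAMPLE_LOG = """\
2021-03-04T02:10:05 7036 The Print Spooler service entered the stopped state.
2021-03-04T02:45:11 7036 The Windows Update service entered the stopped state.
2021-03-04T03:12:00 7036 The Windows Defender Antivirus Service service entered the stopped state.
2021-03-04T03:12:01 7036 The Volume Shadow Copy service entered the stopped state.
2021-03-04T03:12:01 7036 The SQL Server (MSSQLSERVER) service entered the stopped state.
2021-03-04T03:12:02 7036 The Windows Backup service entered the stopped state.
2021-03-04T03:12:02 7040 The start type of the Volume Shadow Copy service was changed from auto start to disabled.
2021-03-04T03:12:03 7036 The Veeam Backup Service service entered the stopped state.
2021-03-04T03:12:03 7036 The Microsoft Exchange Information Store service entered the stopped state.
2021-03-04T03:12:04 7036 The Background Intelligent Transfer Service service entered the stopped state.
2021-03-04T03:12:04 7036 The Task Scheduler service entered the stopped state.
2021-03-04T03:12:05 7036 The Windows Search service entered the stopped state.
2021-03-04T03:12:05 7036 The Windows Event Log service entered the stopped state.
2021-03-04T03:12:06 7036 The Security Center service entered the stopped state.
2021-03-04T03:12:06 7036 The Windows Firewall service entered the stopped state.
2021-03-04T03:12:07 7036 The Server service entered the stopped state.
2021-03-04T09:00:00 7036 The Windows Update service entered the stopped state.
"""

STOP_EVENT_ID = "7036"
STOP_RE = re.compile(r"^(\S+) (\d+) The (.+?) service entered the stopped state\.$")


def parse_service_stops(log_text):
    """Return [(timestamp, service_name), ...] for every 7036 stop event, in log order."""
    stops = []
    for line in log_text.splitlines():
        m = STOP_RE.match(line)
        if not m or m.group(2) != STOP_EVENT_ID:
            continue  # other event ids (e.g. the 7040 start-type change) are ignored here
        stops.append((datetime.fromisoformat(m.group(1)), m.group(3)))
    return stops


def find_stop_bursts(stops, threshold=5, window_seconds=60):
    """Slide a time window over the stop events and report any stretch in which
    at least `threshold` distinct services stopped within `window_seconds`.

    Returns a list of dicts {"start", "end", "services"}; consecutive hits that
    fall within one window are merged into a single burst.
    """
    window = deque()
    bursts = []
    span = timedelta(seconds=window_seconds)
    for ts, service in stops:
        window.append((ts, service))
        while window and ts - window[0][0] > span:
            window.popleft()  # drop events older than the window
        in_window = {name for _, name in window}
        if len(in_window) >= threshold:
            if bursts and ts - bursts[-1]["end"] <= span:
                bursts[-1]["end"] = ts
                bursts[-1]["services"] |= in_window
            else:
                bursts.append({"start": window[0][0], "end": ts, "services": set(in_window)})
    return bursts


if __name__ == "__main__":
    for burst in find_stop_bursts(parse_service_stops(SAMPLE_LOG)):
        print(f"ALERT: {len(burst['services'])} services stopped between "
              f"{burst['start'].time()} and {burst['end'].time()}:")
        for name in sorted(burst["services"]):
            print("   -", name)
```

Run against the constructed log, the two isolated stops at 02:10 and 02:45 and the one at 09:00 are ignored, while the thirteen stops between 03:12:00 and 03:12:07 are merged into a single alert. Security tooling, shadow copies and backup agents stopping together is the pattern that matters; a real deployment would read the events from the System log rather than a string.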
Spotting An Infection
So, how will you know if you become infected by RYUK? There will definitely be some telltale signs. To begin with, users will see text documents demanding a ransom on the system. There will also be encrypted files ending in .ryk. RYUK will encrypt documents, PDFs, audio, and video files. On the other hand, it will try to avoid encrypting executable files and DLL files in certain folders.
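The two on-disk signs listed above can be checked for directly. The script below is an added example, not code from the original article: it walks a directory tree, collects files carrying the .ryk extension and text files that read like a ransom note, and separately tallies the .exe and .dll files that were left untouched. The keyword heuristic for notes, the note file name and the sample tree it builds are constructed for this illustration and are not a RYUK signature.

```python
"""Scan a directory tree for the on-disk indicators described in the article.

Added example, not code from the original article. The ransom-note keyword
test and the constructed sample tree are illustration only, not a signature.
"""
import os
import shutil
import tempfile
from pathlib import Path

ENCRYPTED_EXT = ".ryk"          # extension the article reports on encrypted files
BINARY_EXTS = (".exe", ".dll")  # file types the article says the malware tends to skip
# Assumed triage keywords: a .txt file mentioning at least two of these is
# treated as a probable ransom note. This is a constructed heuristic.
NOTE_KEYWORDS = ("ransom", "bitcoin", "decrypt")


def looks_like_ransom_note(path, max_bytes=64 * 1024):
    """Heuristic: a .txt file whose first 64 KiB mention at least two triage keywords."""
    if path.suffix.lower() != ".txt":
        return False
    try:
        text = path.read_bytes()[:max_bytes].decode("utf-8", errors="ignore").lower()
    except OSError:
        return False
    return sum(keyword in text for keyword in NOTE_KEYWORDS) >= 2


def scan_for_ryuk_indicators(root):
    """Walk `root` and classify files; returns a summary dict of posix relative paths."""
    root = Path(root)
    encrypted, notes, untouched_binaries = [], [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            suffix = path.suffix.lower()
            if suffix == ENCRYPTED_EXT:
                encrypted.append(rel)
            elif looks_like_ransom_note(path):
                notes.append(rel)
            elif suffix in BINARY_EXTS:
                untouched_binaries.append(rel)
    affected_dirs = sorted({Path(p).parent.as_posix() for p in encrypted + notes})
    return {
        "encrypted_files": sorted(encrypted),
        "ransom_notes": sorted(notes),
        "untouched_binaries": sorted(untouched_binaries),
        "affected_dirs": affected_dirs,
        # Both indicators together are the strong signal; a stray .ryk alone could be noise.
        "likely_infected": bool(encrypted) and bool(notes),
    }


def build_sample_tree(infected=True):
    """Create a constructed sample tree in a temp directory (not a real infection).
    With infected=False only the ordinary files are written."""
    root = Path(tempfile.mkdtemp(prefix="ryuk_scan_demo_"))
    sample = {
        "Finance/Q1-report.docx.ryk": b"\x8f\x10\xa3 constructed ciphertext",
        "Finance/budget.xlsx.ryk": b"\x3c\x77\x02 constructed ciphertext",
        "Finance/README_DECRYPT.txt": b"Constructed sample note: your files were encrypted. "
                                      b"Pay the ransom in Bitcoin to decrypt them.",
        "HR/handbook.pdf.ryk": b"\x51\x00\xee constructed ciphertext",
        "HR/README_DECRYPT.txt": b"Constructed sample note: pay the ransom in Bitcoin to decrypt.",
        "HR/meeting-notes.txt": b"Agenda: quarterly budget review, onboarding schedule.",
        "Apps/tool.exe": b"MZ constructed binary, left untouched",
        "Apps/helper.dll": b"MZ constructed library, left untouched",
    }
    for rel, content in sample.items():
        if not infected and (rel.endswith(ENCRYPTED_EXT) or "README_DECRYPT" in rel):
            continue
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)
    return root


def remove_sample_tree(root):
    """Delete a tree created by build_sample_tree."""
    shutil.rmtree(root)


if __name__ == "__main__":
    demo_root = build_sample_tree()
    try:
        report = scan_for_ryuk_indicators(demo_root)
        print("Likely infected:", report["likely_infected"])
        print("Encrypted files:", report["encrypted_files"])
        print("Ransom notes:", report["ransom_notes"])
        print("Untouched binaries:", report["untouched_binaries"])
        print("Affected directories:", report["affected_dirs"])
    finally:
        remove_sample_tree(demo_root)
```

The affected-directory list is the useful output during triage: it shows how far encryption reached, which is the first question when deciding which shares to isolate and which backups to restore from.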
Protecting yourself from any ransomware can largely be accomplished by taking some precautions and preventive measures. Start by keeping software updated to the most recent versions. Regular security patches and updates are developed expressly to aid in preventing malware. It’s also prudent to monitor all your accounts for any signs of fraud, check the logs, and implement training initiatives to educate employees on the dangers of phishing emails and poor cybersecurity practices. Use multi-factor authentication and robust passwords. Finally, make regular backups of valuable data and store at least one copy off-site. That way, if a ransomware attack occurs, you can at least salvage some of your data after everything’s said and done.
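The backup advice above only pays off if the copy can be trusted at restore time, since a backup share that the malware could reach gets encrypted along with everything else. The following is an added example, not code from the original article: it records a SHA-256 manifest of a backup set when the backup is taken and later reports files that went missing, changed, or appeared unexpectedly. The sample backup set and the tampering applied to it are constructed for the illustration; the manifest itself would be kept off-site or on read-only media, apart from the data it describes.

```python
"""Verify a backup copy against a SHA-256 manifest taken when it was made.

Added example, not code from the original article. The sample backup set and
the simulated tampering below are constructed for illustration.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large backup files do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def create_manifest(root):
    """Map every file under root (posix relative path) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_backup(root, manifest):
    """Compare the tree under root with a stored manifest.

    Returns which paths are missing, which have different content, and which
    are present but were never recorded (e.g. .ryk files or a dropped note)."""
    current = create_manifest(root)
    recorded, seen = set(manifest), set(current)
    missing = sorted(recorded - seen)
    unexpected = sorted(seen - recorded)
    modified = sorted(p for p in recorded & seen if manifest[p] != current[p])
    return {"missing": missing, "modified": modified, "unexpected": unexpected,
            "intact": not (missing or modified or unexpected)}


def build_sample_backup():
    """Constructed backup set in a temp directory."""
    root = Path(tempfile.mkdtemp(prefix="backup_demo_"))
    files = {
        "db/dump.sql": b"-- constructed dump\nINSERT INTO customers VALUES (1, 'Example');\n",
        "reports/annual.pdf": b"%PDF-1.4 constructed report body",
        "config/app.yaml": b"retention_days: 30\n",
    }
    for rel, content in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(content)
    return root


def simulate_ransomware_damage(root):
    """Constructed tampering mirroring the article's description: one file replaced
    by a .ryk copy, a ransom-note text file dropped, and one file corrupted in place."""
    root = Path(root)
    (root / "reports/annual.pdf.ryk").write_bytes(b"\x9a\x41 constructed ciphertext")
    (root / "reports/annual.pdf").unlink()
    (root / "reports/README_DECRYPT.txt").write_bytes(b"Constructed sample note.")
    (root / "db/dump.sql").write_bytes(b"\x00\x13 constructed ciphertext")


def remove_sample_backup(root):
    """Delete a tree created by build_sample_backup."""
    shutil.rmtree(root)


if __name__ == "__main__":
    backup = build_sample_backup()
    try:
        manifest = create_manifest(backup)
        # In practice the manifest is written to off-site or read-only storage;
        # round-tripping through JSON here stands in for that step.
        stored = json.dumps(manifest, indent=2)
        print("Before tampering:", verify_backup(backup, json.loads(stored)))
        simulate_ransomware_damage(backup)
        print("After tampering: ", verify_backup(backup, json.loads(stored)))
    finally:
        remove_sample_backup(backup)
```

Running the verification before a restore, rather than after, is the point: a report with missing originals, unexpected .ryk files and a new text file tells you that this copy is not the one to restore from and that the off-site copy should be checked the same way.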