The last few years have seen a rise in stories about Ryuk, a powerful piece of ransomware that is best known for targeting healthcare institutions, but has also been attacking municipal governments, state courts, enterprises, and large universities, among others. Many of these organizations have paid hefty fees – between $100,000 and $500,000, payable in Bitcoin – to recover their files following a Ryuk attack, only to find that any number of files have been stolen, and some of the data left behind is beyond repair, putting their everyday consumers – patients, students, and citizens – and their data at risk.
What many people don’t understand about Ryuk is that it is not the beginning of the attack; it is the finale. By the time Ryuk is triggered to encrypt and ransom the files, the real damage has already been done, and Ryuk is just rubbing salt in the wound.
How Does Ryuk Work?
Part One: The Hook
The attack begins as a phishing email or a drive-by download triggered by visiting a website or clicking on a popup.
Part Two: Establishing a Persistent Threat
The threat actors use a dropper and a Trojan or bot to establish persistent access to the network. They use the tools of the typical Advanced Persistent Threat (APT) operators to move around the infiltrated network, including:
- Exploiting vulnerable machines
- Installing keyloggers
- Stealing credentials
They look for information to steal, then gather and exfiltrate it, expanding their footprint as they go. They also install Ryuk on each system to which they gain access.
Part Three: Ransoming (and Stealing) Data
Once they have accessed and exfiltrated everything they can, they trigger Ryuk to encrypt the affected machines and demand ransom from their victims.
Victims of Ryuk attacks have paid hundreds of thousands of dollars to regain access to their information. Unfortunately, it is the intrusion that comes before Ryuk is triggered that does the real damage. If organizations knew how much information had already been stolen, they would probably be less likely to pay the ransom.
What to Do After a Ryuk Attack
Unfortunately, as stated earlier, once you have been infected with Ryuk, there are only two options: pay the ransom or rebuild from backups/scratch. However, it is still strongly recommended that you contact authorities. For example, U.S. companies can contact the FBI, either through their local office, or with an IC3 complaint form. With so many different strains of Ryuk out in the wild, it is vital that as much knowledge as possible be collected in order to find a way to put a stop to such attacks. Additionally, such agencies are often the most capable of widely disseminating information, putting other organizations on high alert. From there, the focus should be on rebuilding with stronger safeguards in place with a strong emphasis on early detection.
How to Prevent Ryuk Attacks
There’s no silver bullet to prevent any ransomware attack, including Ryuk attacks, but there are safeguards organizations can put in place to mitigate the risk and reduce the likelihood of attack, infection, and eventual breach.
1. Educate Employees
Prevention and knowledge are the keys to avoiding a ransomware attack. With many ransomware attacks beginning as phishing, it’s important to arm employees at every level against these common cyberattack techniques. A cyber-aware culture, established through regular security awareness training and simulations that educate employees, is the first line of defense.
Solutions like Terranova Security provide phishing simulation and security awareness training that help employees spot real-life phishing attempts and keep cyber-attacks outside the organization’s walls.
2. Protect Email Inboxes
Make it even easier for employees to avoid phishing attacks with email security. Phishing shows no signs of diminishing—threat actors have instead diversified the types of phishing attacks used today—and email continues to be a direct highway into an organization’s internal network. Beyond phishing, threats to email security include accidental data loss, business email compromise (BEC), social engineering, and everyday spam.
3. Safeguard Data
Data is the lifeblood of today’s organizations, but even the simplest file sharing can introduce data security risks. Unsecured connections, incorrect recipients, or even file metadata can expose an organization to data breach. Additionally, data security is mandated by regulations like HIPAA, SOX, and GDPR to ensure organizations handle information with the
In theory, the principle behind data security sounds relatively simple. In practice, data security presents a major challenge for organizations, especially when considering large volumes and different types of data generated, stored, sent, and received daily, and the complexity of today’s hybrid IT environments.
Data security starts at intake and classification, continues to access rights, and extends to sharing and transfer. At all stages in this lifecycle, security should be paramount.
4. Monitor and Detect Existing Threats
Many organizations, both public and private, already have the precursors of Ryuk in their network. It is the detection of this persistent access that can save an organization that already has an active attack underway. Early detection and remediation can minimize exfiltration and prevent Ryuk from being placed and triggered, thwarting the ransomware element completely. The key to detecting this persistence is to know what to look for.
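As an added illustration of what "knowing what to look for" can mean in practice (example code written for this page, not Core Network Insight or any other Core Security product), the script below scans constructed host and network log lines for the three precursor stages described in Part Two above: persistence established from a user-writable directory, one account logging on across many machines, and bulk outbound transfer to a single destination. The log format, field names, sample values and thresholds are all assumptions.

```python
from collections import defaultdict

# Constructed sample log lines (not real telemetry): "<time> <host> <event> k=v ...".
SAMPLE_LOGS = """\
10:01 WS-07 REG_SET key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run image=C:\\Users\\jdoe\\AppData\\Roaming\\svc.exe
10:05 WS-07 LOGON user=jdoe target=WS-07
10:06 WS-12 LOGON user=jdoe target=WS-12
10:07 FS-01 LOGON user=jdoe target=FS-01
10:07 DC-01 LOGON user=jdoe target=DC-01
10:30 WS-07 NET_OUT dst=203.0.113.7 bytes=80000000
10:31 WS-07 NET_OUT dst=203.0.113.7 bytes=90000000
10:31 WS-12 NET_OUT dst=198.51.100.2 bytes=1200
"""

LATERAL_HOST_THRESHOLD = 3          # distinct hosts one account logs on to (assumed)
EXFIL_BYTES_THRESHOLD = 50_000_000  # outbound bytes to one destination (assumed)

def parse_line(line):
    """Split one log line into a dict of fixed columns plus key=value fields."""
    ts, host, event, *fields = line.split()
    rec = {"ts": ts, "host": host, "event": event}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec

def detect_precursors(log_text):
    """Return (stage, subject, detail) findings for the pre-Ryuk stages."""
    findings, logons, outbound = [], defaultdict(set), defaultdict(int)
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        # Stage 1: a Run-key autostart pointing at a binary in a user-writable path.
        if (rec["event"] == "REG_SET" and "CurrentVersion\\Run" in rec.get("key", "")
                and "\\AppData\\" in rec.get("image", "")):
            findings.append(("persistence", rec["host"], rec["image"]))
        # Stage 2: collect which machines each account logs on to.
        elif rec["event"] == "LOGON":
            logons[rec["user"]].add(rec["target"])
        # Stage 3: sum outbound bytes per (source host, destination).
        elif rec["event"] == "NET_OUT":
            outbound[(rec["host"], rec["dst"])] += int(rec["bytes"])
    for user, hosts in logons.items():
        if len(hosts) >= LATERAL_HOST_THRESHOLD:
            findings.append(("lateral-movement", user, sorted(hosts)))
    for (host, dst), total in outbound.items():
        if total > EXFIL_BYTES_THRESHOLD:
            findings.append(("exfiltration", host, f"{dst}:{total}"))
    return findings
```

Calling `detect_precursors(SAMPLE_LOGS)` on the constructed lines yields one finding per stage, while the small transfer from WS-12 stays below the threshold and is not flagged.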
Core Security, a Fortra Company, has been tracking this attack since early 2016 in the form of the often-associated Emotet banking Trojan and the TrickBot bot network, among others. The presence of any of these threats is a strong indicator that you are under an attack that will likely end up as a Ryuk ransom of your network. The good news is that Core Network Insight detects Emotet, TrickBot, and other precursors of a Ryuk attack early in the infection so that you can clean up your endpoints, eliminating the persistent access to your network that gives the threat actors the opportunity to pillage your information and place Ryuk.
Core Network Insight is the only mature, purpose-built, active threat detection solution on the market. It is agentless, as well as OS and platform agnostic. This means that it can detect Emotet, TrickBot, and other infections on any device with an IP address. If a device is plugged into your network and becomes infected, Core Network Insight will detect it fast and let you know early so you can get ahead of the attack before the damage occurs.
Fight Today’s Current Cyber Threats
Look at cybersecurity from a different point of view with the guide Think Like a Hacker and Secure Your Data. Discover seven best practices to keep your data secure.