One of the most prolific ransomware gangs has updated its ransomware giving it worm-like capabilities, allowing it to self-propagate and spread to other devices on the local network.
Ryuk ransomware first emerged in the summer of 2018 and has grown to become one of the biggest ransomware threats. The ransomware operation is believed to be run by an Eastern European threat group known as Wizard Spider, aka UNC1878.
In 2020, Ryuk ransomware was extensively used in attacks on large organizations. While some ransomware gangs took the decision not to attack healthcare organizations that were on the front line in the fight against COVID-19, that was not the case with Ryuk. In fact, the threat group embarked upon a major campaign specifically targeting the healthcare industry in the United States. In October 2020, the gang attacked 6 U.S. hospitals in a single day. If security researchers had not uncovered a plan by the gang to attack around 400 hospitals, the campaign would have claimed many more victims.
According to the ransomware remediation firm Coveware, Ryuk ransomware was the third most prolific ransomware variant in 2020 and was used in 9% of all ransomware attacks. An analysis of the Bitcoin wallets associated with the gang suggest more than $150 million in ransoms have been paid to the gang.
Ryuk ransomware is under active development and new capabilities are frequently added. The Ryuk gang was one of the first ransomware operators to adopt the double-extortion tactics first used by the operators of Sodinokibi and Maze ransomware, which involve stealing data prior to the use of encryption and threatening to publish or sell the stolen data if the ransom is not paid.
Ryuk ransomware also had a feature added that allowed it to mount and encrypt the drives of remote computers. The ransomware accesses the ARP table on a compromised device to obtain a list of IP addresses and mac addresses, and a wake-on-LAN packet is sent to the devices to power them up to allow them to be encrypted.
The latest update was discovered by the French national cybersecurity agency ANSSI during an incident response it handled in January. ANSSI discovered the latest variant had worm-like capabilities that allow it to propagate automatically and infect all machines within the Windows domain. Every reachable machine on which Windows RPC accesses are possible can be infected and encrypted.
Ryuk is a human-operated ransomware variant, but the new update will greatly reduce the manual tasks that need to be performed. This will allow the gang to conduct more attacks and will decrease the time from infection to encryption, which gives security teams even less time to identify and remediate an attack in progress.
While different methods are used for initial access, Ryuk ransomware is usually delivered by a malware dropper such as Emotet, TrickBot, Zloader, Qakbot, Buer Loader, or Bazar Loader. These malware droppers are delivered via phishing and spear phishing emails. Around 80% of Ryuk ransomware attacks use phishing emails as the initial attack vector.
Once a device has been compromised it is often too late to identify and block the attack before data theft and file encryption, especially since the attacks typically occur overnight and during the weekend when IT teams are depleted. The best defense is to block the initial attack vector: The phishing emails that deliver the malware droppers.
Having an advanced spam filtering solution in place is essential for blocking Ryuk ransomware attacks. By identifying and quarantining the phishing emails and preventing them from reaching inboxes, the malware droppers that deliver Ryuk will not be downloaded.
To block these attacks, consider augmenting your email security defenses with SpamTitan. SpamTitan is an award-winning email security gateway that is proven to block phishing emails that deliver malware downloaders. To find out more, contact the SpamTitan team or start a free trial of the solution today.