Ryuk, the latest ransomware variant that has taken the world by storm, has been targeting victims that promise big paydays. This is the same ransomware strain that hit Tribune Publishing in December of 2018, leaving the distribution of multiple major newspapers, like the L.A. Times and Chicago Tribune, at a standstill. This is just one example of the 52 different confirmed Ryuk ransomware attacks that have occurred since August 2018. Since the malicious variant has been in the wild, sources have tied $3.7 million in payouts to the Ryuk hackers.
How is Ryuk Different?
First, it uses a highly targeted attack. It doesn’t send out a blanket email or exploit to the masses. Instead, it uses the banking Trojan, Trickbot to initiate its installation. Once Trickbot is installed, hackers will determine if the business is a good target for Ryuk. If so, the malware may lay dormant for up to a year before it initiates the malicious infection. To be clear, Ryuk only does a follow-up attack on larger targets, with a high likelihood of paying out the ransom demands. They consider optimal targets those with significant cash funds, that will not tolerate significant downtimes.
Avoiding Trickbot Infection
Theoretically, if you can avoid Trickbot infection, you can avoid infection from Ryuk.
Trickbot is an executable file. The most effective way to block malicious executable files is through the use of application whitelisting. By deploying a security solution that uses a whitelist as its primary method of malware detection, all unknown executable files will be blocked until proven secure. Meaning, even if the Trickbot coding is altered to change the executable itself, the file would still not run. The whitelist would block the new code from executing regardless of how it’s altered because the file will never be secure.
The Ryuk Process
Just because Ryuk has previously used Trickbot as it’s initial means of integration into a PC and/or server, doesn’t mean it always will. Therefore, users should be aware of how Ryuk initiates on its own.
First, it involves the scripting engine PowerShell, followed by movement throughout the network through remote desktop protocol (RDP) ports. PowerShell is not an executable file, meaning the security solution must include behavioral heuristics like malicious script blocking, in order to prevent the malicious use of PowerShell.
Then, once a hacker exploits an RDP, they essentially have full access to the network to disable anything they’d like, as well as install whatever programs they so wish. To thwart RDP attacks, users should first disable any unused ports. By disabling the port from the network, hackers cannot execute brute force to gain access. For ports that must be connected, proper controls must be put in place to mitigate the risk of being exploited. For example, automatically locking the port for a predetermined amount of time if the incorrect credentials are not entered within a certain number of attempts. This control itself deters hackers from exploiting the system, because they will not take the time to wait for the time-out to be lifted, to make another handful of guesses.
Recap
Ryuk ransomware has been infecting major businesses in the U.S., U.K., and Australia. This new variant has been known to target large profile targets with significant cash flow, and a limited ability and willingness to suffer significant downtime. By exploiting these two factors, Ryuk hackers experience an increased likelihood of getting paid to restore the infected files. This theory has been proven, as there have been 52 confirmed Ryuk attacks since August, with a total payout exceeding $3.7 million.
The best way businesses can stay protected is to deploy a security solution that has the following features:
- Application whitelisting as its primary method of malware detection
- Malicious script blocking for various scripting engines like PowerShell, CScript and WScript
- RDP access controls
