Have your systems been tagged with a death note of ransomware? Ryuk has been making its rounds this December and causing holiday misery for organizations left and right this year. Typically, attacks increase near the holiday season and end of the year due to holiday sales and important end of year documents that are often spoofed. Don’t let Ryuk steal your holiday joy or start your year off dealing with an IT emergency.
What is Ryuk?
Ryuk is ransomware that mainly gained notoriety when it affected several U.S. newspapers last December. This ransomware has been targeting “high-value” targets which include many larger corporations. Ryuk can be delivered in multiple ways and it often deletes the infection method as part of its routine. This makes uncovering how it got into your network difficult to track down. Usually, Ryuk is delivered by other Malware such as Emotet or Trickbot in a malicious file attachment. These are common attack vectors which take advantage of phishing emails and the lack of email security at an organization. Once Ryuk is on your systems, it bypasses antivirus and attempts to maintain its stranglehold on the infected machine. It will then inject itself into the Windows process and from there, it will do its damage of stealing information, disabling access and encrypting files. The impact on businesses can be felt from the financial loss of paying the ransom to the data loss of not being able to recover from the attack.
Ryuk has had a revival of the sort this holiday season. From the City of New Orleans to the US Coast Guard, this ransomware has been creating havoc across IT systems. Recently the US Coast Guard said they believed that the point of entry was a malicious email sent by one of the maritime facility’s employees. Once through the door, Ryuk caused “a disruption of the entire corporate IT network (beyond the footprint of the facility), disruption of camera and physical access control systems, and loss of critical process control monitoring systems.”
How can RYUK be stopped?
Luckily, many anti-malware vendors have started building patterns for this ransomware variant. Security technologies using heuristic-based approaches are also catching on. Using these systems, attacks in the kill chain can be stopped before the intended user can even get the chance to execute this piece of code. The best way to prevent Ryuk from spreading is to first educate the population of the organization on how to handle suspicious emails. Limit the use of remote connections and administrator privileges were possible as well. Make sure your anti-malware technology is up-to-date and has a separate unique password for uninstalling the agent too. Ryuk typically tries to disable system protections as its first order of business so this could give you the extra needed time to prevent data or financial loss.
Written by Grant Codak
Grant has over a decade of IT experience spanning a variety of domains with a focus on defensive security. Grant is currently a Cybersecurity Expert at TechGuard Security where he performs a wide variety of proactive security services, including penetration testing. He also holds the following certifications: CISSP, CEH, Security+, Network+, A+, and Metasploit Pro Certified Specialist. Recent responsibilities include, a Senior Web Security Engineer at a Fortune 50 organization along with a variety of application administration roles in security operations. His past project work includes, web tool development as well as firewall and web proxy migrations. Currently at TechGuard Security, Grant conducts audit control assessments, penetration tests, vulnerability assessments and social engineering exercises. Grant ties his knowledge together with his deep understanding of network operations and security architecture to deliver approachable report analysis to clients. Grant is also a nature enthusiast and enjoys mountain biking, hiking and kayaking.