The hackers behind the Ryuk ransomware are targeting victims around the world.
And they are locking up so many computer networks and making so much money that the UK's National Cyber Security Centre (NCSC) recently put out a detailed security advisory on the threat.
All you have to do is look at Florida to understand the need for this.
In June 2019 alone, the Ryuk ransomware crew collected more than $1.1 million from Florida municipalities.
Lake City, Florida, authorized its insurer to send the Ryuk hackers 42 Bitcoin, worth about $500,000. And earlier in the month, the Riviera Beach City Council voted unanimously to let its insurer pay a 65 Bitcoin ransom, which was worth about $600,000.
City Manager Deirdre Jacobs put it like this:
"Payment of the ransom would provide a mechanism to the city to retrieve all of the city's files and data which have been encrypted. And hopefully return the city's computer network to being fully operational."
In the case of Riviera Beach, the attack encrypted city data and took most of the city's systems offline. Police started writing paper tickets, 9-1-1 service was impacted, and the city's email, check payment and direct deposit services, and even the SCADA (industrial control) systems for the city's water pumps were affected.
This backdrop gives you an idea of why the UK is issuing the Ryuk ransomware alert. Targets in the UK and other countries are suffering like Florida has.
The Ryuk ransomware security advisory has both good news and bad news for organizations.
The bad news first: Ryuk ransomware can hide.
"The Ryuk ransomware is often not observed until a period of time after the initial infection—ranging from days to months—which allows the actor time to carry out reconnaissance inside an infected network, identifying and targeting critical network systems and therefore maximising the impact of the attack."
The good news: you can short-circuit it.
"It may also offer the potential to mitigate against a ransomware attack before it occurs, if the initial infection is detected and remedied."
The report says there are many potential ways for Ryuk ransomware to get into your network; however, a common chain of infection looks like this:
"... when a Ryuk infection occurs, Emotet (malware) is commonly observed distributing Trickbot (a trojan) as part of the infection chain.
Trickbot subsequently deploys additional post-exploitation tooling to enable their operations, including Mimikatz and PowerShell Empire modules. These facilitate credential harvesting, remote monitoring of the victim's workstation, and performing lateral movement to other machines within a network.
This initial infection enables the attacker to assess whether the machine presents a ransomware opportunity, and if so, to deploy Ryuk."
The NCSC alert also says Ryuk generally attempts to stop anti-malware software, and that it can adapt, installing a different version of the ransomware depending on the system's architecture.
Once it is in place, here's what Ryuk ransomware can do:
The Ryuk ransomware itself cannot move laterally within a network, hence its reliance on access gained through the primary infection; it can, however, enumerate network shares and encrypt those it can access.
This, coupled with the ransomware's use of anti-forensic recovery techniques (such as manipulating the volume shadow copies), makes recovering from backups difficult.
All non-executable files across the system are encrypted and renamed with the .ryk file extension. A ransom note named RyukReadMe (.html or .txt) is dropped in each processed folder.
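The advisory's point that an infection can be caught and remedied before encryption, together with the behaviours just listed (shadow copy manipulation, mass renaming to .ryk, a RyukReadMe note in every processed folder), translates directly into endpoint detection logic. The script below is an added illustration, not code from the article or the NCSC advisory: it scans a handful of constructed process-creation and file-event records and raises per-host alerts. The event format, host names and the assumption that "manipulating the virtual shadow copy" shows up in telemetry as vssadmin or WMIC shadowcopy deletion commands are all mine, not the page's.

```python
"""Flag Ryuk-style behaviour in constructed endpoint telemetry.

Added example; not from the article or the NCSC advisory. Looks for the three
behaviours the advisory describes: shadow copy manipulation ahead of
encryption, mass renaming of files to the .ryk extension, and the RyukReadMe
ransom note dropped into each processed folder.
"""
import re
from collections import Counter

# Constructed sample telemetry as (event_type, host, detail). Made up for this
# example; not real logs from any incident.
SAMPLE_EVENTS = [
    ("process", "FILESRV01", r"C:\Windows\System32\vssadmin.exe Delete Shadows /All /Quiet"),
    ("process", "FILESRV01", r"C:\Windows\System32\wbem\WMIC.exe shadowcopy delete"),
    ("process", "WKSTN07", r"C:\Windows\System32\notepad.exe C:\Users\a\notes.txt"),
    ("file_rename", "FILESRV01", r"\\FILESRV01\finance\budget.xlsx -> \\FILESRV01\finance\budget.xlsx.ryk"),
    ("file_rename", "FILESRV01", r"\\FILESRV01\finance\q2.docx -> \\FILESRV01\finance\q2.docx.ryk"),
    ("file_rename", "FILESRV01", r"\\FILESRV01\hr\staff.pdf -> \\FILESRV01\hr\staff.pdf.ryk"),
    ("file_create", "FILESRV01", r"\\FILESRV01\finance\RyukReadMe.html"),
    ("file_create", "FILESRV01", r"\\FILESRV01\hr\RyukReadMe.txt"),
    ("file_create", "WKSTN07", r"C:\Users\a\report.docx"),
]

# Assumption: the advisory's "manipulating the virtual shadow copy" step surfaces
# as vssadmin / WMIC shadowcopy deletion commands in process-creation telemetry.
SHADOW_COPY_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.IGNORECASE),
]
# Ransom note name and encrypted-file extension come straight from the advisory.
RANSOM_NOTE = re.compile(r"[\\/]RyukReadMe\.(html|txt)$", re.IGNORECASE)
RYK_RENAME = re.compile(r"->\s*.+\.ryk$", re.IGNORECASE)

# Number of .ryk renames on one host before we call it mass encryption (chosen
# arbitrarily for the example; tune to your environment).
RENAME_THRESHOLD = 3


def classify(event):
    """Return a finding label for one event, or None if it looks benign."""
    kind, _host, detail = event
    if kind == "process" and any(p.search(detail) for p in SHADOW_COPY_PATTERNS):
        return "shadow_copy_deletion"
    if kind == "file_rename" and RYK_RENAME.search(detail):
        return "ryk_rename"
    if kind == "file_create" and RANSOM_NOTE.search(detail):
        return "ransom_note"
    return None


def detect(events, rename_threshold=RENAME_THRESHOLD):
    """Aggregate findings per host; return {host: sorted list of alert names}."""
    per_host = {}
    for ev in events:
        label = classify(ev)
        if label:
            per_host.setdefault(ev[1], Counter())[label] += 1

    alerts = {}
    for host, counts in per_host.items():
        hits = set()
        if counts["shadow_copy_deletion"]:
            # Backup tampering usually precedes encryption: the earliest useful alert.
            hits.add("shadow_copy_deletion")
        if counts["ransom_note"]:
            hits.add("ryuk_ransom_note")
        if counts["ryk_rename"] >= rename_threshold:
            hits.add("mass_ryk_encryption")
        if hits:
            alerts[host] = sorted(hits)
    return alerts


if __name__ == "__main__":
    for host, hits in detect(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(hits)}")
```

Run against the constructed events, only FILESRV01 is flagged, and on all three counts; WKSTN07's ordinary notepad and document activity produces nothing. The shadow copy rule is the one worth paging someone for: it fires before any file is renamed, which is exactly the window the advisory says you have to remediate.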
That's an overview of how Ryuk ransomware infects computers and networks, and how it operates.
If you are looking for technical details and Indicators of Compromise (IOCs), you can read and download the NCSC Advisory, Ryuk ransomware targeting organisations globally, for more.
And for ransomware discussions with your InfoSec peers in North America, check out our cybersecurity conference calendar.