What is Ryuk Ransomware?

Colleen Martin
3 min read · Oct 9, 2019


Throughout the summer and now into the fall, there have been many stories in the news about Ryuk, a targeted and powerful piece of ransomware that has been attacking countless organizations, including municipal governments, state courts, hospitals, enterprises, and large universities. Many of these organizations have paid hefty fees to recover their files following a Ryuk attack, only to find that countless files are still missing, or beyond repair.

How Does Ryuk Work?

What many people don’t understand about Ryuk is that Ryuk is not the beginning of the attack, but is instead the end product. Once Ryuk is triggered to encrypt and ransom files, the real damage has already been done.

The attack begins as a phishing email or a drive-by download triggered by visiting a website or clicking on a popup. The threat actors use a dropper and a Trojan or bot to establish persistent access to the network. They use the tools of typical Advanced Persistent Threat (APT) operators, from exploiting vulnerable machines to installing keyloggers and stealing credentials, to move around the infiltrated network. They look for information to steal, then gather and exfiltrate it, expanding their footprint as they go. They also install Ryuk on each system they gain access to. Once they have accessed and exfiltrated everything they can, they trigger Ryuk to encrypt what’s left and ransom their victims.

Victims of this Ryuk attack have paid hundreds of thousands of dollars to regain access to their information. Unfortunately, it is the attack that comes before Ryuk is even deployed that wipes out most of their data.

What to do After a Ryuk Attack

Unfortunately, as stated earlier, once you have been infected with Ryuk, there is very little to be done. However, it is still strongly recommended that you contact authorities. For example, US companies can contact the FBI, either through their local office, or with an IC3 complaint form. With so many different strains of Ryuk out in the wild, it is vital that as much knowledge as possible be collected in order to find a way to put a stop to such attacks. Additionally, such agencies are often the most capable of widely disseminating information, putting other organizations on high alert. From there, the focus should be on rebuilding with stronger safeguards in place.

How to Prevent Ryuk Attacks

Many organizations, both public and private, already have the precursors of Ryuk in their network. It is the detection of this persistent access that can save an organization that already has an active attack underway. Early detection and remediation can minimize exfiltration and prevent Ryuk from being placed and deployed, thwarting the ransomware element completely. The answer to detecting this persistence is to know what to look for.

Core Security has been tracking this attack since early 2016. The presence of any of these threats is a good indicator that you are under an attack that will likely end up as a Ryuk ransom of your network. The good news is that Core Network Insight detects the Emotet dropper, the Trickbot Trojan, and other precursors of a Ryuk attack early in the infection, so that you can clean them out of your IT environment, eliminating the persistent access to your network that gives the threat actors the opportunity to pillage your network and place Ryuk.

Core Network Insight is the only mature, purpose-built, active threat detection solution on the market. It is agentless, as well as OS and platform agnostic. This means that it can detect Emotet, Trickbot, and other infections on such diverse network endpoints as workstations and servers, printers and multifunction devices, IP telephones and IP cameras, video conference units, HVAC and SCADA systems, point-of-sale terminals and ATMs, MRI, CT, and other DI systems and mobile medical devices, the Internet of Things, and even refrigerators with web panels and network-connected coffee makers. If it has an IP address, is plugged into your network, and becomes infected, Core Network Insight will detect it fast and let you know early so you can get ahead of the attack before the damage occurs.

Is your environment infected? Download a guide on how to identify compromised devices with certainty and get ahead of threats before it’s too late.
