Why should businesses safeguard against Ryuk ransomware?

Ransomware is a form of malware that enables attackers to use encryption techniques to infect entire networks (including files and associated devices), making them inaccessible to the target business until a ransom is paid. The ransom is usually demanded in a form of cryptocurrency, such as Bitcoin, and can be thousands, if not millions, of dollars. The average ransom payment reached $12,762 in 2019 and the average cost of incident-related downtime in just one quarter reached $64,645 per company.

Attackers routinely target large organizations or businesses with highly sensitive, critical assets, such as hospitals – a technique named “big game hunting.” Additionally, unlike with other forms of ransomware, cybercriminals using Ryuk malware target specific individuals and manually infiltrate the company’s networks. Using open-source tools available on the network, attackers harvest sensitive data and gain access to as many areas of the business as possible, gaining a detailed knowledge of internal operations.

Based on Hermes, an older ransomware, Ryuk ransomware was first identified in 2018 and is widely thought to have been adapted and developed by a cybercriminal organization in Russia. Since 2019, criminal groups have increased the number of attacks, obtaining millions of dollars in ransom payments from financial institutions, hospitals, and even local governments.

Similar to Locky ransomware, Cerber ransomware, and REvil/Sodinokibi ransomware, once the threat actor has breached your network and server security with Ryuk ransomware, it will shut down up to 180 services and 40 processes that your system needs to operate and will lead to your critical information being encrypted.

Once your files have been encrypted, Ryuk ransomware deletes the original copies and any shadow copies using a .BAT file. This means that all attempts by victims to recover their data will fail.

Ryuk uses both symmetric encryption and asymmetric encryption algorithms to encode files – a similar method to that of Petya and Mischa ransomware, which utilizes several methods to encrypt user data.

Impacting all files and applications across the network, the Ryuk ransomware, once it has fully achieved its goals, will drop into every folder a text file called “RyukReadMe.txt” that puts forth the ransom request details required. If a ransom is paid, as the cyberthieves claim, a copy of the encryption key will enable files to be retrieved.

As the number of Ryuk ransomware attacks continues to rise, governments and businesses must remain vigilant. Some of the most high-profile Ryuk attacks since 2018 include:

• Hospitals in the US, Germany, and the UK (2019-2020): Various hospitals in these countries were all victims of repeated Ryuk malware attacks. In September 2020, Universal Health Services (UHS), which operates facilities across the UK and US were hit with Ryuk malware. The incident cost the company $67 million and took a month for all operations to resume. A network of over 400 hospitals in the US and UK were also impacted by Ryuk malware in September 2020, with all 250 facilities in the US affected in one of the largest medical Ryuk attacks to date. Ryuk malware was reportedly responsible for 75% of attacks on the US healthcare sector in October 2020.
• Lake City, Florida (2019): Following an employee’s decision to open an email that housed a form of Ryuk malware, the city’s IT systems were held for a ransom of $460,000. The Mayor of Lake City confirmed that the city authority paid the ransom request to regain access to its operations.
• City of Onkaparinga, South Australia (2019): In December 2019, the IT systems of Onkaparinga Council in Adelaide were infected with Ryuk ransomware, costing a week of lost productivity.
• EMCOR (2020): In February, Fortune 500 company EMCOR confirmed that several of its IT systems were affected by a Ryuk malware attack. The company has not confirmed whether a ransom payment was made.