Ryuk: Defending Against This Increasingly Busy Ransomware Family

On December 16, 2019, the U.S. Coast Guard disclosed a security incident at a facility regulated by the Maritime Transportation Security Act (MTSA). Forensic analysis suggests that the incident might have begun when an employee clicked on a link embedded in a phishing email.

This action enabled a threat actor to set Ryuk ransomware loose on the facility’s network. Ultimately, the infection spread to all IT network files, leading Ryuk to disrupt the corporate IT network and prevent critical process control monitoring systems from functioning properly.

Phishing is one of the primary infection vectors for most ransomware families, but there’s an interesting twist with this particular family. As noted by Malwarebytes, a typical Ryuk attack begins when a user opens a weaponized Microsoft Office document attached to a phishing email. Opening the document causes a malicious macro to execute a PowerShell command that attempts to download the banking trojan Emotet. This has the ability to download additional malware onto an infected machine that retrieves and executes Trickbot.

This secondary payload, in turn, collects admin credentials, allowing digital attackers to move laterally to critical assets connected to the network. The attack chain concludes when the attackers execute Ryuk on each of these assets.

It’s never good for ransomware victims to not have a data backup that they can use to recover their data. In the case of Ryuk, it’s especially bad. McAfee reported in February 2019 that the typical Ryuk ransom demands amounted to $145,000—more than 10 times the average ransomware amount. Ryuk’s handlers were sometimes willing to negotiate; even then, the average ransom amount post-negotiation was still as high as $71,000.

Recent Attacks Involving Ryuk Ransomware
The security community documented numerous Ryuk attacks in 2019. Even so, the ransomware had a particularly busy final quarter. Here are just some of the infections that made headlines during this three-month period.

  • National Veterinary Associates: In mid-November, KrebsOnSecurity revealed that National Veterinary Associates had suffered a Ryuk ransomware infection. The attack limited the availability of patient records, payment systems and practice management software at 400 veterinaries operated by the California company. In response to the infection, NVA hired two outside security firms to assist in its recovery effort.
  • Virtual Care Provider Inc.: Less than a week later, KrebsOnSecurity reported another Ryuk attack. This incident involved Virtual Care Provider Inc. (VCPI), a Wisconsin-based IT company that provides data hosting and other IT services to over 100 nursing homes located in the United States. As a result of the attack, these medical facilities were temporarily unable to access their patients’ medical records.
  • Louisiana State Government: Around that same time, ArsTechnica covered a Ryuk attack that forced Louisiana’s Office of Technology Services to shut down parts of the state government’s network. It took this measure to prevent the ransomware from spreading to other state agencies. The governor’s office and the Department of Health were among the departments affected by the shutdown and ransomware attack.
  • Prosegur: Near the end of November, news emerged of how Spanish multinational cash logistics company had temporarily shut down its IT network following a Ryuk attack. The company confirmed on Twitter that it had experienced a “security information incident in its telecommunications platforms.” Not long afterward, Prosegur revealed that it had taken “maximum security measures” to prevent Ryuk from spreading.
  • The City of New Orleans: On December 13, 2019, the City of New Orleans declared a state of emergency after suffering a ransomware attack. One day later, Bleeping Computer learned of a memory dump that contained numerous references to both Ryuk and New Orleans, including domain names and file shares. These resources suggest there was at least some connection between Ryuk and the New Orleans ransomware attack. 
  • DCH Health System: Near the end of December, Advance Local revealed that four patients had filed a class action lawsuit against DCH Health System. Their lawsuit alleged that the hospital had violated HIPAA and endangered their medical care in relation to a Ryuk ransomware attack that occurred three months earlier. That infection disrupted DCH’s operations for 10 days, according to Advance Local.

How to Defend Against Ryuk Ransomware
Organizations can’t rely on simply paying the ransom following a Ryuk ransomware infection. First, many organizations can’t afford to pay these ransoms without closing their doors, as demands oftentimes amount to hundreds of thousands if not millions of dollars.

Second, there’s no guarantee that victims will recover their files even if they do pay. As reported by Emsisoft, for instance, one decryptor provided by Ryuk’s handlers contained a bug that could have prevented victims from restoring large files affected by the ransomware.

These facts, when coupled with the growing rate of ransomware evasion, highlights the need for organizations to invest in a solution like our Lastline Defender. This security solution is capable of detecting ransomware and malware across all platforms because it doesn’t just look at a suspicious program.

Since Lastline Defender relies on behavior-based detection, it doesn’t matter if it’s never seen a sample of Ryuk. It also doesn’t matter if a malware family is polymorphic and thus constantly creating slightly different variants.

What’s Hot on Infosecurity Magazine?