Ryuk (ransomware)


Ryuk is a type of ransomware known for targeting large, public-entity Microsoft Windows systems. It typically encrypts data on an infected system, rendering the data inaccessible until a ransom is paid in untraceable bitcoin. [1] Ryuk is believed to be used by two or more criminal groups, most likely Russian, who target organizations rather than individual consumers. [2]


Origin

The Ryuk ransomware first appeared in 2018. [1] Ryuk was initially suspected to be of North Korean origin, and was later thought to have been created by a single group or actor. It is now suspected that Ryuk has been created by multiple Russian criminal cartels. [1] [2] The criminal group known as Ryuk seeks primarily to extort ransom payments in exchange for decrypting the data that its malware has encrypted and thereby rendered useless. Following an attack on the Baltimore County (Maryland) school system in November 2020, a cybersecurity threat analyst told the Baltimore Sun that the Ryuk criminal group "tends to be all business ... they just like to get the job done": to extort a large ransom payoff. [3]

How it works

In the UK, the National Cyber Security Centre notes that Ryuk uses the Trickbot malware to install itself once access to a network's servers has been gained. It has the capability to defeat many anti-malware countermeasures that may be present and can completely disable a computer network. It can even seek out and disable backup files if they are kept on shared servers. [4] Emotet is also used by Ryuk operators to gain access to computers, acting as the initial loader or "Trojan horse". [5] [6]

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) website provides detailed information on how Ryuk infects and takes control of a computer network, saying that access may be initially gained by: "... phishing campaigns that contain either links to malicious websites that host the malware or attachments with the malware. Loaders start the infection chain by distributing the payload; they deploy and execute the backdoor from the command and control server and install it on the victim's machine". [7] The phishing efforts generally contain malicious documents (or hyperlinks to them). [8] When the victim enables it, a malicious macro or loader starts the infection sequence. [7] Like many other ransomware families, Ryuk deletes Volume Shadow Copy files and terminates processes from a hard-coded list.

Once Ryuk takes control of a system, it encrypts the stored data, making it impossible for users to access unless the victim pays a ransom in untraceable bitcoin. In many cases, days or weeks may elapse between the time attackers initially gain access to a system and the time mass encryption occurs, as the criminals penetrate deeper into the network to inflict maximum damage. [9] Ryuk is an especially pernicious type of malware because it also finds and encrypts network drives and resources. It also disables the System Restore feature of Microsoft Windows that would otherwise allow restoring the computer's system files, applications, and Windows Registry to their previous, unencrypted state. [6] [8]
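The recovery-inhibition steps described above (deleting shadow copies and disabling Windows recovery) are the part of the chain that defenders can most readily detect in endpoint telemetry, typically during the quiet days or weeks before mass encryption. The following Python script is an added example, not code from the article or from any cited agency or vendor: it parses constructed, Sysmon-style process-creation log lines (the hosts, users, and events are invented for this example), flags command lines matching the shadow-copy deletion and boot-recovery changes that MITRE ATT&CK catalogues as Inhibit System Recovery (T1490), and escalates any host that shows more than one such technique.

```python
"""Detection example for the recovery-inhibition behaviour attributed to Ryuk.

Added example, not code from the article or from any cited agency or vendor.
The log format and every event below are constructed for illustration.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed, Sysmon-style process-creation events (hypothetical hosts/users).
# Two are benign (an editor launch, a backup account listing shadow copies).
SAMPLE_LOG = r"""
2020-11-24T06:10:51Z host=ws-042 user=CORP\jdoe image=C:\Windows\System32\notepad.exe cmdline="notepad.exe grades.txt"
2020-11-24T06:12:03Z host=ws-042 user=CORP\jdoe image=C:\Windows\System32\vssadmin.exe cmdline="vssadmin.exe delete shadows /all /quiet"
2020-11-24T06:12:04Z host=ws-042 user=CORP\jdoe image=C:\Windows\System32\bcdedit.exe cmdline="bcdedit /set {default} recoveryenabled No"
2020-11-24T07:01:10Z host=srv-backup user=CORP\backupsvc image=C:\Windows\System32\vssadmin.exe cmdline="vssadmin.exe list shadows"
2020-11-24T07:30:00Z host=ws-017 user=CORP\asmith image=C:\Windows\System32\wbem\wmic.exe cmdline="wmic shadowcopy delete"
"""

# Command-line patterns for MITRE ATT&CK T1490 (Inhibit System Recovery):
# deleting Volume Shadow Copies and turning off Windows boot recovery.
# Only built-in Windows tools are referenced; no Ryuk-specific artefact is assumed.
SUSPICIOUS_PATTERNS = {
    "shadow_copy_deletion": [
        re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
        re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    ],
    "recovery_disabled": [
        re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
        re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I),
    ],
}

# Field layout of the constructed log lines (hypothetical format).
LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+'
    r'image=(?P<image>\S+)\s+cmdline="(?P<cmdline>[^"]*)"\s*$'
)


@dataclass
class Alert:
    ts: str
    host: str
    user: str
    technique: str
    cmdline: str


def parse_line(line):
    """Return the event's fields as a dict, or None for a malformed line."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def classify(cmdline):
    """Return the matching technique name, or None if the command line is clean."""
    for technique, patterns in SUSPICIOUS_PATTERNS.items():
        if any(p.search(cmdline) for p in patterns):
            return technique
    return None


def scan(log_text):
    """Parse every line and emit one Alert per suspicious command line."""
    alerts = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # blank or malformed; a real pipeline would count these
        technique = classify(rec["cmdline"])
        if technique:
            alerts.append(Alert(rec["ts"], rec["host"], rec["user"], technique, rec["cmdline"]))
    return alerts


def triage(alerts):
    """Severity per host: more than one distinct T1490 technique on the same
    host is escalated, since that combination precedes mass encryption in the
    behaviour the article describes."""
    by_host = defaultdict(list)
    for a in alerts:
        by_host[a.host].append(a)
    return {
        host: ("high" if len({a.technique for a in host_alerts}) > 1 else "medium")
        for host, host_alerts in by_host.items()
    }


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for a in found:
        print(f"{a.ts} {a.host} {a.user} {a.technique}: {a.cmdline}")
    print(triage(found))
```

Run against the constructed sample, the script raises three alerts and rates ws-042 as high (shadow copies deleted and recovery disabled within seconds, by an ordinary user account) and ws-017 as medium; the backup account merely listing shadow copies is not flagged. In a real deployment the patterns would run over the SIEM's process-creation events and the per-host correlation would be bounded to a time window, but the shape of the logic is the same.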

To combat these ransomware attacks, the U.S. Cyber Command initiated a counter-attack in September 2020 to disrupt Trickbot's servers. Shortly thereafter, Microsoft invoked trademark law to disrupt a Ryuk botnet. [10]

Ransomware victims

Ryuk targets large organizations with the ability to pay significant sums of money to regain access to their valuable data. All told, more than $61 million in ransom was paid due to Ryuk malware attacks in 2018–2019, according to the FBI. [11] In December 2018, a Ryuk-based attack affected publication of the Los Angeles Times and of newspapers across the country using Tribune Publishing software. [12] Printing of the Fort Lauderdale Sun Sentinel in Florida was halted, and even the newspaper's telephones did not work. [13] On 20 October 2020, Sopra Steria, an information technology consulting company based in Paris, suffered a Ryuk ransomware attack. [14] The cybercriminals encrypted the company's data using a variant of Ryuk, making it inaccessible unless a ransom was paid. The company estimated that the attack would cost it $47–59 million. [15] In the wake of the attack, Ryuk was described as "one of the most dangerous ransomware groups that operate through phishing campaigns". [14]

Between 2019 and 2020, U.S. hospitals in California, New York, and Oregon, as well as hospitals in the UK and Germany, were affected by Ryuk malware, resulting in difficulties with accessing patient records and even impairing critical care. Doctors at affected hospitals resorted to writing paper instructions instead of using their inoperable computers. [16] [17] In the U.S., a joint statement was issued on October 29, 2020, by three Federal government agencies, the FBI, CISA, and the Department of Health and Human Services, warning that hospitals should anticipate an "'increased and imminent' wave of ransomware cyberattacks that could compromise patient care and expose personal information", likely from Ryuk attacks. [16] More than a dozen U.S. hospitals were hit by Ryuk attacks in late 2020, shutting down access to patient records and even disrupting chemotherapy treatments for cancer patients. [11]

Also targeted are vulnerable public-sector entities, which often use older software and do not follow computer security best practices. Lake City, Florida, for example, paid $460,000 in ransom after one of its employees opened an email containing a variant of Ryuk malware in June 2019. [18]

The ransomware has been used to attack dozens of U.S. school systems, which are often deficient in cybersecurity. [19] Since 2019, more than a thousand schools have been victimized. Sometimes the resulting impairment takes weeks to repair. [9] In 2020, schools from Havre, Montana, to Baltimore County, Maryland, experienced Ryuk ransomware attacks. Ransom demanded by the perpetrators has ranged from $100,000 to $377,000 or more. [20] Online education provider Stride, Inc. (formerly K12 Inc.) was attacked by Ryuk ransomware criminals in November 2020, rendering some of K12's records inaccessible and leading to the threatened release of students' personal information. The Virginia-based firm paid an undisclosed ransom amount, saying, "Based on the specific characteristics of the case, and the guidance we have received about the attack and the threat actor, we believe the payment was a reasonable measure to take in order to prevent misuse of any information the attacker obtained". [21]

The large Baltimore County Public Schools system in Maryland, serving 115,000 students and having a budget of $1.5 billion, had to suspend all classes after problems were experienced with its computer network beginning on November 24, 2020, reportedly due to Ryuk. The system's crash first manifested itself when teachers attempting to enter students' grades found themselves locked out and noticed Ryuk file extensions. County school officials characterized it as "a catastrophic attack on our technology system" and said it could be weeks before recovery was complete. [22] The school system's director of information technology said, "This is a ransomware attack which encrypts data as it sits and does not access or remove it from our system". [19] Prior to the crippling malware attack, state auditors from the Maryland Office of Legislative Audits had performed a periodic audit of the Baltimore County School System's computer network in 2019. They found several vulnerabilities in the system, such as insufficient monitoring of security activities, publicly accessible servers not isolated from the school system's internal network, and a lack of "intrusion detection ... for untrusted traffic". [23] [24] Avi Rubin, Technical Director of the Information Security Institute at Johns Hopkins University, said the auditors' discovery of "computers that were running on the internal network with no intrusion detection capabilities" was of particular concern. [25] Although the final report by the Maryland Office of Legislative Audits was released on November 19, 2020, the auditors had initially warned the school system of their findings in October 2019. [23]

Ryuk's reach is global, hitting councils and government agencies around the world. One such attack landed on the City of Onkaparinga, South Australia. In December 2019, Ryuk took hold of the city's IT infrastructure. The attack left hundreds of employees in limbo as the city's IT department worked on reinstating operations. Each time backups were restored, the malware would start attacking the system all over again. The attack continued for four days before the IT team was able to contain the malware and reinstate the necessary backups. [26] [27]

In early 2021, a new strain of the Ryuk ransomware was discovered that features worm-like capabilities, allowing it to self-propagate to other devices on the local network it is infiltrating. [28] [29]


References

  1. Constantin, Lucian (May 12, 2020). "Ryuk ransomware explained: A targeted, devastatingly effective attack". CSO Online. International Data Group. Retrieved November 27, 2020.
  2. Brewster, Thomas (February 20, 2019). "Mistaken For North Koreans, The 'Ryuk' Ransomware Hackers Are Making Millions". Forbes. Retrieved November 30, 2020.
  3. Bowie, Liz; Knezevich, Alison (November 27, 2020). "Ransomware attack cripples Baltimore County Public Schools". The Baltimore Sun. Retrieved November 27, 2020.
  4. "Ryuk ransomware targeting organisations globally". National Cyber Security Centre. June 21, 2019.
  5. "North Korean APT(?) and recent Ryuk Ransomware attacks". Kryptos Logic. January 10, 2019. Retrieved December 1, 2020.
  6. Kujawa, Adam (January 8, 2019). "Ryuk ransomware attacks businesses over the holidays". Malwarebytes.com. Retrieved December 10, 2020.
  7. "Ransomware Activity Targeting the Healthcare and Public Health Sector". Cybersecurity and Infrastructure Security Agency. November 2, 2020. Retrieved November 27, 2020.
  8. "Ryuk evolves into one of the most devastating ransomware threats". Rangeforce.com. Retrieved December 10, 2020.
  9. Collins, David (November 26, 2020). "BCPS IT officials trying to undo damage caused by ransomware cyberattack". Baltimore, Md.: WBAL-TV. Retrieved November 28, 2020.
  10. "Microsoft Uses Trademark Law to Disrupt Trickbot Botnet". Krebs on Security. October 12, 2020. Retrieved December 1, 2020.
  11. Barry, Ellen; Perlroth, Nicole (November 27, 2020). "Patients of a Vermont Hospital Are Left 'in the Dark' After a Cyberattack". New York Times. Retrieved November 28, 2020. (Subscription required.)
  12. Sanger, David E.; Perlroth, Nicole (December 30, 2018). "Cyberattack Disrupts Printing of Major Newspapers". New York Times. Retrieved November 28, 2020. (Subscription required.)
  13. Olmeda, Rafael (December 29, 2018). "Computer virus freezes South Florida Sun Sentinel". Retrieved November 28, 2020.
  14. "Sopra Steria falls victim to Ryuk Ransomware". SecureReading. October 23, 2020. Retrieved December 4, 2020.
  15. "Ransomware Attack Will Costs French IT Services $60 Million". TechStreetnow. November 26, 2020. Retrieved December 4, 2020.
  16. Joy, Kevin (October 29, 2020). "What Hospitals Should Know About the Ryuk Ransomware Threat". HealthTech. Retrieved November 27, 2020.
  17. "US hospitals brace for flood of Ryuk". Techhq. October 30, 2020. Retrieved November 27, 2020.
  18. Mazzei, Patricia (June 27, 2019). "Another Hacked Florida City Pays a Ransom, This Time for $460,000". New York Times. Retrieved November 28, 2020. (Subscription required.)
  19. Paybarah, Azi (November 29, 2020). "Ransomware Attack Closes Baltimore County Public Schools". New York Times. Retrieved December 2, 2020.
  20. Dragu, Paul (February 10, 2020). "Ransomware cripples Havre Public Schools computer system". Havre Herald. Retrieved November 29, 2020.
  21. Abrams, Lawrence (December 2, 2020). "K12 online schooling giant pays Ryuk ransomware to stop data leak". BleepingComputer. Retrieved December 4, 2020.
  22. Bowie, Liz; Knezevich, Alison (November 27, 2020). "Experts say restoring Baltimore County school network may take weeks, with classes potentially back in days". The Baltimore Sun. Retrieved November 27, 2020.
  23. Simpson, Amy (November 30, 2020). "State auditor: BCPS informed of network concerns in October 2019". WBFF. Retrieved December 3, 2020.
  24. Knezevich, Alison (November 26, 2020). "Audit found 'significant risks' in Baltimore County schools' computer network". The Baltimore Sun. Retrieved November 28, 2020. (Subscription required.)
  25. Collins, David (November 27, 2020). "Auditors found significant risks in BCPS network before ransomware cyberattack". Baltimore, Md.: WBAL-TV. Retrieved December 2, 2020.
  26. "Surviving a shocking ransomware attack: Lessons from the City of Onkaparinga". CompNow (www.compnow.com.au). Retrieved April 19, 2021.
  27. "Suspected Ryuk ransomware attack locks down Adelaide's City of Onkaparinga council". Australian Broadcasting Commission (www.abc.net.au). January 6, 2020. Retrieved April 19, 2021.
  28. ArcTitan (March 9, 2021). "Caution Advised as all Devices on the Network Can be Automatically Infected by Ryuk Ransomware". ArcTitan. Retrieved March 9, 2021.
  29. "The negotiators taking on the ransomware hackers". Financial Times. February 17, 2021. Archived from the original on February 17, 2021. Retrieved March 9, 2021.