Ransomware: A Short History of Ryuk?

BY OnSecurity Team / ON Nov 16, 2020

First spotted in August 2018, Ryuk – a nasty form of targeted ransomware – has quickly gained notoriety in the world of cybercrime. Within weeks of the first hit, Ryuk landed over $640,000 (roughly 41 bitcoins) in ransom payments from their victims.

Now a household name in cyber security, the hackers behind Ryuk ransomware have amassed over $150 million: their biggest ever pay-out from a single organisation isreported to be a staggering $34 million (2,200 bitcoins).

While the 'who'behind Ryuk ransomware has not been confirmed, cyber security experts have made a connection between Ryuk and Hermes, a strain of ransomware discovered in October 2017 that uses the same code as Ryuk.

What is different about Ryuk?

With so many forms of ransomware out there, what makes Ryuk so dangerous? The answer lies in the hacker's method: 'big game hunting'. Big game hunting is a method used by cybercriminals looking for a bigger pay-out. Hackers exclusively target large, high-profile organisations – after all, these organisations are more likely to hold critical assets – and threaten to damage or even destroy their files.

Only targeting large, high-profile companies means that each attack of Ryuk ransomware is calculated: cybercriminals spend a lot of time and effort scoping out each victim, making sure that they fit their desired target profile.

How do they do it?

The team of cybercriminals driving Ryuk ransomware have developed a multi-stage attack that is tailored specifically to each of their victims.

It all starts with a spear phishing email. Hackers send out personalised emails which lure the recipient into opening a link or attachment: once opened, hackers attempt to download malware onto the victim's device. This malware – typically Emotet or TrickBot – enable hackers to access the organisation's admin credentials.

Access to these credentials is key to the hacker's success: they can use the stolen credentials to penetrate the organisation's network and establish a connection through remote desktop protocol (RDP).

This connection is all it takes for hackers to take full control of a device and infect it with Ryuk ransomware.

If a device becomes infected with ransomware, so will all of its data. Ryuk ransomware encrypts crucial files, data and assets so that only the hacker can access them. Then the hacker demands a sum of money – a ransom – in exchange for the stolen property.

Sometimes cybercriminals steal company secrets in a bid to embarrass victims into paying the ransom, or they encrypt data that organisations can't function without (hospitals are popular targets for a reason!).

One thing that all victims of Ryuk ransomware have in common is that they will pay big money to get their assets back.

Who have they targeted?

As you can imagine, the cybercriminals behind Ryuk ransomware choose their victims carefully to ensure that they get the biggest possible pay-out – that means a lot of organisations with sensitive data become targets.

According to Bleeping Computer, 13% of Ryuk's victims are organisations based in healthcare and social services. Since the summer of 2020 – where hospitals are already feeling the strain of the pandemic – Ryuk have been targeting around 20 organisations a week, most of which are in the healthcare sector.

The attacks don't appear to be stopping anytime soon: in fact, in October 2020, the FBI and U.S. Department of Homeland Security warned the healthcare industry of an "imminent cybercrime threat" to hospitals and healthcare providers across the U.S.

Law enforcement agencies are urging victims not to pay the ransom – after all, a successful hacker is more likely to attack again – but most companies have no choice but to give in to the hacker's demands.

Share: