The backdrop
Initially spotted in August 2018, Ryuk deploys highly targeted campaigns in enterprise environments. Ryuk is ransomware, a form of malware that blocks access to systems until the demanded amount is paid. Ryuk is known for blocking access to computers and data centers belonging to various organizations across the globe.
The threat actors behind Ryuk, identified as Grim Spider, are said to have made millions of dollars by carefully selecting large organizations that can afford to pay the ransom in exchange for access to the encrypted files.
Relationship with other malware
Researchers have observed various similarities between Hermes and Ryuk malware.
Based on these observations, it is speculated that Ryuk may be built on the Hermes malware.
According to various reports, Ryuk is believed to be delivered by the TrickBot or Emotet Trojan. Malware campaigns combining TrickBot, Emotet, and Ryuk have also been reported.
Modus operandi
Ryuk has been designed to attack the critical parts of an infected system for maximum impact.
List of attacks
Starting August last year, Ryuk has been in the news fairly often for impacting the operations of various firms.
August 2018: Ryuk made its debut this month by encrypting the systems of various organizations across the globe. A few organizations are said to have paid a massive ransom to retrieve their data.
October 2018
Onslow Water and Sewer Authority (ONWSA) was affected by the Ryuk ransomware. The North Carolina-based water utility opted not to pay the ransom.
Recipe Unlimited, a Canadian company that runs several restaurant chains, was infected by Ryuk, forcing several restaurants to shut down and many others to accept payments only in cash.
December 2018
All Tribune Publishing newspapers, and those that were formerly part of Tribune, were affected by a Ryuk attack. Known as the Christmas campaign, this wave of Ryuk attacks also affected various other firms around this time, including Dataresolution.net.
May 2019
Ryuk disrupted the operations of C.E. Niehoff & Co., a manufacturing firm. The IT staff unplugged the affected machines before they read the ransom note, which warned them not to do so. As a result, the firm had to rebuild all of the infected systems.
July 2019
LaPorte County in Indiana fell victim to a Ryuk attack. The county paid $130,000 in bitcoin to recover the encrypted data.
The month of July also saw another Ryuk infiltration, in New Bedford, where the attackers demanded $5.3 million. The city refused to pay and rebuilt its systems from backup.
September 2019
A new malware family that appears to share a close relationship with Ryuk has been reported. It is not clear whether Ryuk's operators are behind the new malware, or whether another group has gained access to the code and modified it.