The operators behind one of the most prevalent ransomware have been working hard to further improve their malware in order to maximize the impact of the attack. The recent version of Ryuk has been observed with a new attribute, allowing it to self-replicate over local networks.

Ryuk with updated capabilities

According to a report issued by CERT-FR, this latest version was first identified in early 2021 during an incident response handled by ANSSI.
  • Ryuk operators have now upgraded the ransomware with the ability to propagate itself from machine to machine within the Windows domain through the use of scheduled tasks.
  • With these worm-like capabilities, the attackers appear to be trying to better automate their ability to rapidly disperse malware from an initial, infected system across an entire network.
  • Now the malware can be executed remotely using scheduled tasks with the help of the genuine schtasks.exe Windows tool.

Notable characteristics of Ryuk

  • Unlike several other ransomware, Ryuk does not have a data exfiltration feature or a dedicated leak website to publish data stolen from its victims.
  • Different cybersecurity firms have attributed Ryuk operators to different threat actors such as Wizard Spider (CrowdStrike) and UNC1878.
  • Ryuk is at the top of the RaaS rankings, involving Emotet and TrickBot malware-as-a-service offerings with Bazar loader or Buer loader.

Recent Ryuk activities

  • Last month, the Villefranche-sur-Saône (Rhône) hospital center was targeted by the Ryuk ransomware.
  • In January, researchers had tracked payments involving 61 bitcoin wallet addresses that were previously attributed and associated with Ryuk ransomware campaigns.

The bottom line

Ryuk is responsible for approximately 75% of ransomware attacks in the healthcare sector recently. In a multi-staged attack, actors deploy it in the final stage, after compromising targeted networks with Trickbot, Emotet, or BazarLoader. Hence, security analysts have an opportunity to block the infiltration in the beginning by staying up to date with security updates and patches.

Cyware Publisher