The Ryuk ransomware actor is known for well-planned attacks customized to each target. However, according to Advanced Intel's Vitali Kremez, the TrickBot trojan has not been spotted since July 2020. Instead, the TrickBot-linked operators are now deploying the Conti ransomware.
What happened recently?
The Conti ransomware group has shifted to the “double extortion” tactic, launching a leak site as part of its extortion strategy to force victims to pay a ransom or face public exposure of their data.
Some history your way
The operators of the ransomware usually target large entities with high ransom demands. For example, in February 2020, the City of Cartersville paid $380,000 to the attackers.
- Since early 2020, most targeted entities have been located in the U.S., with the most targeted sectors being government (Port Lavaca City Hall, Durham Police Station) and manufacturing (EMCOR, EVRAZ, Electronic Warfare Associates), which suggests the attackers are interested in government- and military-related organizations.
- Other targeted sectors range from education (Gadsden Independent School District, Havre Public Schools Board of Trustees) and information technology (Finastra) to legal services (Mississippi Center for Legal Services).
- The attackers use phishing emails, malicious links, and websites to infect the targeted entity’s employees with TrickBot and Emotet. These bots then spread laterally inside the network and finally deploy the ransomware.
- The encryption scheme used by Ryuk is built for small-scale operations, specifically targeting crucial assets and resources, suggesting that its operators use it for extensively tailored attacks.
- The actors use modules from the Cobalt Strike threat emulation software, DACheck script, and PsExec tool.
- In one incident, the ransomware was deployed after an average of two weeks of TrickBot infection.
- First seen in August 2018, the sophisticated ransomware is believed to be the creation of “Wizard Spider,” a cybercriminal group based in Russia.
- Ryuk is based on Hermes ransomware, which was used by the North Korean Lazarus Group against the Taiwanese Far Eastern International Bank (FEIB) in October 2017.
- Experts believe that the Russian group bought Hermes’ source code from the dark web and upgraded it with a new version called “Ryuk.”
The ransomware actors specifically target organizations capable of paying a higher ransom. To mitigate the threat, organizations must train their employees to recognize such malware-laced phishing emails, patch vulnerable systems, disable macros, segment access to files, take regular backups, and use a reliable anti-malware solution.