The statistics speak for themselves: ransomware attacks increased 500% in 2019 compared to the same period last year. The importance of reaching an optimal level of cybersecurity is reflected in the latest edition of the World Economic Forum’s annual Global Risks Report, which evaluates present, future, and emerging risks all around the world. In this year’s edition, cyberattacks are ranked seventh in terms of probability and eighth in terms of impact.
This comes as no surprise if we consider the impact created by ransomware like Ryuk, which differs from other ransomware in that it mainly attacks business environments.
Therefore, if a normal user were to end up with Ryuk on her computer, she would be nothing more than a collateral victim; the real target for the ransomware’s creator is to make large sums of money by directly attacking companies.
Ryuk, a threat tailored to companies_
Ryuk is a piece of ransomware that first appeared online in August 2018, but it has been in the last few months that it has really spread. In mid-2019, many public institutions and large companies were attacked by organized cybercriminals who made use of this ransomware. This malware has evolved since it first appeared. The sample analyzed by our laboratory in the report was found during an attempted attack in mid-January 2020.
This case is more striking than usual, given how rapidly it spreads and the large number of companies that it affects. These companies have been forced to take measures such as shutting down their computers and taking their networks offline. While these steps are necessary to stop the ransomware from spreading and causing more damage, they can also be costly and have a knock-on effect on service.
Ransomware is, by definition, a malicious program that, once installed on a computer, encrypts the files it finds with a secret key. It then displays a message on the screen instructing the victim to pay a ransom to recover their files. In the case of Ryuk, the exact amount varies depending on the company that has been attacked.
The message that Ryuk displays on the screen when the victim’s computer is turned on doesn’t say how much needs to be payed, unlike WannaCry. In Ryuk’s case, the message doesn’t just show a bitcoin wallet address to make the payment; it also shows two email addresses for the victim to get in touch with the attackers directly, as well as a reference key.
Characteristics of the sample analyzed_
We start with the loader, which is responsible for identifying the system it is on and the launching the right version of Ryuk.
The hash of the loader is:
One of the characteristics of this loader is that it does not contain any metadata, that is, the malware creators didn’t include any information in the data. They occasionally include erroneous data to trick the user and make them think they are running a legitimate application. However, as we will see in the report, as they are using an attack vector that doesn’t require user interaction, the attackers didn’t think it was necessary to use this technique.
Figure 6: Sample metadata
The sample was compiled in 32 bits in order to be able to run on bother 32- and 64-bit environments
Zero trust to fight ransomware_
Ransomware is undeniably an ever-present threat that is hard to contain if you don’t have the right protections and don’t follow the appropriate guidelines. The most important thing is to base your security on a zero-trust approach: don’t trust anything until you can be sure that it is not malicious, and question everything.
Cytomic employs this approach with a combination of advanced endpoint protection in its solution Cytomic EPDR. It combines robust EDR capabilities with endpoint monitoring, telemetry enriched with threat intelligence, and scale data analytics. It also includes the managed Zero-Trust Application Service. This way, it allows you to tackle advanced attacks of any kind, as well as reducing the attack surface against threats such as Ryuk and its variants.
Find out more about Ryuk’s entry vectors, sets of samples attackers have attempted to run, the ransom note, and more, in our malware report, written by PandaLabs.