Ryuk ransomware operation updates hacking techniques

We have been hearing about the Ryck ransomware since 2018 and has been has been targeting businesses, hospitals, government institutions and other organizations.

When Ryuk infects a system, it first shuts down 180 services and 40 processes. These services and processes could prevent Ryuk from doing its work, or they are needed to facilitate the attack. At that point, the encryption can occur. Ryuk encrypts files such as photos, videos, databases, and documents – all the data you care about – using AES-256 encryption. The symmetric encryption keys are then encrypted using asymmetric RSA-4096. Ryuk is able to encrypt remotely, including remote administrative shares.

The Ryuk attackers demand higher ransom payments from their victims compared to many other ransomware gangs. The ransom amounts associated with Ryuk typically range between 15 and 50 Bitcoins, or roughly between $100,000 and $500,000.

Ryuk is exclusively distributed through TrickBot or follows an infection with the Trojan. The deployment of Ryuk happens weeks after TrickBot first shows up on a network. This is likely because attackers use the data collected by TrickBot to identify potentially valuable networks for Ryuk. It distributes and make an attack chain. Microsoft refers to Ryuk as a human-operated ransomware attack, and it's part of a larger trend of ransomware gangs adopting highly targeted and stealthy techniques that were primarily associated with advanced persistent threat (APT) groups in the past.

The target selection is followed by manual hacking activities that involve network reconnaissance and lateral movement with the goal of compromising domain controllers and gaining access to as many systems as possible. This ensures that when Ryuk is deployed, the damage is swift and widespread across the network, which is more likely to force an organization's hand than holding just a few of its endpoints hostage.

A variant of the older Hermes ransomware, Ryuk tops the list of the most dangerous ransomware attacks. In the CrowdStrike 2020 Global Threat Report, Ryuk accounts for three of the top 10 largest ransom demands of the year: USD $5.3 million, $9.9 million, and $12.5 million. Ryuk has successfully attacked industries and companies around the globe. Hackers call the practice of targeting large companies “big game hunting” (BGH).

Interestingly, this ransomware family carries a Japanese name from the anime movie Death Note. The name means “gift of god.” It seems an odd choice for ransomware since the targets lose data or money. From the hacker's perspective, however, it could be considered a gift of god.

A Russian cybercriminal group known as WIZARD SPIDER is believed to operate Ryuk ransomware. UNC1878, an Eastern European threat actor, has been behind some healthcare-specific attacks. The deployment of this ransomware is not direct; hackers download other malware onto a computer first.