Cybersecurity Quarterly
Threat of the Quarter
This Quarter's Threat: Ryuk Ransomware
by Joshua Palsgraf, Cyber Intelligence Analyst, MS-ISAC
Throughout 2019, state, local, tribal, and territorial (SLTT) government entities have increasingly encountered ransomware attacks resulting in significant network downtime, delayed services to constituents, and costly remediation efforts. Currently, Ryuk ransomware is one of the most prevalent variants in the SLTT threat landscape, with infections doubling from the second to the third quarter of the year. The increase in Ryuk infections was so great that the MS-ISAC saw twice as many infections in the month of July compared to the first half of the year. In the third quarter alone, the MS-ISAC observed Ryuk activity across 14 states.

Ryuk is a type of crypto-ransomware that uses encryption to block access to a system, device, or file until a ransom is paid. Ryuk is often dropped on a system by other malware, most notably TrickBot (featured in last quarter's Threat of the Quarter), or gains access to a system via Remote Desktop Services. Ryuk demands payment via Bitcoin cryptocurrency and directs victims to deposit the ransom in a specific Bitcoin wallet. The ransom demand is typically between 15 and 50 Bitcoins, which is roughly $100,000-$500,000, depending on the price conversion.

Once on a system, Ryuk will spread through the network using PsExec or Group Policy, trying to infect as many endpoints and servers as possible. Then, the malware will begin the encryption process, specifically targeting backups and successfully encrypting them in most cases.

Ryuk is often the last piece of malware dropped in an infection cycle that starts with either Emotet or TrickBot. Multiple malware infections may greatly complicate the process of remediation. The MS-ISAC has observed an increase in cases where Emotet or TrickBot are the initial infections and multiple malware variants are dropped onto the system, with the end result being a Ryuk infection. For example, the MS-ISAC recently assisted in an incident where TrickBot successfully disabled the organization's endpoint antivirus application, spread throughout their network, and ended up infecting hundreds of endpoints and multiple servers. Since TrickBot is a banking trojan, it likely harvested and exfiltrated financial account information on the infected systems prior to dropping the Ryuk ransomware infection. Ryuk was dropped throughout the network, encrypting the organization's data and backups and leaving ransom notes on the infected machines.
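As an added example (not code from the MS-ISAC article), the Python below shows one detection a defender can run over exported Windows System event logs for the PsExec-based spread described above: PsExec installs a helper service, named PSEXESVC by default, on each remote host it runs on, so one account installing that service on many hosts within a few minutes is a useful fan-out signal, while a single helpdesk use stays below the threshold. The log line format, host names and account names are constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry): Windows System log "service was
# installed" events (Event ID 7045) flattened to key=value lines as a SIEM might
# export them. Host and account names are hypothetical.
SAMPLE_EVENTS = """\
2019-08-12T02:14:05 host=FS01 event_id=7045 service=PSEXESVC user=CORP\\admin
2019-08-12T02:14:09 host=WS-117 event_id=7045 service=PSEXESVC user=CORP\\admin
2019-08-12T02:14:12 host=WS-118 event_id=7045 service=PSEXESVC user=CORP\\admin
2019-08-12T02:14:20 host=BACKUP01 event_id=7045 service=PSEXESVC user=CORP\\admin
2019-08-12T09:30:00 host=WS-002 event_id=7045 service=PrintAgent user=CORP\\svc_print
2019-08-13T11:00:00 host=WS-050 event_id=7045 service=PSEXESVC user=CORP\\helpdesk
"""

def parse_events(text):
    """Turn each 'timestamp key=value ...' line into a dict with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        rec["ts"] = datetime.fromisoformat(ts)
        events.append(rec)
    return events

def find_psexec_fanout(events, min_hosts=3, window=timedelta(minutes=10)):
    """Alert when one account installs PSEXESVC on at least min_hosts distinct
    hosts inside `window`. A lone PsExec run by helpdesk staff stays below the
    bar; a burst across many machines matches the spread pattern described above."""
    by_user = defaultdict(list)
    for e in events:
        if e.get("event_id") == "7045" and e.get("service", "").upper() == "PSEXESVC":
            by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            # distinct hosts touched within `window` of this install
            hosts = {e["host"] for e in evs[i:] if e["ts"] - first["ts"] <= window}
            if len(hosts) >= min_hosts:
                alerts.append({"user": user, "first_seen": first["ts"],
                               "hosts": sorted(hosts)})
                break  # one alert per account is enough for triage
    return alerts
```

Running `find_psexec_fanout(parse_events(SAMPLE_EVENTS))` on the sample flags only CORP\admin, who installed PSEXESVC on four hosts (including the backup server) within fifteen seconds. Tune `min_hosts` and `window` to the normal PsExec usage in your environment before deploying the rule.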