The Ryuk Ransomware Now Uses Wake-on-LAN

Ryuk Adds New Features to Increase Devastation
The latest variant of the devastating Ryuk ransomware has been spotted with a new feature that allows it to turn on devices connected to the infected network. By taking advantage of Wake-on-LAN functionality, Ryuk is able to mount additional remote devices and extend its encryption to them. While it’s possible to only allow such commands from an administrator’s machine, those machines are also the most likely to be compromised, since they have the broadest access.
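As an added example (not code from the original post), the following Python snippet parses Wake-on-LAN magic packets out of captured UDP payloads and flags any that did not come from an administrator's machine, which is the control the paragraph above describes. The admin host address and the sample traffic are constructed for illustration.

```python
"""Detect Wake-on-LAN (WoL) magic packets and flag those sent by non-admin hosts."""
from typing import Iterable, List, Optional, Tuple

SYNC_STREAM = b"\xff" * 6   # every magic packet starts with six 0xFF bytes
MAC_LEN, REPEATS = 6, 16    # followed by the target MAC repeated 16 times


def parse_magic_packet(payload: bytes) -> Optional[str]:
    """Return the target MAC (colon-hex) if payload is a WoL magic packet, else None.
    A 4- or 6-byte SecureOn password may trail the 16 MAC copies; any other
    trailer, or a truncated body, is rejected."""
    if not payload.startswith(SYNC_STREAM):
        return None
    body = payload[len(SYNC_STREAM):]
    if len(body) < MAC_LEN * REPEATS:
        return None                      # truncated: fewer than 16 copies
    mac = body[:MAC_LEN]
    if body[:MAC_LEN * REPEATS] != mac * REPEATS:
        return None                      # copies disagree: not a magic packet
    if len(body) - MAC_LEN * REPEATS not in (0, 4, 6):
        return None
    return ":".join(f"{b:02x}" for b in mac)


def detect_unauthorized_wol(records: Iterable[Tuple[str, bytes]],
                            admin_hosts: set) -> List[Tuple[str, str]]:
    """records: (source IP, UDP payload) pairs from a capture or network sensor.
    Returns (source IP, target MAC) for each magic packet whose sender is not an
    approved admin host; a compromised workstation waking machines looks like this."""
    alerts = []
    for src_ip, payload in records:
        mac = parse_magic_packet(payload)
        if mac is not None and src_ip not in admin_hosts:
            alerts.append((src_ip, mac))
    return alerts


def build_magic_packet(mac_hex: str) -> bytes:
    """Assemble a magic packet; used here only to construct the sample traffic."""
    return SYNC_STREAM + bytes.fromhex(mac_hex) * REPEATS


# Constructed sample traffic (not real captures); 10.0.0.5 is the assumed admin host.
ADMIN_HOSTS = {"10.0.0.5"}
SAMPLE_RECORDS = [
    ("10.0.0.5", build_magic_packet("001122334455")),               # admin console
    ("10.0.0.77", build_magic_packet("aabbccddeeff")),              # workstation
    ("10.0.0.77", SYNC_STREAM + bytes.fromhex("aabbccddeeff") * 15),  # truncated
]
```

Running `detect_unauthorized_wol(SAMPLE_RECORDS, ADMIN_HOSTS)` yields a single alert for the workstation; a real deployment would feed it payloads from UDP port 9 (or 7) as seen by a span port or IDS.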
Ryuk is allegedly linked to the state-sponsored hacking group Lazarus and to the earlier Hermes ransomware. Unlike common ransomware strains that are distributed via massive spam campaigns and exploit kits, Ryuk is mostly used in targeted attacks. Ryuk’s earnings crossed $700,000 after just a few months of operation, indicating how successful its operators’ strategy has been. Ryuk uses process injection techniques to hide itself from AV solutions. Ryuk uses a three-tier encryption model in which the keys used to encrypt files are themselves encrypted with RSA, while AES is used to encrypt the user’s files. Ryuk has infected very high-profile targets and demanded extremely large ransoms, on the order of millions of dollars.
Ryuk ransomware continues to wreak havoc – and one U.S. state in particular recently suffered from another successful attack that likely could have been prevented.
Several school districts and government offices in Louisiana were hit by an attack this summer. Unfortunately, the story was just repeated as several state agencies fell victim to another attack on November 18. In this case, the cyberattack shut down systems in the governor’s office, the Department of Motor Vehicles, the Department of Health, and the Department of Children and Family Services.
Once again, it is believed that the ransomware infection started as the result of a phishing email, an attack vector that continues to prove extremely effective.
Fast reaction
Luckily, this attack was recognized relatively quickly, so the state’s IT and cybersecurity response teams immediately shut down several websites and online services to keep the ransomware from spreading to other agencies. Louisiana representatives reported that several servers were affected which, as expected, resulted in several service disruptions.
Today, we activated the state's cybersecurity team in response to an attempted ransomware attack that is affecting some state servers. The Office of Technology Services identified a cybersecurity threat that affected some, but not all state servers. #lagov #lalege — John Bel Edwards (@LouisianaGov) November 18, 2019
Governor John Bel Edwards reported that the state did not pay a ransom and did not lose any data since the state was able to restore its systems from backups.
What they did lose was a lot of time – and time is money. In fact, some services were offline for more than a week, during which time people couldn’t get the services they expected.
While ransomware attacks targeting organizations are constant – experts estimate they occur every 14 seconds – the truth is this lost time and money can be prevented.
Preventing cyberthreats
A recently released study by Emsisoft tells us that during the first nine months of 2019, more than 600 ransomware attacks battered government offices, school districts, and healthcare providers across the U.S. (although we think that the actual figure is much higher). And while that figure is for the U.S. only, the same story is playing out around the globe.
The situation caused the U.S. Senate to recently pass a bill creating cyber hunt and incident response teams at the Department of Homeland Security. These teams will assist targets of ransomware and other cyberattacks. Their strategies and tactics should help improve the situation a bit – but the key point is to prepare before an attack occurs.
If local governments used modern cyber protection solutions, which combine reliable backups with cutting-edge anti-ransomware technologies, they could recover from incidents in a matter of minutes or hours – preventing weeks or months of downtime.
Proven anti-ransomware software
Acronis Active Protection, an artificial-intelligence-based anti-malware defense, is able to stop such new ransomware strains in real time and automatically restore any damaged files. Integrated into cyber protection solutions like Acronis Cyber Backup for businesses, and available for service providers to add to their offering via the Acronis Cyber Cloud, it’s been shown by independent lab testing to be the most effective solution against zero-day ransomware attacks and cryptojacking attacks, and at defending Acronis backups from being targeted.
More importantly, it’s so effective it stopped more than 400,000 ransomware attacks last year, preventing an estimated $200 million in damages.
To learn more about the newest ransomware threats like Ryuk, be sure to bookmark www.gridheart.com/blog which includes news of the latest most notorious ransomware threats.