Ryuk Adds New Features to Increase Devastation
The latest variant of the devastating Ryuk ransomware has been spotted with a new feature that lets it power on devices connected to the infected network. By taking advantage of Wake-on-LAN functionality, Ryuk is able to mount additional remote devices and extend its encryption to them. While it is possible to allow such commands only from an administrator’s machine, those machines are also the most likely to be compromised, since they have the broadest access.
Ryuk is allegedly linked to the state-sponsored hacking group Lazarus and to the earlier Hermes ransomware variant. Unlike common ransomware strains that are distributed via massive spam campaigns and exploit kits, Ryuk is mostly used in targeted attacks. Ryuk’s earnings crossed $700,000 after just a few months of operation, indicating how successful this strategy has been. Ryuk uses process injection techniques to hide itself from AV solutions. Ryuk uses a three-tier encryption model: users’ files are encrypted with AES, and the AES keys are in turn encrypted with RSA. Ryuk has infected very high-profile targets and demanded enormous ransom amounts, in the order of millions of dollars.
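The Wake-on-LAN abuse described above leaves a recognizable trace on the wire: a WoL "magic packet" is a UDP datagram whose payload is six 0xFF bytes followed by the target MAC address repeated sixteen times (optionally followed by a 4- or 6-byte SecureOn password). The following added example, which is not code from the original article or from any Ryuk analysis, parses that format over constructed sample datagrams and flags wake requests that do not originate from an allow-listed administrative host. The IP addresses, MAC addresses and the `UdpDatagram` record type are assumptions made for the example; in practice the payloads would come from a packet capture or a network sensor.

```python
"""Detect Wake-on-LAN magic packets and flag senders outside an admin allow-list.

Added example for this article; the traffic below is constructed, not captured.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

SYNC_STREAM = b"\xff" * 6   # every magic packet starts with six 0xFF bytes
MAC_LEN = 6
REPEATS = 16
BODY_LEN = len(SYNC_STREAM) + MAC_LEN * REPEATS  # 102 bytes without a password


def parse_magic_packet(payload: bytes) -> Optional[str]:
    """Return the target MAC ("aa:bb:..") if payload is a WoL magic packet, else None.

    Accepts the bare 102-byte form and the forms with a 4- or 6-byte SecureOn
    password appended. All sixteen MAC copies must be identical.
    """
    if len(payload) not in (BODY_LEN, BODY_LEN + 4, BODY_LEN + 6):
        return None
    if payload[:len(SYNC_STREAM)] != SYNC_STREAM:
        return None
    mac = payload[6:6 + MAC_LEN]
    for i in range(REPEATS):
        start = 6 + i * MAC_LEN
        if payload[start:start + MAC_LEN] != mac:
            return None
    return ":".join(f"{b:02x}" for b in mac)


@dataclass
class UdpDatagram:
    """Minimal stand-in (assumed for this example) for a decoded UDP datagram."""
    src_ip: str
    dst_port: int
    payload: bytes


def build_magic_packet(mac: str) -> bytes:
    """Assemble a magic packet for a MAC string; used here only to create test traffic."""
    raw = bytes.fromhex(mac.replace(":", ""))
    return SYNC_STREAM + raw * REPEATS


def audit_wol(datagrams: Iterable[UdpDatagram],
              allowed_senders: Set[str]) -> List[Tuple[str, str, str]]:
    """Return (src_ip, target_mac, verdict) for every magic packet in the stream.

    The NIC honours a magic packet regardless of UDP port, so the payload is
    inspected on every datagram rather than only on the conventional ports 7/9.
    """
    findings = []
    for d in datagrams:
        mac = parse_magic_packet(d.payload)
        if mac is None:
            continue
        if d.src_ip in allowed_senders:
            verdict = "allowed"
        else:
            verdict = "ALERT: WoL from non-admin host"
        findings.append((d.src_ip, mac, verdict))
    return findings


# Constructed sample traffic (assumed addresses, not from a real incident).
ADMIN_HOSTS = {"10.0.0.5"}
SAMPLE = [
    UdpDatagram("10.0.0.5", 9, build_magic_packet("00:11:22:33:44:55")),   # admin jump host
    UdpDatagram("10.0.3.77", 9, build_magic_packet("aa:bb:cc:dd:ee:ff")),  # ordinary workstation
    UdpDatagram("10.0.3.77", 53, b"\x12\x34\x01\x00" + b"\x00" * 8),       # unrelated noise
]

if __name__ == "__main__":
    for src, mac, verdict in audit_wol(SAMPLE, ADMIN_HOSTS):
        print(f"{src} -> wake {mac}: {verdict}")
```

A wake request from a workstation that is not on the administrative allow-list is the signal worth alerting on; a workstation has no legitimate reason to power on other hosts, and the check is cheap enough to run on mirrored traffic at the segment boundary.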
Ryuk ransomware continues to wreak havoc – and one U.S. state in particular recently suffered from another successful attack that likely could have been prevented.
Several school districts and government offices in Louisiana were hit by an attack this summer. Unfortunately, the story was just repeated as several state agencies fell victim to another attack on November 18. In this case, the cyberattack shut down systems in the governor’s office, the Department of Motor Vehicles, the Department of Health, and The Department of Children and Family Services.
Once again, it is believed that the ransomware infection started as the result of a phishing email, an attack vector that continues to prove extremely effective.
Luckily, this attack was recognized relatively quickly, so the state’s IT and cybersecurity response teams immediately shut down several websites and online services to keep the ransomware from spreading to other agencies. Louisiana representatives reported that several servers were affected which, as expected, resulted in several service disruptions.
Today, we activated the state's cybersecurity team in response to an attempted ransomware attack that is affecting some state servers. The Office of Technology Services identified a cybersecurity threat that affected some, but not all state servers. #lagov #lalege — John Bel Edwards (@LouisianaGov) November 18, 2019
Governor John Bel Edwards reported that the state did not pay a ransom and did not lose any data since the state was able to restore its systems from backups.
What they did lose was a lot of time – and time is money. In fact, some services were offline for more than a week, during which time people couldn’t get the services they expected.
While ransomware attacks targeting organizations are constant – experts estimate they occur every 14 seconds – the truth is that this lost time and money can be prevented.
A recently released study by Emsisoft tells us that during the first nine months of 2019, more than 600 ransomware attacks battered government offices, school districts, and healthcare providers across the U.S. (although we think that the actual figure is much higher). And while that figure is for the U.S. only, the same story is happening around the globe.
The situation caused the U.S. Senate to recently pass a bill creating cyber hunt and incident response teams at the Department of Homeland Security. These teams will assist targets of ransomware and other cyberattacks. Their strategies and tactics should help improve the situation a bit – but the key point is to prepare before an attack occurs.
If local governments used modern cyber protection solutions that combine reliable backups with cutting-edge anti-ransomware technologies, they could recover from incidents in a matter of minutes or hours – preventing weeks or months of downtime.