Ransomware is one of the top security concerns for many organizations. Hackers deploy it more strategically now, making it an even more significant threat. To know what’s critical about this modern trend and what others are doing differently to protect themselves, let’s study on high-profile attack deploying ransomware called Ryuk.
In August 2018, Ryuk’s usage by hackers was spotted in the wild by experts. It is distinctive from many other ransomware families, not because of its capabilities, but due to the unique way, it attacks systems. So let’s take a look at this new threat. What is Ryuk? What makes it different from other ransomware attacks? And how can businesses stop it and similar threats in the future?
Ryuk first appeared in August 2018, and its effect is not spread across the globe. Three organizations were hit with Ryuk infections over the first two months of its operations, alighting the attackers about $600,000 plus in ransom for their efforts.
Despite a full scan with popular AV products, the ransomware possesses functionality that users witness in a few other modern ransomware families. To name a few, it can identify and encrypt network drives and resources, as well as delete shadow copies on the endpoint. As a result, the cybercriminals would easily disable the Windows System Restore option for users. This makes it impossible to recover from the attack without external backups.
Another exciting phase of this ransomware is that it leaves more than one note on the computer. The second note comes in a polite tone, similar to the notes dropped by BitPaymer ransomware, which continues the puzzle.
Online experts find many similarities between Ryuk and Hermes. After an in-depth analysis of this threat, the similarities with another ransomware family: the researchers have confirmed Hermes.
Both Ryuk and Hermes pack a numerous occurrence of similar or identical code segments. Additionally, several strings within Ryuk is confirmed that refer to Hermes. After Ryuk gets launched on a system, it goes looking for the Hermes marker that is inserted into each encrypted file. This means that the file or system is attacked or encrypted – sometimes both could have occurred.
Hermes was associated with the Lazarus group, which has connections running to North Korean nation-state operations. All this information has led many analysts to consider that North Korea was behind this attack.
Numerous significant Ryuk attacks have occurred in the last few months principally in the U.S. The ransomware attacked endpoints primarily and necessitated higher ransoms from15 to 50 Bitcoins.
Onslow Water and Sewer Authority (OWASA) attack on October 15, 2018, is the best case to support the claim. The organization was halted for a brief amount of time from being able to use their computers. The customer data water and sewage services were untouched by the ransomware attack. However, the impact did cause significant damage to the organization’s network and ended in numerous databases and systems being built from the base level.
According to analysts and researchers, Ryuk worked as a secondary payload through botnets, namely the Emotet and TrickBot.
Emotet initially infected the endpoints. It can spread throughout the network, as well as launch its spam campaign from the infected endpoint. It sends additional malware to other users on the same or different systems.
From there, the most common payload that we have noticed Emotet drop over the last six months has been TrickBot. This malware can steal credentials, and also to move around the network parallelly and spread in other ways.
Both TrickBot and Emotet are used to steal data, downloaders, and even worms based on their most recent functionality. TrickBot downloads and drops Ryuk ransomware on the system, believing that the infected network is something that the attackers want to ransom.
Ryuk is active from earlier in the year but didn’t make as many headlines as when it launched its “holiday campaign,” or instead of the two most extensive sets of Ryuk infections, which happened around Christmastime.
Data Resolution attack
Data Resolution said that Ryuk infected systems by utilizing a compromised login account. The malware gave control of the organization’s data center domain to the attackers; from there, until the whole network was shut down by Data Resolution.
The company promises customers that no user data was compromised, and the attack was aimed at hijacking and not steal. Although, knowing how this malware finds its way onto an endpoint in the first place is a good sign that they’ve probably lost at least some information.
Tribune Publishing attack
Tribute Publishing umbrella was hit with Ryuk ransomware. Permanently damaging these organizations’ capacity to print their papers. Editors at the San Diego Union-Tribune was unable to send finished pages to the printing press – the attack was found on a Thursday night. These issues have since been resolved.
Ryuk attacks Protection
We know how and why Ryuk attacks businesses, let’s focus on specific technologies and operations that are proven effective against this threat.
Comodo Advanced Endpoint Protection (AEP), comes with useful security features. The Comodo AEP is the best endpoint protection or security tool available in the market. It uses containment technology, thereby, all the unknown (and therefore suspicious) files are run within virtual containers without affecting the host system’s resources or user data.
Antivirus Scanning: Its has an antivirus scanning feature capable of scanning endpoints against a massive list of known good and bad files compiled from years as the world’s most substantial certificate authority and the 85 million endpoints deployed worldwide.
VirusScope behavioral analysis: Uses techniques such as API hooking, DLL injection prevention, and more to identify indicators of compromise while keeping the endpoint safe and without affecting the usability
Valkyrie verdict decision engine: While running in auto-containment, unknown files are uploaded to a global threat cloud for real-time analysis, returning a verdict within 45 seconds for 95% of the files submitted.
Human analysis: In the 5% of cases where VirusScope and Valkyrie are unable to return a verdict, the file can be sent to researchers for human analysis who decide within SLA timelines.
Host intrusion prevention: Rules-based HIPS that monitors application activities and system processes, blocking those that are malicious by halting actions that could damage critical system components.
Personal packet filtering firewall: Provides granular management of inbound and outbound network activities, hides system ports from scans, and provides warnings when suspicious activities are detected. Can be administered remotely or by a local administrator
Device Management and Application Security
Device management and application security are central to endpoint security. And both these factors are given equal importance. ‘Strong mobile policies, easy-to-implement default profiles, over-the-air enrollment, antitheft provision, remote data wipe, and many other features ensure comprehensive device management. Whereas features like ‘application inventory, application blacklisting and whitelisting, remote management, patch management ensure comprehensive application management as well.
For more details visit our website!