Ryuk doesn’t let go, still the most feared Ransomware

By Pierguido Iezzi, Co-Founder Swascan

Ryuk dominated the Ransomware attack landscape for the fourth consecutive quarter, according to a study by Cisco Talos researchers who analyzed a large sample of Incident Response engagements.

Its operators are changing strategy, greatly increasing the risk to organizations whose response efforts are also hampered by COVID-19.

The study, in fact, revealed how Ryuk operators are changing their techniques and using new means to strike their targets.

How Ryuk has maintained "primacy"

In recent quarters, Ryuk has evolved in a way that unequivocally suggests the Criminal Hackers behind it are changing their tactics.

In fact, an emerging trend has been observed in Ryuk intrusions: the ransomware is no longer necessarily preceded by the classic Trojan loader, which allows the operation to go undetected for longer.

Until recently, Emotet and TrickBot were used as the initial droppers for Ryuk, but this tactic now appears to have been abandoned. The operators of this Ransomware have switched to more refined tools that help them bypass security controls, stay quiet and gain a longer window in which to achieve their goals.

But the Ransomware has evolved in other ways as well: Ryuk operators began relying on encoded PowerShell commands (Base64-encoded scripts passed to powershell.exe so that the plaintext never appears on the command line) to download the payload, disable antivirus and security tools, disrupt backups, and scan the network to build a list of online and offline hosts.
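As an added example (not code from the article or from Cisco Talos), the following Python shows the check a detection engineer would build for the behaviour just described: pull the Base64 blob out of a `-EncodedCommand` argument, decode it (PowerShell expects UTF-16LE inside the Base64), and match the recovered script against indicators for payload download, AV tampering, backup destruction and host scanning. The indicator patterns and the sample command lines are constructed for illustration and are not a published IOC set.

```python
import base64
import re

# Indicator patterns for the behaviours the article attributes to Ryuk's encoded
# PowerShell: payload download, AV tampering, backup disruption, host scanning.
# The list is illustrative (an assumption for this example), not a Talos IOC set.
SUSPICIOUS_PATTERNS = {
    "download": re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b", re.I),
    "av_tamper": re.compile(r"Set-MpPreference\s+-Disable|Stop-Service\s+\S*(Defend|Sense)", re.I),
    "backup_disrupt": re.compile(r"vssadmin.*delete\s+shadows|wbadmin\s+delete|bcdedit.*recoveryenabled\s+no", re.I),
    "host_scan": re.compile(r"Test-Connection|Get-ADComputer|\bnet\s+view", re.I),
}

# powershell.exe accepts -EncodedCommand and its unambiguous prefixes (-e, -ec, -enc ...).
ENC_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)


def encode_for_powershell(script: str) -> str:
    """Produce what an attacker would pass to -EncodedCommand: UTF-16LE, then Base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the plaintext script hidden in an -EncodedCommand argument, or None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed blob (bad Base64 or odd byte count): fall back to raw text


def classify(cmdline: str) -> dict:
    """Decode if needed, then match the (decoded or raw) script against the indicator set."""
    decoded = decode_encoded_command(cmdline)
    text = decoded if decoded is not None else cmdline
    hits = sorted(name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(text))
    return {"encoded": decoded is not None, "decoded": decoded, "hits": hits}


# Constructed process-creation command lines (not real telemetry). The first mimics
# the backup-disruption plus AV-tampering behaviour; the others are benign admin use.
SAMPLE_CMDLINES = [
    "powershell.exe -nop -w hidden -enc " + encode_for_powershell(
        "vssadmin delete shadows /all /quiet; Set-MpPreference -DisableRealtimeMonitoring $true"),
    "powershell.exe -NoProfile -Command Get-Date",
    "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1",
]


def triage(cmdlines):
    """Return only the command lines that hit at least one indicator, with their decoded script."""
    return [dict(cmdline=c, **classify(c)) for c in cmdlines if classify(c)["hits"]]


if __name__ == "__main__":
    for alert in triage(SAMPLE_CMDLINES):
        print(alert["hits"], "<-", alert["decoded"] or alert["cmdline"])
```

The decode step is the part that matters: string-matching the raw command line for `vssadmin` finds nothing, because the attacker's script is only visible after the Base64 and UTF-16LE layers are removed. In production the same logic would be fed from Sysmon Event ID 1 or Windows Security Event ID 4688 command-line fields, and the indicator list would be tuned to the environment.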

As if that wasn't enough, the Criminal Hackers behind these attacks have begun stealing sensitive data to use as leverage to force victims to pay the ransom, continuing a trend that began in 2019.

How Ryuk Strikes

Phishing remained the primary attack vector in the cases where the initial point of entry could be identified, the researchers explain, noting that identification was often difficult due to a lack of reliable logs.

Nevertheless, there were also several instances in which attackers brute-forced a target's exposed RDP services.

It is difficult to say what contributed to this change; it is easy to speculate, however, that it is due in part to the increase in remote working caused by COVID-19, which has expanded the attack surface.

There has also been an increase in Phobos ransomware attacks, which typically leverage compromised RDP connections as the initial vector; despite these indicators, phishing still remains the primary infection vector.
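The RDP brute-forcing described above leaves a recognizable trace in the Windows Security log: a burst of failed logons (Event ID 4625) from one source address, often cycling through usernames, followed by a successful logon (Event ID 4624) from the same address. As an added example (not code from the article or from Cisco Talos), the following Python runs that check over constructed events. The events, threshold and window are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON, SUCCESS_LOGON = 4625, 4624
REMOTE_INTERACTIVE = 10  # Logon Type 10: RDP / Terminal Services session

# Constructed Security-log events (not real telemetry): (time, event_id, logon_type, source_ip, user).
BASE = datetime(2020, 9, 1, 2, 0, 0)
EVENTS = [
    # 12 failures in ~35 s from one external address, rotating usernames...
    (BASE + timedelta(seconds=3 * i), FAILED_LOGON, REMOTE_INTERACTIVE, "203.0.113.7", f"user{i % 3}")
    for i in range(12)
]
EVENTS.append((BASE + timedelta(seconds=70), SUCCESS_LOGON, REMOTE_INTERACTIVE, "203.0.113.7", "backupsvc"))
EVENTS += [
    # ...versus a single mistyped password from an internal host, then a normal logon.
    (datetime(2020, 9, 1, 9, 15, 0), FAILED_LOGON, REMOTE_INTERACTIVE, "10.0.0.5", "jsmith"),
    (datetime(2020, 9, 1, 9, 15, 20), SUCCESS_LOGON, REMOTE_INTERACTIVE, "10.0.0.5", "jsmith"),
]


def peak_in_window(times, window):
    """Largest number of timestamps that fall inside any sliding window of length `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while times[start] < t - window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Flag source IPs with >= threshold failed RDP logons inside `window`, and record
    how many usernames were tried and whether a successful RDP logon followed."""
    failures, users, successes = defaultdict(list), defaultdict(set), defaultdict(list)
    for t, event_id, logon_type, src, user in events:
        if logon_type != REMOTE_INTERACTIVE:
            continue
        if event_id == FAILED_LOGON:
            failures[src].append(t)
            users[src].add(user)
        elif event_id == SUCCESS_LOGON:
            successes[src].append(t)

    alerts = {}
    for src, times in failures.items():
        peak = peak_in_window(times, window)
        if peak < threshold:
            continue
        first_failure = min(times)
        alerts[src] = {
            "peak_failures": peak,
            "distinct_users": len(users[src]),
            # a success after the burst is the case that needs an incident, not just a block
            "success_after": any(ts >= first_failure for ts in successes[src]),
        }
    return alerts


if __name__ == "__main__":
    for src, info in detect_rdp_bruteforce(EVENTS).items():
        print(src, info)
```

One caveat when porting this to real logs: with Network Level Authentication enabled, failed RDP attempts are frequently recorded on the target as Logon Type 3 rather than 10, so a production rule should accept both types for the failure side of the pattern, and the single internal failure in the sample shows why a threshold (rather than any failure) is needed to keep the rule from paging on typos.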

One of the key impacts of the pandemic on organizations, especially those in the healthcare industry, remains the effect on their ability to respond to attacks.

Pre-COVID-19 Incident Response plans certainly didn't account for a pandemic coinciding with a cyber attack!

Factors such as bandwidth limitations and a shortage of staff tasked with responding have affected organizations' ability to handle these types of attacks, which is why they have continued to flourish.