Ryuk behind a third of all ransomware attacks in 2020

Attacks surged from just 5,000 during the first three quarters of 2019 to 67 million in 2020 so far

Despite a continued decline in global malware infections, ransomware deployment has surged in 2020, with the Ryuk strain, in particular, gaining plenty of traction.

Global malware infections hit 4.4 billion during the first three quarters of the year, representing a 39% year-on-year decline against the comparable period for 2019. Ransomware incidents rose by 40% during the same timeframe, however, hitting 199.7 million incidents, with a third of these alone attributed to the fledgeling Ryuk strain.

To illustrate just how far Ryuk has come, only 5,123 attacks were recorded during the first three quarters of 2019, compared to 67 million during 2020, according to research by SonicWall.

Although it’s relatively young, Ryuk ransomware has already seen substantial evolution. Starting life as a derivative of the Hermes 2.1 strain and a payload for banking Trojans such as Trickbot, it is now one of the most widely-sought-after hacking tools. Ryuk is often used in spam email campaigns – but also targets specific organisations for huge payouts.

Only days ago, for example, hackers used a new variant of the strain to attack French IT services giant Sopra Steria, with the company claiming it would take weeks to recover. The FBI has also just warned that hackers are targeting the US health sector, including hospitals, with Trickbot malware, leading to Ryuk ransomware attacks, data theft, and disruption.

Recent research by Sophos also shows some variation in the delivery method, with operators now being able to use Ryuk through the malware-as-a-service tool known as Buer – the first time such a tool has been recorded delivering any ransomware strain.

“What’s interesting is that Ryuk is a relatively young ransomware family that was discovered in August 2018 and has made significant gains in popularity in 2020,” said SonicWall vice president for platform architecture, Dmitriy Ayrapetov. “The increase of remote and mobile workforces appears to have increased its prevalence, resulting not only in financial losses, but also impacting healthcare services with attacks on hospitals.

“Ryuk is especially dangerous because it is targeted, manual, and often leveraged via a multi-stage attack preceded by Emotet and TrickBot malware. Therefore, if an organization has Ryuk, it’s a pretty good indication that it’s infested with several types of malware.”

Those deploying Ryuk will commonly use off-the-shelf products such as Cobalt Strike and PowerShell Empire to steal user credentials when targeting a network, allowing them to dump clear text passwords or hash values from memory with the use of Mimikatz – an open-source tool that saves authentication credentials.

Hackers will then fully map the network to understand the scope of the infection, and consciously limit suspicious activity, before moving laterally through the network using native tools such as PowerShell and Remote Desktop Protocol (RDP). Once dropped, Ryuk uses AES-256 encryption to encrypt files and an RSA public key to encrypt the AES key, while also attempting to shut down or uninstall any security applications on a target system.

A ‘read me’ file is then placed on the system, normally demanding a ransom to decrypt seized files, as well as either one or two email addresses through which the victim can contact the hackers. Robust security software is normally highly effective at stopping Ryuk, although once infected, the RSA encryption algorithm used is near-impossible to brute force, and there are currently no free online decryption tools.

SonicWall’s researchers tracked aggressive growth of ransomware attacks during each month of Q3, including a massive spike in September. Although sensors in the UK, Germany, and India recorded decreases, the US saw a staggering 145.2 million ransomware hits, a 139% year-on-year increase.

This is despite the general continued decline in malware infections, with the researchers suggesting that cyber criminals are increasingly pivoting to vectors such as ransomware to take advantage of mass remote working.

The ransomware surge is accompanied by a 19% increase in intrusion attempts, 30% spike in IoT malware, a 3% growth in encrypted threats, and a 2% increase in cryptojacking incidents.

Featured Resources

Humility in AI: Building trustworthy and ethical AI systems

How humble AI can help safeguard your business

Download now

Future of video conferencing

Optimising video conferencing features to achieve business goals

Download now

Leadership compass: Privileged Access Management

Securing privileged accounts in a high-risk environment

Download now

Why you need to include the cloud in your disaster recovery plan

Preserving data for business success

Download now

Recommended

Best ransomware removal tools
ransomware

Best ransomware removal tools

17 Nov 2020
What is AES encryption?
Advanced Encryption Standard (AES)

What is AES encryption?

30 Nov 2020
UK's Huawei 5G ban brought forward to September 2021
Security

UK's Huawei 5G ban brought forward to September 2021

30 Nov 2020
Hacker claims to be selling C-suite executives' Microsoft credentials
Security

Hacker claims to be selling C-suite executives' Microsoft credentials

30 Nov 2020

Most Popular

What is phishing?
phishing

What is phishing?

25 Nov 2020
Huawei Mate 40 Pro 5G review: A tragically brilliant Mate
Mobile Phones

Huawei Mate 40 Pro 5G review: A tragically brilliant Mate

26 Nov 2020
Microsoft Teams no longer works on Internet Explorer
Microsoft Office

Microsoft Teams no longer works on Internet Explorer

30 Nov 2020