IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Ryuk behind a third of all ransomware attacks in 2020

Attacks surged from just 5,000 during the first three quarters of 2019 to 67 million in 2020 so far

Despite a continued decline in global malware infections, ransomware deployment has surged in 2020, with the Ryuk strain, in particular, gaining plenty of traction.

Global malware infections hit 4.4 billion during the first three quarters of the year, representing a 39% year-on-year decline against the comparable period for 2019. Ransomware incidents rose by 40% during the same timeframe, however, hitting 199.7 million incidents, with a third of these alone attributed to the fledgeling Ryuk strain.

To illustrate just how far Ryuk has come, only 5,123 attacks were recorded during the first three quarters of 2019, compared to 67 million during 2020, according to research by SonicWall.

Although it’s relatively young, Ryuk ransomware has already seen substantial evolution. Starting life as a derivative of the Hermes 2.1 strain and a payload for banking Trojans such as Trickbot, it is now one of the most widely-sought-after hacking tools. Ryuk is often used in spam email campaigns – but also targets specific organisations for huge payouts.

Only days ago, for example, hackers used a new variant of the strain to attack French IT services giant Sopra Steria, with the company claiming it would take weeks to recover. The FBI has also just warned that hackers are targeting the US health sector, including hospitals, with Trickbot malware, leading to Ryuk ransomware attacks, data theft, and disruption.

Recent research by Sophos also shows some variation in the delivery method, with operators now being able to use Ryuk through the malware-as-a-service tool known as Buer – the first time such a tool has been recorded delivering any ransomware strain.

“What’s interesting is that Ryuk is a relatively young ransomware family that was discovered in August 2018 and has made significant gains in popularity in 2020,” said SonicWall vice president for platform architecture, Dmitriy Ayrapetov. “The increase of remote and mobile workforces appears to have increased its prevalence, resulting not only in financial losses, but also impacting healthcare services with attacks on hospitals.

“Ryuk is especially dangerous because it is targeted, manual, and often leveraged via a multi-stage attack preceded by Emotet and TrickBot malware. Therefore, if an organization has Ryuk, it’s a pretty good indication that it’s infested with several types of malware.”

Those deploying Ryuk will commonly use off-the-shelf products such as Cobalt Strike and PowerShell Empire to steal user credentials when targeting a network, allowing them to dump clear text passwords or hash values from memory with the use of Mimikatz – an open-source tool that saves authentication credentials.

Hackers will then fully map the network to understand the scope of the infection, and consciously limit suspicious activity, before moving laterally through the network using native tools such as PowerShell and Remote Desktop Protocol (RDP). Once dropped, Ryuk uses AES-256 encryption to encrypt files and an RSA public key to encrypt the AES key, while also attempting to shut down or uninstall any security applications on a target system.

A ‘read me’ file is then placed on the system, normally demanding a ransom to decrypt seized files, as well as either one or two email addresses through which the victim can contact the hackers. Robust security software is normally highly effective at stopping Ryuk, although once infected, the RSA encryption algorithm used is near-impossible to brute force, and there are currently no free online decryption tools.

SonicWall’s researchers tracked aggressive growth of ransomware attacks during each month of Q3, including a massive spike in September. Although sensors in the UK, Germany, and India recorded decreases, the US saw a staggering 145.2 million ransomware hits, a 139% year-on-year increase.

This is despite the general continued decline in malware infections, with the researchers suggesting that cyber criminals are increasingly pivoting to vectors such as ransomware to take advantage of mass remote working.

The ransomware surge is accompanied by a 19% increase in intrusion attempts, 30% spike in IoT malware, a 3% growth in encrypted threats, and a 2% increase in cryptojacking incidents.

Featured Resources

Meeting the future of education with confidence

How the switch to digital learning has created an opportunity to meet the needs of every student, always

Free Download

The Total Economic Impact™ of IBM Cloud Pak® for Watson AIOps with Instana

Cost savings and business benefits

Free Download

The business value of the transformative mainframe

Modernising on the mainframe

Free Download

Technology reimagined

Why PCaaS is perfect for modern schools

Free Download


Best free malware removal tools 2022

Best free malware removal tools 2022

22 Jun 2022
A guide to cyber security certification and training
Careers & training

A guide to cyber security certification and training

16 Jun 2022
What is shoulder surfing?
social engineering

What is shoulder surfing?

10 Jun 2022
CIAM buyer’s guide

CIAM buyer’s guide

6 Jun 2022

Most Popular

How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

7 Jun 2022
Delivery firm Yodel disrupted by cyber attack
cyber attacks

Delivery firm Yodel disrupted by cyber attack

21 Jun 2022
Swift exit: How the world cut off Russian banks

Swift exit: How the world cut off Russian banks

24 Jun 2022