The operators behind the notorious Ryuk ransomware family, one of the world’s fastest-spreading strains, have earned more than $150 million (roughly £110 million) through criminal activity to date.
The ransomware strain has targeted high-profile organisations across the world in recent months, accruing millions of dollars in ransom payments, normally in Bitcoin from a single broker, according to research by Advanced-Intel and HYAS.
The most popular ransomware strains targeting UK businesses Maze ransomware gang retires from cyber crime The truth about ransomware
Analysis of Bitcoin transactions from known Ryuk addresses has revealed a criminal enterprise estimated to be worth more than $150 million, with ransom payments sometimes amounting to millions of dollars at a time.
Several major organisations have fallen at the hand of Ryuk last year, including French IT services giant Sopra Steria, which confirmed in October it was targeted in an attack that took weeks for the firm to recover from. This incident reportedly cost the company up to €50 million (approximately £45 million). Ryuk has also targeted healthcare organisations in the past, including attacks on several US hospitals in September last year.
Advanced-Intel researcher Vitali Kremez previously revealed in November 2020 that Ryuk’s largest ransom payment was 2,200 Bitcoins, worth $34 million (roughly £25 million) at the time. If that ransom was paid today, it would be worth more than $90 million (more than £66 million), due to the recent Bitcoin surge.
The scale of disruption caused by Ryuk is impressive considering it’s a relatively young strain which only rose to prominence in 2020, having previously been relatively obscure. Research shows only 5,123 attacks were recorded in the first three quarters of 2019, for instance, compared to 67 million during 2020, with Ryuk comprising a third of all ransomware attacks last year.
The new research also outlined how precursor malware strains, which infect enterprise systems before Ryuk is deployed, assess targets for how lucrative they may be. These calculate a score based on various factors to determine how likely victims might be to pay a larger ransom, which informs the operators’ next steps.
The Ryuk hackers are also described as “very business-like” in the report, and “have zero sympathy for the status, purpose, or ability of the victims to pay”. Victims may attempt to negotiate, but the operators commonly respond with a one-word denial. In one case, Ryuk refused to acknowledge the fact that an organisation lacked the means to pay due to being involved in poverty relief.
The researchers cited various steps that organisations can take to best protect themselves against being hit by Ryuk or any of the precursor malware strains, including Emotet, Zloader, and Qakbot among others.
RELATED RESOURCE
Securing a remote workforce with a zero-trust strategy
Why zero-trust is the latest foundational cyber security construct for the modern workplace
These approaches include restricting the execution of Microsoft Office macros to prevent malicious scripts from running in enterprise environments, as well as ensuring all remote access points are up-to-date and require multi-factor authentication (MFA).
Finally, organisations should consider the use of remote access tools as especially risky, including Citrix and Microsoft remote desktop protocol (RDP). The exposure of these systems should, therefore, be limited to a specific list of IP addresses when their use is required.
-
‘I take pleasure in thinking I can rid society of at least some of them’: A cyber vigilante is dumping information on notorious ransomware criminals – and security experts say police will be keeping close tabsNews An anonymous whistleblower has released large amounts of data allegedly linked to the ransomware gangs
-
It's been a bad week for ransomware operatorsNews A host of ransomware strains have been neutralized, servers seized, and key players indicted
-
Everything we know about the Peter Green Chilled cyber attackNews A ransomware attack on the chilled food distributor highlights the supply chain risks within the retail sector
-
Scattered Spider: Who are the alleged hackers behind the M&S cyber attack?News The Scattered Spider group has been highly active in recent years
-
Ransomware attacks are rising — but quiet payouts could mean there's more than actually reported
News Ransomware attacks continue to climb, but they may be even higher than official figures show as companies choose to quietly pay to make such incidents go away.
-
Cleo attack victim list grows as Hertz confirms customer data stolen – and security experts say it won't be the lastNews Hertz has confirmed it suffered a data breach as a result of the Cleo zero-day vulnerability in late 2024, with the car rental giant warning that customer data was stolen.
-
‘Phishing kits are a force multiplier': Cheap cyber crime kits can be bought on the dark web for less than $25 – and experts warn it’s lowering the barrier of entry for amateur hackersNews Research from NordVPN shows phishing kits are now widely available on the dark web and via messaging apps like Telegram, and are often selling for less than $25.
-
Healthcare systems are rife with exploits — and ransomware gangs have noticedNews Nearly nine-in-ten healthcare organizations have medical devices that are vulnerable to exploits, and ransomware groups are taking notice.
