IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Ryuk ransomware earnings top $150 million

The devastating strain is now among the most widely-deployed following several high-profile attacks in 2020

The operators behind the notorious Ryuk ransomware family, one of the world’s fastest-spreading strains, have earned more than $150 million (roughly £110 million) through criminal activity to date.

The ransomware strain has targeted high-profile organisations across the world in recent months, accruing millions of dollars in ransom payments, normally in Bitcoin from a single broker, according to research by Advanced-Intel and HYAS.

Analysis of Bitcoin transactions from known Ryuk addresses has revealed a criminal enterprise estimated to be worth more than $150 million, with ransom payments sometimes amounting to millions of dollars at a time.

Several major organisations have fallen at the hand of Ryuk last year, including French IT services giant Sopra Steria, which confirmed in October it was targeted in an attack that took weeks for the firm to recover from. This incident reportedly cost the company up to €50 million (approximately £45 million). Ryuk has also targeted healthcare organisations in the past, including attacks on several US hospitals in September last year.

Advanced-Intel researcher Vitali Kremez previously revealed in November 2020 that Ryuk’s largest ransom payment was 2,200 Bitcoins, worth $34 million (roughly £25 million) at the time. If that ransom was paid today, it would be worth more than $90 million (more than £66 million), due to the recent Bitcoin surge.

The scale of disruption caused by Ryuk is impressive considering it’s a relatively young strain which only rose to prominence in 2020, having previously been relatively obscure. Research shows only 5,123 attacks were recorded in the first three quarters of 2019, for instance, compared to 67 million during 2020, with Ryuk comprising a third of all ransomware attacks last year.

The new research also outlined how precursor malware strains, which infect enterprise systems before Ryuk is deployed, assess targets for how lucrative they may be. These calculate a score based on various factors to determine how likely victims might be to pay a larger ransom, which informs the operators’ next steps.

The Ryuk hackers are also described as “very business-like” in the report, and “have zero sympathy for the status, purpose, or ability of the victims to pay”. Victims may attempt to negotiate, but the operators commonly respond with a one-word denial. In one case, Ryuk refused to acknowledge the fact that an organisation lacked the means to pay due to being involved in poverty relief. 

The researchers cited various steps that organisations can take to best protect themselves against being hit by Ryuk or any of the precursor malware strains, including Emotet, Zloader, and Qakbot among others.

Related Resource

Securing a remote workforce with a zero-trust strategy

Why zero-trust is the latest foundational cyber security construct for the modern workplace

Download now

These approaches include restricting the execution of Microsoft Office macros to prevent malicious scripts from running in enterprise environments, as well as ensuring all remote access points are up-to-date and require multi-factor authentication (MFA).

Finally, organisations should consider the use of remote access tools as especially risky, including Citrix and Microsoft remote desktop protocol (RDP). The exposure of these systems should, therefore, be limited to a specific list of IP addresses when their use is required.

Featured Resources

Meeting the future of education with confidence

How the switch to digital learning has created an opportunity to meet the needs of every student, always

Free Download

The Total Economic Impact™ of IBM Cloud Pak® for Watson AIOps with Instana

Cost savings and business benefits

Free Download

The business value of the transformative mainframe

Modernising on the mainframe

Free Download

Technology reimagined

Why PCaaS is perfect for modern schools

Free Download

Recommended

Darktrace AI’s Antigena helps stop ransomware attack at Dordogne GHT
ransomware

Darktrace AI’s Antigena helps stop ransomware attack at Dordogne GHT

13 Apr 2022
Sabbath hackers are targeting US schools and hospitals
ransomware

Sabbath hackers are targeting US schools and hospitals

29 Nov 2021
US government warns of increased risk of ransomware over holiday season
ransomware

US government warns of increased risk of ransomware over holiday season

24 Nov 2021
Out-of-hours ransomware attacks have a greater impact on revenue
ransomware

Out-of-hours ransomware attacks have a greater impact on revenue

18 Nov 2021

Most Popular

How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

7 Jun 2022
Delivery firm Yodel disrupted by cyber attack
cyber attacks

Delivery firm Yodel disrupted by cyber attack

21 Jun 2022
Salaries for the least popular programming languages surge as much as 44%
Development

Salaries for the least popular programming languages surge as much as 44%

23 Jun 2022