Ryuk ransomware earnings top $150 million

The devastating strain is now among the most widely-deployed following several high-profile attacks in 2020

Abstract image of a padlock above a large ransomware sign to symbolise cyber security

The operators behind the notorious Ryuk ransomware family, one of the world’s fastest-spreading strains, have earned more than $150 million (roughly £110 million) through criminal activity to date.

The ransomware strain has targeted high-profile organisations across the world in recent months, accruing millions of dollars in ransom payments, normally in Bitcoin from a single broker, according to research by Advanced-Intel and HYAS.

Analysis of Bitcoin transactions from known Ryuk addresses has revealed a criminal enterprise estimated to be worth more than $150 million, with ransom payments sometimes amounting to millions of dollars at a time.

Several major organisations have fallen at the hand of Ryuk last year, including French IT services giant Sopra Steria, which confirmed in October it was targeted in an attack that took weeks for the firm to recover from. This incident reportedly cost the company up to €50 million (approximately £45 million). Ryuk has also targeted healthcare organisations in the past, including attacks on several US hospitals in September last year.

Advanced-Intel researcher Vitali Kremez previously revealed in November 2020 that Ryuk’s largest ransom payment was 2,200 Bitcoins, worth $34 million (roughly £25 million) at the time. If that ransom was paid today, it would be worth more than $90 million (more than £66 million), due to the recent Bitcoin surge.

The scale of disruption caused by Ryuk is impressive considering it’s a relatively young strain which only rose to prominence in 2020, having previously been relatively obscure. Research shows only 5,123 attacks were recorded in the first three quarters of 2019, for instance, compared to 67 million during 2020, with Ryuk comprising a third of all ransomware attacks last year.

The new research also outlined how precursor malware strains, which infect enterprise systems before Ryuk is deployed, assess targets for how lucrative they may be. These calculate a score based on various factors to determine how likely victims might be to pay a larger ransom, which informs the operators’ next steps.

The Ryuk hackers are also described as “very business-like” in the report, and “have zero sympathy for the status, purpose, or ability of the victims to pay”. Victims may attempt to negotiate, but the operators commonly respond with a one-word denial. In one case, Ryuk refused to acknowledge the fact that an organisation lacked the means to pay due to being involved in poverty relief. 

The researchers cited various steps that organisations can take to best protect themselves against being hit by Ryuk or any of the precursor malware strains, including Emotet, Zloader, and Qakbot among others.

Related Resource

Securing a remote workforce with a zero-trust strategy

Why zero-trust is the latest foundational cyber security construct for the modern workplace

Download now

These approaches include restricting the execution of Microsoft Office macros to prevent malicious scripts from running in enterprise environments, as well as ensuring all remote access points are up-to-date and require multi-factor authentication (MFA).

Finally, organisations should consider the use of remote access tools as especially risky, including Citrix and Microsoft remote desktop protocol (RDP). The exposure of these systems should, therefore, be limited to a specific list of IP addresses when their use is required.

Featured Resources

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Evaluate your order-to-cash process

15 recommended metrics to benchmark your O2C operations

Download now

AI 360: Hold, fold, or double down?

How AI can benefit your business

Download now

Getting started with Azure Red Hat OpenShift

A developer’s guide to improving application building and deployment capabilities

Download now

Recommended

Best ransomware removal tools
ransomware

Best ransomware removal tools

16 Dec 2020

Most Popular

IT retailer faces €10.4m GDPR fine for employee surveillance
General Data Protection Regulation (GDPR)

IT retailer faces €10.4m GDPR fine for employee surveillance

18 Jan 2021
Citrix buys Slack competitor Wrike in record $2.25bn deal
collaboration

Citrix buys Slack competitor Wrike in record $2.25bn deal

19 Jan 2021
Should IT departments call time on WhatsApp?
communications

Should IT departments call time on WhatsApp?

15 Jan 2021