IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Ryuk ransomware is now targeting web servers

Researchers discover that new functionality has been added to the malware to increase damage

Security researchers have discovered a new variant of the Ryuk ransomware that is targeting web servers.

According to a blog post by Marc Elias, a security researcher on the McAfee Advanced Threat Research team, Ryuk ransomware has shifted its attention to web servers since it no longer encrypts the index file but replaces it with the ransom note instead. 

Elias said that the Ryuk infection chain usually starts with a spear phishing email that includes a malicious URL or  Office document to gain initial entry into victim environments.In certain cases, compromised RDP computers provide the initial access.

In the first scenario, either Trickbot or BazarLoader will be executed and used as a loader malware, offering other actors the opportunity to purchase hacked machines.

Once access to the victim’s machines is acquired by the ransomware actors, a Cobalt Strike beacon is often downloaded in order to obtain users’ credentials and move laterally on the network to take over the domain controllers. Finally, the Ryuk binary is distributed to every machine from the domain controllers.

Elias said that Ryuk copies itself three times in the current directory with different names and launches these new executables with distinct command lines to execute different functionality in each execution.To notify the user about the encryption, Ryuk drops an HTML ransom note in every folder that it encrypts. 

Related Resource

Owning your own access security

The key to building strong cloud security and avoiding the risk of vendor lock-in

Whitepaper front coverDownload now

“This note is remarkably similar to the note used in other Ryuk variants, with the only difference being the use of a contact button with some instructions to install the Tor Browser,” said Elias.

After file encryption, the ransomware will print 50 copies of the ransom note on the default printer.

Elias said that organizations should be on the lookout for traces and behaviors that correlate to open source pen test tools such as winPEAS, Lazagne, Bloodhound and Sharp Hound, or hacking frameworks like Cobalt Strike, Metasploit, Empire or Covenant, as well as abnormal behavior of non-malicious tools that have a dual use. 

“These seemingly legitimate tools (e.g., ADfind, PSExec, PowerShell, etc.) can be used for things like enumeration and execution. Subsequently, be on the lookout for abnormal usage of Windows Management Instrumentation WMIC (T1047),” he said.

Elias added that in the first half of the year, several Ryuk actors have been known to be actively launching new campaigns and targeting organizations all over the world. 

“This is the reason we believe the criminals behind Ryuk will continue to develop new features and invent new methods to maximize their profits,” he added.

Featured Resources

2022 State of the multi-cloud report

What are the biggest multi-cloud motivations for decision-makers, and what are the leading challenges

Free Download

The Total Economic Impact™ of IBM robotic process automation

Cost savings and business benefits enabled by robotic process automation

Free Download

Multi-cloud data integration for data leaders

A holistic data-fabric approach to multi-cloud integration

Free Download

MLOps and trustworthy AI for data leaders

A data fabric approach to MLOps and trustworthy AI

Free Download

Recommended

2022 IBM's Security X-Force cloud threat landscape report
Whitepaper

2022 IBM's Security X-Force cloud threat landscape report

22 Nov 2022
2022 Magic quadrant for Security Information and Event Management (SIEM)
Whitepaper

2022 Magic quadrant for Security Information and Event Management (SIEM)

22 Nov 2022
Seven realities facing SMBs as they enter a future of increased cyber threats
Whitepaper

Seven realities facing SMBs as they enter a future of increased cyber threats

21 Nov 2022
The top 12 password-cracking techniques used by hackers
Security

The top 12 password-cracking techniques used by hackers

14 Nov 2022

Most Popular

The top 12 password-cracking techniques used by hackers
Security

The top 12 password-cracking techniques used by hackers

14 Nov 2022
How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

15 Nov 2022
Interpol arrests nearly 1,000 cyber criminals in months-long anti-fraud operation
cyber crime

Interpol arrests nearly 1,000 cyber criminals in months-long anti-fraud operation

25 Nov 2022