Ryuk ransomware is now targeting web servers
Researchers discover that new functionality has been added to the malware to increase damage


Security researchers have discovered a new variant of the Ryuk ransomware that is targeting web servers.
According to a blog post by Marc Elias, a security researcher on the McAfee Advanced Threat Research team, Ryuk ransomware has shifted its attention to web servers since it no longer encrypts the index file but replaces it with the ransom note instead.
Elias said that the Ryuk infection chain usually starts with a spear phishing email that includes a malicious URL or Office document to gain initial entry into victim environments.In certain cases, compromised RDP computers provide the initial access.
In the first scenario, either Trickbot or BazarLoader will be executed and used as a loader malware, offering other actors the opportunity to purchase hacked machines.
Once access to the victim’s machines is acquired by the ransomware actors, a Cobalt Strike beacon is often downloaded in order to obtain users’ credentials and move laterally on the network to take over the domain controllers. Finally, the Ryuk binary is distributed to every machine from the domain controllers.
Elias said that Ryuk copies itself three times in the current directory with different names and launches these new executables with distinct command lines to execute different functionality in each execution.To notify the user about the encryption, Ryuk drops an HTML ransom note in every folder that it encrypts.
RELATED RESOURCE
Owning your own access security
The key to building strong cloud security and avoiding the risk of vendor lock-in
“This note is remarkably similar to the note used in other Ryuk variants, with the only difference being the use of a contact button with some instructions to install the Tor Browser,” said Elias.
Sign up today and you will receive a free copy of our Future Focus 2025 report - the leading guidance on AI, cybersecurity and other IT challenges as per 700+ senior executives
After file encryption, the ransomware will print 50 copies of the ransom note on the default printer.
Elias said that organizations should be on the lookout for traces and behaviors that correlate to open source pen test tools such as winPEAS, Lazagne, Bloodhound and Sharp Hound, or hacking frameworks like Cobalt Strike, Metasploit, Empire or Covenant, as well as abnormal behavior of non-malicious tools that have a dual use.
“These seemingly legitimate tools (e.g., ADfind, PSExec, PowerShell, etc.) can be used for things like enumeration and execution. Subsequently, be on the lookout for abnormal usage of Windows Management Instrumentation WMIC (T1047),” he said.
Elias added that in the first half of the year, several Ryuk actors have been known to be actively launching new campaigns and targeting organizations all over the world.
“This is the reason we believe the criminals behind Ryuk will continue to develop new features and invent new methods to maximize their profits,” he added.
Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.
-
AI coding tools are booming – and developers in this one country are by far the most frequent users
News AI coding tools are soaring in popularity worldwide, but developers in one particular country are among the most frequent users.
-
Cisco warns of critical flaw in Unified Communications Manager – so you better patch now
News While the bug doesn't appear to have been exploited in the wild, Cisco customers are advised to move fast to apply a patch
-
A prolific ransomware group says it’s shutting down and giving out free decryption keys to victims – but cyber experts warn it's not exactly a 'gesture of goodwill'
News The Hunters International ransomware group is rebranding and switching tactics
-
Swiss government data published following supply chain attack – here’s what we know about the culprits
News Radix, a non-profit organization in the health promotion sector, supplies a number of federal offices, whose data has apparently been accessed.
-
Ransomware victims are getting better at haggling with hackers
News While nearly half of companies paid a ransom to get their data back last year, victims are taking an increasingly hard line with hackers to strike fair deals.
-
LockBit data dump reveals a treasure trove of intel on the notorious hacker group
News An analysis of May's SQL database dump shows how much LockBit was really making
-
‘I take pleasure in thinking I can rid society of at least some of them’: A cyber vigilante is dumping information on notorious ransomware criminals – and security experts say police will be keeping close tabs
News An anonymous whistleblower has released large amounts of data allegedly linked to the ransomware gangs
-
It's been a bad week for ransomware operators
News A host of ransomware strains have been neutralized, servers seized, and key players indicted
-
Everything we know about the Peter Green Chilled cyber attack
News A ransomware attack on the chilled food distributor highlights the supply chain risks within the retail sector
-
Scattered Spider: Who are the alleged hackers behind the M&S cyber attack?
News The Scattered Spider group has been highly active in recent years