Ryuk behind a third of all ransomware attacks in 2020

Despite a continued decline in global malware infections, ransomware deployment has surged in 2020, with the Ryuk strain, in particular, gaining plenty of traction.

Global malware infections hit 4.4 billion during the first three quarters of the year, representing a 39% year-on-year decline against the comparable period for 2019. Ransomware incidents rose by 40% during the same timeframe, however, hitting 199.7 million incidents, with a third of these alone attributed to the fledgeling Ryuk strain.

To illustrate just how far Ryuk has come, only 5,123 attacks were recorded during the first three quarters of 2019, compared to 67 million during 2020, according to research by SonicWall.

Although it’s relatively young, Ryuk ransomware has already seen substantial evolution. Starting life as a derivative of the Hermes 2.1 strain and a payload for banking Trojans such as Trickbot, it is now one of the most widely-sought-after hacking tools. Ryuk is often used in spam email campaigns – but also targets specific organisations for huge payouts.

Only days ago, for example, hackers used a new variant of the strain to attack French IT services giant Sopra Steria, with the company claiming it would take weeks to recover. The FBI has also just warned that hackers are targeting the US health sector, including hospitals, with Trickbot malware, leading to Ryuk ransomware attacks, data theft, and disruption.

Recent research by Sophos also shows some variation in the delivery method, with operators now being able to use Ryuk through the malware-as-a-service tool known as Buer – the first time such a tool has been recorded delivering any ransomware strain.

“What’s interesting is that Ryuk is a relatively young ransomware family that was discovered in August 2018 and has made significant gains in popularity in 2020,” said SonicWall vice president for platform architecture, Dmitriy Ayrapetov. “The increase of remote and mobile workforces appears to have increased its prevalence, resulting not only in financial losses, but also impacting healthcare services with attacks on hospitals.

“Ryuk is especially dangerous because it is targeted, manual, and often leveraged via a multi-stage attack preceded by Emotet and TrickBot malware. Therefore, if an organization has Ryuk, it’s a pretty good indication that it’s infested with several types of malware.”

Those deploying Ryuk will commonly use off-the-shelf products such as Cobalt Strike and PowerShell Empire to steal user credentials when targeting a network, allowing them to dump clear text passwords or hash values from memory with the use of Mimikatz – an open-source tool that saves authentication credentials.

Hackers will then fully map the network to understand the scope of the infection, and consciously limit suspicious activity, before moving laterally through the network using native tools such as PowerShell and Remote Desktop Protocol (RDP). Once dropped, Ryuk uses AES-256 encryption to encrypt files and an RSA public key to encrypt the AES key, while also attempting to shut down or uninstall any security applications on a target system.

A ‘read me’ file is then placed on the system, normally demanding a ransom to decrypt seized files, as well as either one or two email addresses through which the victim can contact the hackers. Robust security software is normally highly effective at stopping Ryuk, although once infected, the RSA encryption algorithm used is near-impossible to brute force, and there are currently no free online decryption tools.

SonicWall’s researchers tracked aggressive growth of ransomware attacks during each month of Q3, including a massive spike in September. Although sensors in the UK, Germany, and India recorded decreases, the US saw a staggering 145.2 million ransomware hits, a 139% year-on-year increase.

This is despite the general continued decline in malware infections, with the researchers suggesting that cyber criminals are increasingly pivoting to vectors such as ransomware to take advantage of mass remote working.

The ransomware surge is accompanied by a 19% increase in intrusion attempts, 30% spike in IoT malware, a 3% growth in encrypted threats, and a 2% increase in cryptojacking incidents.