Tue | Mar 2, 2021 | 8:46 AM PST

The Ryuk ransomware strain is making headlines again as a new version has been discovered.

Ryuk was first observed in August 2018 as a variant of the Hermes 2.1 ransomware, which was sold on the underground forum exploit.in by the cybercriminal group CryptoTech.

However, unlike Hermes, Ryuk was never made available on the forum, and CryptoTech has since ceased all of its activities, so there is some doubt regarding the origins of the malware.

Researchers believe that Ryuk is sold as a tool kit to groups of cybercriminals, so there could hypothetically be as many variants as there are criminal groups that buy the code, according to the French National Cyber Security Agency (ANSSI). 

Ryuk variant has 'worm-like characteristics'

The ANSSI recently published a detailed report on Ryuk, including background, chains of infection, and associated cybercriminal groups.

And the cybersecurity agency highlighted a significant, and new, discovery:

"A Ryuk sample with worm-like capabilities allowing it to spread automatically within networks it infects, was discovered during an incident response handled by the ANSSI in early 2021."

The new version of Ryuk ransomware

The new version of Ryuk includes all of its previous functions, but unfortunately, it now has the ability to self replicate over the local network. This presents a number of new challenges for cybersecurity teams. 

Here is a brief summary on the new version from the ANSSI:

"Through the use of scheduled tasks, the malware propagates itself—machine to machine—within the Windows domain.

Once launched, it will thus spread itself on every reachable machine on which Windows RPC accesses are possible.

It would appear that this specific Ryuk version does not carry any exclusion mechanism (MUTEX like) preventing infections of the same machine over and over again."

Containment of this strain of Ryuk can be particularly challenging, as the malware does not check if a machine has already been infected, meaning there is no simple system object creation that could prevent infection.

The ANSSI notes that a privileged account of the domain is used for malware propagation. And that if this user's password is changed, the replication will continue as long as the Kerberos tickets (an authentication method) are not expired. 

Even during a successful attack, it is worth noting that internet browsers and essential components of the operating system are left intact so the victim can read the ransom demand, purchase cryptocurrencies, and pay the ransom.

Who are the targets of Ryuk ransomware attacks?

Ryuk is considered a "big game" type of ransomware. Another way of saying this is "big money."

Since its 2018 discovery, researchers say that Ryuk victims are typically targeted based on their ability to pay high ransom demands.

And although it has not been used to target one specific sector, the ANSSI says the majority of attacks involve organizations in the U.S. and Canada.

As of October 2020, Ryuk is believed to have been responsible for 75% of the attacks on the American healthcare sector. 

The ANSSI included this note in their section on victimology:

"According to Prevailion, as of 3 November 2020, approximately 1,400 entities are thought to be communicating with Cobalt Strike command and control (C2) servers associated with UNC1878, a Ryuk user. These entities are believed to be American hospitals and government agencies, pharmaceutical companies and universities in the rest of the world."

If you want more detailed and technical information regarding Ryuk and this newly discovered strain, you can read ANSSI's report in its entirety.

The lifecycle of ransomware response

Regardless of the type of ransomware that hits your organization, it can feel like the sky is falling if an attack is successful.

Cyber attorney Shawn Tuma recently spoke about this at a virtual SecureWorld conference.

"Ransomware is the kind of thing where you can go to bed the night before, lay your head down on your pillow, have your organization doing great, and you wake up in the morning to have everything shut down and your whole world changed. That's a huge impact. And it's not just a technical aspect of going through that incident response. But there is also an emotional side."

Tuma then proceeded to walk through the ransomware response lifecycle, hour by hour, then the first 72 hours, and continuing on through time.

Listen to this SecureWorld Sessions podcast episode as Tuma walks you through ransomware incident response, so you can prepare:

Also, check out Trend Micro's State of Ransomware report for the latest trends and the operational techniques of multiple variants.