RYUK Ransomware Continues to Attack U.S. Businesses
23 Jul 2019
G' SECURE LABS
security@gsecurelabs.com
www.gsecurelabs.com

Ransomware continues to strike businesses without warning by attacking their data. According to a Robinson & Cole report on Lexology, the FBI recently issued a Flash alert stating that RYUK ransomware has hit more than 100 U.S. companies, and it is expected to keep causing damage to logistics and technology companies, small municipalities and government agencies. On May 18th, 2019, Monster Cloud's CEO Zohar Pinhasi said on WPTV that RYUK is the new ransomware taking down businesses and government agencies.

Ryuk, which started affecting companies in August 2018, differs from many other ransomware families not because of its capabilities but because of the novel way it infects systems.

Image Credit: csoonline.com

Ryuk was first seen in August 2018, when at least three organizations were hit with Ryuk infections, landing the attackers about $640,000 in ransom for their efforts. Researchers at Check Point conducted a deep analysis of this threat, and one of their findings was that Ryuk shares many similarities with another ransomware family, Hermes: both contain numerous similar or identical code segments.

According to the FBI Flash, once RYUK ransomware enters a system it deletes the files related to the intrusion, which can make the infection vector impossible to identify. The attackers steal credentials and brute-force Remote Desktop Protocol (RDP) logins to gain access; once inside, they can download further network exploitation tools onto the victim's system. When RYUK is executed, it establishes persistence in the registry, injects into running processes, looks for network-connected file systems, and starts encrypting files.
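The execution chain described above (registry persistence, process injection, discovery of network-connected file systems, then bulk encryption) is exactly the kind of behaviour pattern a detection rule can key on instead of file hashes. The following is an added example and not G'Secure Labs' or the FBI's detection logic: a small Python detector run over constructed endpoint telemetry. The event format, the process name payload.exe, the ".locked" suffix, the readme filename and the window and rename thresholds are all assumptions made for illustration.

```python
"""Behaviour-based detection of a Ryuk-style execution chain.

Added example, not G'Secure Labs' or the FBI's detection logic. The telemetry
format, process names, the ".locked" suffix and all thresholds are
constructed assumptions for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed endpoint telemetry (not real Ryuk logs), one event per line:
# timestamp|process|action|target. "payload.exe" is a hypothetical name.
SAMPLE_EVENTS = r"""
2019-07-23T10:00:01|explorer.exe|file_write|C:\Users\alice\report.docx
2019-07-23T10:00:02|backup.exe|file_rename|D:\bak\a.zip -> D:\bak\a.zip.bak
2019-07-23T10:00:03|backup.exe|file_rename|D:\bak\b.zip -> D:\bak\b.zip.bak
2019-07-23T10:00:05|payload.exe|registry_set|HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater
2019-07-23T10:00:06|payload.exe|process_inject|svchost.exe
2019-07-23T10:00:07|payload.exe|net_share_enum|\\fileserver\finance
2019-07-23T10:00:08|payload.exe|file_rename|\\fileserver\finance\q1.xlsx -> \\fileserver\finance\q1.xlsx.locked
2019-07-23T10:00:08|payload.exe|file_rename|\\fileserver\finance\q2.xlsx -> \\fileserver\finance\q2.xlsx.locked
2019-07-23T10:00:09|payload.exe|file_rename|\\fileserver\finance\budget.docx -> \\fileserver\finance\budget.docx.locked
2019-07-23T10:00:09|payload.exe|file_rename|\\fileserver\finance\payroll.csv -> \\fileserver\finance\payroll.csv.locked
2019-07-23T10:00:10|payload.exe|file_rename|\\fileserver\finance\notes.txt -> \\fileserver\finance\notes.txt.locked
2019-07-23T10:00:12|payload.exe|file_write|\\fileserver\finance\readme.txt
"""

EVENT_RE = re.compile(r"^(?P<ts>[^|]+)\|(?P<proc>[^|]+)\|(?P<action>[^|]+)\|(?P<target>.+)$")
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)  # autostart key
NOTE_RE = re.compile(r"readme", re.IGNORECASE)  # the "readme" note the FBI mentions

WINDOW = timedelta(seconds=60)   # how long one process is watched for the chain
MASS_RENAME_THRESHOLD = 5        # files renamed to one new suffix before alerting


def parse_events(text):
    """Parse telemetry lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.strip().splitlines():
        m = EVENT_RE.match(line)
        if m is None:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def indicators(events, rename_threshold=MASS_RENAME_THRESHOLD):
    """Map one process's events (already restricted to a window) to indicators."""
    seen = set()
    renamed = defaultdict(set)  # appended suffix -> original file names
    for ev in events:
        action, target = ev["action"], ev["target"]
        if action == "registry_set" and RUN_KEY_RE.search(target):
            seen.add("run_key_persistence")
        elif action == "process_inject":
            seen.add("process_injection")
        elif action == "net_share_enum":
            seen.add("share_discovery")
        elif action == "file_rename" and " -> " in target:
            old, new = target.split(" -> ", 1)
            if new.startswith(old) and len(new) > len(old):
                renamed[new[len(old):]].add(old)  # same name plus a new suffix
        elif action == "file_write" and NOTE_RE.search(target):
            seen.add("ransom_note_drop")
    if any(len(files) >= rename_threshold for files in renamed.values()):
        seen.add("mass_rename")
    return seen


def detect(events, window=WINDOW, rename_threshold=MASS_RENAME_THRESHOLD):
    """Return {process: sorted indicators} for each process that, within any
    `window`, either mass-renames files or shows three or more distinct
    indicators. Requiring several indicators keeps a bulk tool that renames
    only a couple of files (backup.exe above) from alerting on its own."""
    by_proc = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_proc[ev["proc"]].append(ev)
    alerts = {}
    for proc, evs in by_proc.items():
        for start, first in enumerate(evs):
            in_window = [e for e in evs[start:] if e["ts"] - first["ts"] <= window]
            seen = indicators(in_window, rename_threshold)
            if "mass_rename" in seen or len(seen) >= 3:
                alerts[proc] = sorted(seen)
                break
    return alerts


if __name__ == "__main__":
    for proc, seen in detect(parse_events(SAMPLE_EVENTS)).items():
        print(f"ALERT {proc}: {', '.join(seen)}")
```

Running the file prints one ALERT line for payload.exe while explorer.exe and backup.exe stay quiet. Lowering the rename threshold to 2 makes backup.exe alert as well, which is the false-positive trade-off any rename-rate rule has to be tuned against; the multi-indicator scoring is what lets the threshold stay high without missing the chain.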
The FBI asks victims to preserve and provide the following artifacts and information:

- Recovered executable file
- Copies of the "readme" file (DO NOT REMOVE the file, or decryption may not be possible)
- Live memory (RAM) capture
- Images of infected systems
- Malware samples
- Log files
- E-mail addresses of the attackers
- A copy of the ransom note
- Ransom amount and whether or not the ransom was paid
- Bitcoin wallets used by the attackers
- Bitcoin wallets used to pay the ransom
- Names of any other malware identified on your system
- Copies of any communications with attackers

We at G'SecureLabs have the capabilities to keep you from becoming a victim. Our managed detection and response (MDR) solutions detect and prevent ransomware like RYUK through the behavioural patterns ransomware exhibits, so that RYUK is killed in the earliest stages of execution. Our cybersecurity professionals achieve this using machine learning (ML) and indicators of attack (IOAs) against this malware family.

If you are a victim of a cyber-attack or ransomware, contact G'Securelabs at security@gsecurelabs.com

Industries migrate to the new age of digital transformation.

Global HQ
Maria Montessorilaan 5, 2719 DB Zoetermeer, The Netherlands

India Headquarters
B/81, Corporate House, Judges Bunglow Road, Bodakdev, Ahmedabad - 380054, India.

Pune Office
103, Pride House, 1st Floor, S. No. 108/7, Pune University Road, Pune - 411016, India.

Phone: +91 79 2685 2554 / 55 / 56
E-mail: hello@gsecurelabs.com
www.gsecurelabs.com

Confidentiality Clause: This document and any files with it are for the sole use of the intended recipient(s) and may contain confidential and privileged information. If you are not the intended recipient, please destroy all copies of the document. Any unauthorized review, use, disclosure, dissemination, forwarding, printing or copying of this document or any action taken in reliance on this document is strictly prohibited and may be unlawful.
Copyright © Gateway Group