IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Ryuk behind a third of all ransomware attacks in 2020

Attacks surged from just 5,000 during the first three quarters of 2019 to 67 million in 2020 so far

Despite a continued decline in global malware infections, ransomware deployment has surged in 2020, with the Ryuk strain, in particular, gaining plenty of traction.

Global malware infections hit 4.4 billion during the first three quarters of the year, representing a 39% year-on-year decline against the comparable period for 2019. Ransomware incidents rose by 40% during the same timeframe, however, hitting 199.7 million incidents, with a third of these alone attributed to the fledgeling Ryuk strain.

To illustrate just how far Ryuk has come, only 5,123 attacks were recorded during the first three quarters of 2019, compared to 67 million during 2020, according to research by SonicWall.

Although it’s relatively young, Ryuk ransomware has already seen substantial evolution. Starting life as a derivative of the Hermes 2.1 strain and a payload for banking Trojans such as Trickbot, it is now one of the most widely-sought-after hacking tools. Ryuk is often used in spam email campaigns – but also targets specific organisations for huge payouts.

Only days ago, for example, hackers used a new variant of the strain to attack French IT services giant Sopra Steria, with the company claiming it would take weeks to recover. The FBI has also just warned that hackers are targeting the US health sector, including hospitals, with Trickbot malware, leading to Ryuk ransomware attacks, data theft, and disruption.

Recent research by Sophos also shows some variation in the delivery method, with operators now being able to use Ryuk through the malware-as-a-service tool known as Buer – the first time such a tool has been recorded delivering any ransomware strain.

“What’s interesting is that Ryuk is a relatively young ransomware family that was discovered in August 2018 and has made significant gains in popularity in 2020,” said SonicWall vice president for platform architecture, Dmitriy Ayrapetov. “The increase of remote and mobile workforces appears to have increased its prevalence, resulting not only in financial losses, but also impacting healthcare services with attacks on hospitals.

“Ryuk is especially dangerous because it is targeted, manual, and often leveraged via a multi-stage attack preceded by Emotet and TrickBot malware. Therefore, if an organization has Ryuk, it’s a pretty good indication that it’s infested with several types of malware.”

Those deploying Ryuk will commonly use off-the-shelf products such as Cobalt Strike and PowerShell Empire to steal user credentials when targeting a network, allowing them to dump clear text passwords or hash values from memory with the use of Mimikatz – an open-source tool that saves authentication credentials.

Hackers will then fully map the network to understand the scope of the infection, and consciously limit suspicious activity, before moving laterally through the network using native tools such as PowerShell and Remote Desktop Protocol (RDP). Once dropped, Ryuk uses AES-256 encryption to encrypt files and an RSA public key to encrypt the AES key, while also attempting to shut down or uninstall any security applications on a target system.

A ‘read me’ file is then placed on the system, normally demanding a ransom to decrypt seized files, as well as either one or two email addresses through which the victim can contact the hackers. Robust security software is normally highly effective at stopping Ryuk, although once infected, the RSA encryption algorithm used is near-impossible to brute force, and there are currently no free online decryption tools.

SonicWall’s researchers tracked aggressive growth of ransomware attacks during each month of Q3, including a massive spike in September. Although sensors in the UK, Germany, and India recorded decreases, the US saw a staggering 145.2 million ransomware hits, a 139% year-on-year increase.

This is despite the general continued decline in malware infections, with the researchers suggesting that cyber criminals are increasingly pivoting to vectors such as ransomware to take advantage of mass remote working.

The ransomware surge is accompanied by a 19% increase in intrusion attempts, 30% spike in IoT malware, a 3% growth in encrypted threats, and a 2% increase in cryptojacking incidents.

Featured Resources

How to hold more productive meetings

Tips and tricks to get the most out of your meetings

Free Download

Enabling the future of work with embedded real-time communication

A new dimension of human interaction is coming to digital work

Free Download

How to do hybrid work right

Overcoming challenges in the transition to hybrid work

Watch now

HCI 2.0 From HPE: How it can help your business thrive

Why SMBs need to accelerate digital transformation with HCI

Free download

Recommended

Dell Technologies World 2022: Dell unveils fastest storage architecture in company history
Server & storage

Dell Technologies World 2022: Dell unveils fastest storage architecture in company history

4 May 2022
Dell Technologies World 2022: Dell unveils security offerings for major cloud providers
public cloud

Dell Technologies World 2022: Dell unveils security offerings for major cloud providers

3 May 2022
How do you become an ethical hacker?
ethical hacking

How do you become an ethical hacker?

29 Apr 2022
What is phishing?
phishing

What is phishing?

29 Apr 2022

Most Popular

Windows Server admins say latest Patch Tuesday broke authentication policies
Server & storage

Windows Server admins say latest Patch Tuesday broke authentication policies

12 May 2022
16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

13 May 2022
How full-stack observability can accelerate IT innovation
Sponsored

How full-stack observability can accelerate IT innovation

3 May 2022