Ryuk ransomware earnings top $150 million

The devastating strain is now among the most widely-deployed following several high-profile attacks in 2020

The operators behind the notorious Ryuk ransomware family, one of the world’s fastest-spreading strains, have earned more than $150 million (roughly £110 million) through criminal activity to date.

The ransomware strain has targeted high-profile organisations across the world in recent months, accruing millions of dollars in ransom payments, normally in Bitcoin from a single broker, according to research by Advanced-Intel and HYAS.

Analysis of Bitcoin transactions from known Ryuk addresses has revealed a criminal enterprise estimated to be worth more than $150 million, with ransom payments sometimes amounting to millions of dollars at a time.

Several major organisations have fallen at the hand of Ryuk last year, including French IT services giant Sopra Steria, which confirmed in October it was targeted in an attack that took weeks for the firm to recover from. This incident reportedly cost the company up to €50 million (approximately £45 million). Ryuk has also targeted healthcare organisations in the past, including attacks on several US hospitals in September last year.

Advanced-Intel researcher Vitali Kremez previously revealed in November 2020 that Ryuk’s largest ransom payment was 2,200 Bitcoins, worth $34 million (roughly £25 million) at the time. If that ransom was paid today, it would be worth more than $90 million (more than £66 million), due to the recent Bitcoin surge.

The scale of disruption caused by Ryuk is impressive considering it’s a relatively young strain which only rose to prominence in 2020, having previously been relatively obscure. Research shows only 5,123 attacks were recorded in the first three quarters of 2019, for instance, compared to 67 million during 2020, with Ryuk comprising a third of all ransomware attacks last year.

The new research also outlined how precursor malware strains, which infect enterprise systems before Ryuk is deployed, assess targets for how lucrative they may be. These calculate a score based on various factors to determine how likely victims might be to pay a larger ransom, which informs the operators’ next steps.

The Ryuk hackers are also described as “very business-like” in the report, and “have zero sympathy for the status, purpose, or ability of the victims to pay”. Victims may attempt to negotiate, but the operators commonly respond with a one-word denial. In one case, Ryuk refused to acknowledge the fact that an organisation lacked the means to pay due to being involved in poverty relief. 

The researchers cited various steps that organisations can take to best protect themselves against being hit by Ryuk or any of the precursor malware strains, including Emotet, Zloader, and Qakbot among others.

Related Resource

Securing a remote workforce with a zero-trust strategy

Why zero-trust is the latest foundational cyber security construct for the modern workplace

Download now

These approaches include restricting the execution of Microsoft Office macros to prevent malicious scripts from running in enterprise environments, as well as ensuring all remote access points are up-to-date and require multi-factor authentication (MFA).

Finally, organisations should consider the use of remote access tools as especially risky, including Citrix and Microsoft remote desktop protocol (RDP). The exposure of these systems should, therefore, be limited to a specific list of IP addresses when their use is required.

Featured Resources

The ultimate law enforcement agency guide to going mobile

Best practices for implementing a mobile device program

Free download

The business value of Red Hat OpenShift

Platform cost savings, ROI, and the challenges and opportunities of Red Hat OpenShift

Free download

Managing security and risk across the IT supply chain: A practical approach

Best practices for IT supply chain security

Free download

Digital remote monitoring and dispatch services’ impact on edge computing and data centres

Seven trends redefining remote monitoring and field service dispatch service requirements

Free download

Recommended

Best ransomware removal tools
ransomware

Best ransomware removal tools

14 Oct 2021
Senator to introduce new bill to force ransomware payment disclosures
ransomware

Senator to introduce new bill to force ransomware payment disclosures

6 Oct 2021
Two-thirds of organizations have fallen victim to ransomware
ransomware

Two-thirds of organizations have fallen victim to ransomware

29 Sep 2021
Researchers disclose top flaws abused by ransomware gangs
ransomware

Researchers disclose top flaws abused by ransomware gangs

20 Sep 2021

Most Popular

Best Linux distros 2021
operating systems

Best Linux distros 2021

11 Oct 2021
HPE wins networking contract with Birmingham 2022 Commonwealth Games
Network & Internet

HPE wins networking contract with Birmingham 2022 Commonwealth Games

15 Oct 2021
Veritas Backup Exec 21.3 review: Covers every angle
backup software

Veritas Backup Exec 21.3 review: Covers every angle

14 Oct 2021