Ryuk 2020: Distributing Ransomware via TrickBot and BazarLoader

Ryuk first appeared in August 2018, when it was first reported to have targeted several organizations across the globe. Since then, Ryuk has become a staple in the cybercrime scene. In fact, as one of the most ubiquitous ransomware families, it is responsible for a third of all ransomware attacks in 2020.

Ryuk employs a wide range of delivery methods. It is commonly known to be deployed by other malware families such as Trickbot or Emotet, as seen in an incident from early 2019 where malicious actors first used Trickbot to move laterally within their victim’s system before using it to deploy the ransomware. Ryuk has also been seen exploiting various vulnerabilities both as a propagation method and as part of its routine.

What makes Ryuk particularly dangerous is its ability to move laterally within the system. It uses both malicious tools and vulnerabilities like EternalBlue and Zerologon to propagate within a network. This means that instead of having to infect each endpoint individually, Ryuk merely has to get a foothold within the IT infrastructure to infect multiple machines.

Starting this year, Ryuk began using another dropper called BazarLoader (also known as BazarBackdoor). Like Trickbot, BazarLoader is also primarily distributed via phishing emails that contain either malicious attachments or links to websites (typically free, online file-hosting solutions) that host malware. These phishing emails use normal social engineering techniques: For example, they are usually disguised as business correspondence or other important messages. Once the payload is distributed, a command-and-control (C&C) server is used to deploy and install the backdoor. According to the advisory, the threat actor behind TrickBot is also connected to BazarLoader.

One of the characteristics that distinguishes Ryuk from previous ransomware families is the amount that is extorted by the malicious actors behind it. As of the first quarter of 2020, the ransomware payment for a Ryuk attack averaged at US$ 1.3 million.

From May to September of 2020, there was little Ryuk activity (if any). Nevertheless, a few notable incidents did occur earlier this year, such as the infection of a US government contractor in February. More recently, Ryuk has been observed being deployed in conjunction with the Zerologon vulnerability to encrypt whole domains in a span of a few hours.

What are Ryuk’s current targets?

Although there are currently no mentions of any mass infections in specific sectors, a few organizations have reported being recently hit by ransomware attacks. On October 27, three hospitals in St. Lawrence County in New York were hit by a series of ransomware attacks described as a new variant of Ryuk. Another hospital, the Sky Lakes Medical Center, also reported being victimized by a Ryuk attack that hit their computer systems and rendered them inaccessible.

What can be done about Ryuk attacks?

We have published a security alert with detailed mitigation steps on this page. To protect themselves, organizations are encouraged to take the following steps:

  • Patch domain controllers to protect them from being exploited by the Zerologon bug, which is used to gain domain level access.
  • Consider either completely disabling administrative shares or blocking access via firewall solutions. It’s important to note here that Ryuk has been found attempting to encrypt files using Windows administrative shares.
  • Disable PowerShell with Group Policy, as this would add another layer of protection given the widespread use of PowerShell in malware attacks on the network.
  • Always regularly back up all data (preferably by using the 3-2-1 rule) to ensure that it can still be accessed even in the event of successful ransomware encryption. The 3-2-1 rule involves keeping multiple copies of sensitive data and servers in separate and physically secure locations.
  • Consider making files read-only to most users unless they need read/write permission. Furthermore, files older than a certain period (ideally three to six months) should be switched to read-only.
  • For Trend Micro customers, ensure that all Trend Micro endpoint and server protection products enable and configure critical features such as Ransomware Protection, Predictive Machine Learning, and Behavior Monitoring.
  • For Trend Micro Cloud One™ Workload Security and Trend Micro™ Deep Security™ customers, enable Agent Self-Protection.

 Indicators of compromise (IOCs) related to this threat can be found here.


Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.