Ryuk Ransomware Shows Diversity in Targets, Consistency in Higher Payouts

The Trend Micro Security Predictions for 2018 noted that although ransomware will not retain the same explosive growth, it will remain a staple of cybercrime, with cybercriminals using it as an easily monetizable tool in their arsenal. Its persistence is perhaps best embodied by a relatively new breed of ransomware, Ryuk, which has been making waves recently with multiple incidents occurring over the past year.

Diverse targets and delivery methods

A recent flash update from the FBI revealed that over 100 organizations around the world have been beset by Ryuk attacks since August 2018. The victims come from different industries, with the most common ones being logistics and technology companies, as well as small municipalities.

The update also noted that identifying Ryuk’s infection vector is difficult because the ransomware typically deletes all evidence of its dropper as part of its routine. Previous incidents nonetheless show that delivery methods for Ryuk can be highly varied: it can be dropped by other malware such as Emotet or Trickbot, or attackers can exploit flaws or weak points in exposed systems to gain access to an organization’s network before deploying it.
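Dropper deletion destroys the sample, but not necessarily the telemetry around it. An endpoint that records process creation and file deletion still shows the pattern: a process spawns a child, and its own on-disk image is removed moments later by itself or by a descendant. The script below is an added example written for this article, not code from the article, Trend Micro or the FBI flash. The event format is an assumption modelled loosely on Sysmon's ProcessCreate (event ID 1) and FileDelete (event ID 23) records, the field names are hypothetical, and the log lines are constructed rather than real Ryuk indicators.

```python
"""Flag processes whose image file is deleted shortly after they spawn a child
(the self-deleting dropper pattern). Added example; event shape is assumed."""
import json
from datetime import datetime, timedelta

# Constructed sample telemetry (hypothetical field names, not real indicators):
# a benign installer whose file stays on disk, and a dropper whose file is
# removed two seconds after it launches a payload.
SAMPLE_EVENTS = [
    r'{"ts": "2019-05-01T10:00:00", "id": 1, "pid": 400, "ppid": 120, "image": "C:\\Users\\a\\setup.exe"}',
    r'{"ts": "2019-05-01T10:00:05", "id": 1, "pid": 401, "ppid": 400, "image": "C:\\Program Files\\App\\app.exe"}',
    r'{"ts": "2019-05-01T10:02:00", "id": 1, "pid": 500, "ppid": 130, "image": "C:\\Users\\a\\AppData\\Local\\Temp\\inv0ice.exe"}',
    r'{"ts": "2019-05-01T10:02:01", "id": 1, "pid": 501, "ppid": 500, "image": "C:\\Users\\Public\\svc.exe"}',
    r'{"ts": "2019-05-01T10:02:03", "id": 23, "pid": 501, "target": "C:\\Users\\a\\AppData\\Local\\Temp\\inv0ice.exe"}',
]


def _is_self_or_descendant(pid, ancestor, procs, max_depth=32):
    """Walk the parent chain from pid; True if it reaches ancestor.
    Caveat: pid reuse is not handled, so a long-lived table should key on
    (pid, creation time) rather than bare pid."""
    cur = pid
    for _ in range(max_depth):
        if cur == ancestor:
            return True
        if cur not in procs:
            return False
        cur = procs[cur][1]
    return False


def find_self_deleting_droppers(lines, window_seconds=60):
    """Return (image, dropper_pid, child_pid, deleter_pid) for every process P
    that spawned a child and whose own image was deleted within window_seconds
    of that spawn, where the deleting process is P or one of its descendants.
    Deletions by unrelated processes (a user removing an installer) are ignored."""
    events = sorted((json.loads(line) for line in lines), key=lambda e: e["ts"])
    procs = {}     # pid -> (image, ppid, creation time)
    spawned = {}   # parent pid -> [(child pid, spawn time)]
    hits = []
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        if e["id"] == 1:
            procs[e["pid"]] = (e["image"], e["ppid"], ts)
            spawned.setdefault(e["ppid"], []).append((e["pid"], ts))
        elif e["id"] == 23:
            target = e["target"].lower()
            for pid, (image, _ppid, _created) in procs.items():
                if image.lower() != target:
                    continue
                if not _is_self_or_descendant(e["pid"], pid, procs):
                    continue
                for child_pid, spawn_ts in spawned.get(pid, []):
                    if timedelta(0) <= ts - spawn_ts <= timedelta(seconds=window_seconds):
                        hits.append((image, pid, child_pid, e["pid"]))
                        break
    return hits


if __name__ == "__main__":
    for image, pid, child, deleter in find_self_deleting_droppers(SAMPLE_EVENTS):
        print(f"possible self-deleting dropper: {image} (pid {pid}) spawned pid {child}; "
              f"image deleted by pid {deleter}")
```

Run against the constructed events it reports only `inv0ice.exe`; `setup.exe` is never deleted and so never fires. The descendant check is what keeps the rule quiet on ordinary cleanup: the same deletion performed by an unrelated process is not a hit.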

Despite the diversity in targets and delivery methods, the threat actors behind the attacks tended to focus on businesses with high revenues since these organizations have the ability to pay more substantial ransom demands.

Larger demands, higher payouts

Ransomware families such as Ryuk, GandCrab, Dharma, and LockerGoga have led to the malware’s resurgence, not just in terms of number of attacks but especially in terms of profit potential. A report from Coveware stated that the average ransom payment increased by 89%, from US$6,733 in the fourth quarter of 2018 to US$12,762 in the first quarter of 2019. The report is consistent with the FBI alert: it singles out Ryuk as a heavy contributor to that increase, since its operators target organizations that can and will pay ransoms far higher than those demanded by other ransomware families.

This increase in payouts serves as evidence that threat actors are shifting away from ransomware campaigns that rely on sheer volume of infections and toward selecting higher-value targets, accruing larger profits for less effort.

Defending against Ryuk and other ransomware

Delivery methods for ransomware are rarely complicated. Even versatile ones like Ryuk still rely on tried and tested techniques such as exploiting vulnerabilities, sending spam and phishing emails, and stealing user credentials. Thus, it is important for organizations to implement the following security best practices to help combat the threat posed by ransomware to their operations:

  • Businesses should update their software to the newest version as soon as possible to help prevent abuse of unpatched vulnerabilities in older iterations.
  • All of the organization’s users should ensure that their data is consistently being backed up, preferably following the 3-2-1 rule: keep at least three copies of the data, on two different types of storage media, with at least one copy located offsite. At least one copy should also be offline or otherwise not writable from production hosts, since ransomware running on an infected machine will encrypt any backup it can reach over a mapped drive or always-connected share. This ensures that data remains recoverable even if ransomware succeeds in infecting the machine on which it is stored.
  • Users should be wary of suspicious emails as these can be attempts to deliver ransomware or steal user credentials that will be used for future attacks. Links contained within an email should not be clicked and attachments should not be downloaded unless the recipient is certain that it came from a legitimate source.
  • The use of system administration tools should be restricted to IT personnel or employees who need access.

Organizations that want to strengthen their overall security posture can consider looking into managed security services such as Trend Micro™ Managed Detection and Response (MDR), which is ideal for businesses that lack the manpower for dedicated security teams. MDR relies on Trend Micro’s wealth of experience in the security industry and expertise at using both internal and external threat intelligence resources in order to spot threats before they can damage an organization’s systems and endpoints. MDR also makes full use of advanced endpoint detection and response (EDR) tools to swiftly and accurately analyze threats and their behaviors. These include advanced security solutions from the Trend Micro suite such as the Deep Discovery™ Inspector solution, which allows for the detection of a threat’s lateral movement within the organization.
