- Ryuk 2020: Distributing Ransomware via TrickBot and BazarLoader
Ryuk first appeared in August 2018, when it was reported to have targeted several organizations across the globe. Since then, Ryuk has become a staple in the cybercrime scene. In fact, as one of the most ubiquitous ransomware families, it is responsible for a third of all ransomware attacks in 2020.
Ryuk employs a wide range of delivery methods. It is commonly deployed by other malware families such as TrickBot or Emotet, as seen in an incident from early 2019 where malicious actors first used TrickBot to move laterally within their victim's network before using it to deploy the ransomware. Ryuk has also been seen exploiting various vulnerabilities, both as a propagation method and as part of its routine.
What makes Ryuk particularly dangerous is its ability to move laterally within the system. It uses both malicious tools and vulnerabilities like EternalBlue and Zerologon to propagate within a network. This means that instead of having to infect each endpoint individually, Ryuk merely has to get a foothold within the IT infrastructure to infect multiple machines.
Starting this year, Ryuk began using another dropper called BazarLoader (also known as BazarBackdoor). Like TrickBot, BazarLoader is primarily distributed via phishing emails that contain either malicious attachments or links to websites (typically free, online file-hosting services) that host malware. These phishing emails rely on standard social engineering techniques; for example, they are usually disguised as business correspondence or other important messages. Once the payload is delivered, a command-and-control (C&C) server is used to deploy and install the backdoor. According to the advisory, the threat actor behind TrickBot is also connected to BazarLoader.
One of the characteristics that distinguishes Ryuk from previous ransomware families is the amount extorted by the malicious actors behind it. As of the first quarter of 2020, the ransom payment for a Ryuk attack averaged US$1.3 million.
From May to September of 2020, there was little Ryuk activity (if any). Nevertheless, a few notable incidents did occur earlier this year, such as the infection of a US government contractor in February. More recently, Ryuk has been observed being deployed in conjunction with the Zerologon vulnerability to encrypt whole domains in a span of a few hours.
Although there are currently no mentions of any mass infections in specific sectors, a few organizations have reported being recently hit by ransomware attacks. On October 27, three hospitals in St. Lawrence County in New York were hit by a series of ransomware attacks described as a new variant of Ryuk. Another hospital, the Sky Lakes Medical Center, also reported being victimized by a Ryuk attack that hit their computer systems and rendered them inaccessible.
We have published a security alert with detailed mitigation steps on this page. To protect themselves, organizations are encouraged to take the following steps:
Indicators of compromise (IOCs) related to this threat can be found here.