Ryuk (ransomware)

Ryuk is a type of ransomware known for targeting large, public-entity Microsoft Windows cybersystems. It typically encrypts data on an infected system, rendering the data inaccessible until a ransom is paid in untraceable bitcoin. Ryuk is believed to be used by two or more criminal groups, most likely Russian or Ukrainian, who target organizations rather than individual consumers.

Origin
The Ryuk ransomware first appeared in 2018. Ryuk was initially suspected to be of North Korean origin, then later thought to have been created by only one group or actor. It is now suspected that Ryuk has been created by multiple Russian criminal cartels. The criminal group known as Ryuk seeks primarily to extort ransom payments to decrypt the data that its malware has encrypted and as a result rendered useless. Following an attack on the Baltimore County (Maryland) school system in November 2020, a cybersecurity threat analyst said to the Baltimore Sun, the Ryuk criminal group "tends to be all business... they just like to get the job done": to extort a large ransom payoff.

How it works
In the UK, the National Cyber Security Centre notes that Ryuk uses Trickbot computer malware to install itself, once access is gained to a network's servers. It has the capability to defeat many anti-malware countermeasures that may be present and can completely disable a computer network. It can even seek out and disable backup files if kept on shared servers. Emotet is also used by Ryuk hackers to gain access to computers as the initial loader or "Trojan horse".

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) website provides detailed information on how Ryuk infects and takes control of a computer network, saying that access may be initially gained by: "... phishing campaigns that contain either links to malicious websites that host the malware or attachments with the malware. Loaders start the infection chain by distributing the payload; they deploy and execute the backdoor from the command and control server and install it on the victim’s machine". The phishing efforts generally contain malicious documents (or hyperlinks to them). When the victim enables it, a malicious macro or loader starts the infection sequence. Like many other ransomware families, Ryuk deletes shadow copy files and stops processes from the hardcoded list.

Once Ryuk takes control of a system, it encrypts the stored data, making it impossible for users to access unless a ransom is paid by the victim in untraceable bitcoin. In many cases, days or weeks may elapse between the time hackers initially gain access to a system before the massive encryption occurs, as the criminals penetrate deeper into the network to inflict maximum damage. Ryuk is an especially pernicious type of malware because it also finds and encrypts network drives and resources. It also disables the System Restore feature of Microsoft Windows that would otherwise allow restoring the computer's system files, applications, and Windows Registry to their previous, unencrypted state.

To combat these ransomware attacks, the U.S. Cyber Command initiated a counter-attack in September, 2020, to disconnect Trickbot from internet servers. Shortly thereafter, Microsoft invoked trademark law to disrupt a Ryuk botnet.

Ransomware victims
Ryuk targets large organizations with the ability to pay significant sums of money to regain access to their valuable data. All told, more than $61 million in ransom was paid due to Ryuk malware attacks in 2018–2019, according to the FBI. In December, 2018, a Ryuk-based attack affected publication of the Los Angeles Times and newspapers across the country using Tribune Publishing software. Printing of the Fort Lauderdale Sun Sentinel in Florida was halted and even the newspaper's telephones did not work. On 20 October, 2020, an information technology consulting company based in Paris, Sopra Steria, itself suffered a Ryuk ransomware attack. The cybercriminals encrypted the company's data using a variant of Ryuk, making it inaccessible unless a ransom is paid. The attack will cost the company $47–59 million, it estimated. In the wake of the attack, Ryuk was described as "one of the most dangerous ransomware groups that operate through phishing campaigns".

Between 2019 and 2020, U.S. hospitals in California, New York, and Oregon, as well as in the UK and Germany, have been affected by Ryuk malware, resulting in difficulties with accessing patient records and even impairing critical care. Doctors at affected hospitals have resorted to writing paper instructions, instead of using their inoperable computers. In the U.S., a joint statement was issued on October 29, 2020, by three Federal government agencies, the FBI, CISA, and the Department of Health and Human Services, warning that hospitals should anticipate an " 'increased and imminent' wave of ransomware cyberattacks that could compromise patient care and expose personal information", likely from Ryuk attacks. More than a dozen U.S. hospitals were hit by Ryuk attacks in late 2020, shutting down access to patient records and even disrupting chemotherapy treatments for cancer sufferers.

Also targeted are vulnerable public-sector entities often using older software and not following best protocols for computer security. Lake City, Florida, for example, paid $460,000 in ransom after one of its employees opened an email containing a variant of Ryuk malware in June, 2019.

The ransomware has been used to attack dozens of U.S. school systems, which are often deficient in cybersecurity. Since 2019, more than a thousand schools have been victimized. Sometimes the resulting impairment takes weeks to repair. In 2020, schools from Havre, Montana, to Baltimore County, Maryland, have experienced Ryuk ransomware attacks. Ransom demanded by the perpetrators has ranged from $100,000 to $377,000 or more. Online education provider Stride, Inc. was attacked by Ryuk ransomware criminals in November 2020, rendering some of K12's records inaccessible and leading to the threatened release of students' personal information. The Virginia-based firm paid an undisclosed ransom amount, saying, "Based on the specific characteristics of the case, and the guidance we have received about the attack and the threat actor, we believe the payment was a reasonable measure to take in order to prevent misuse of any information the attacker obtained".

The large Baltimore County Public Schools system in Maryland, serving 115,000 students and having a budget of $1.5 billion, had to suspend all classes after problems were experienced with its computer network beginning on November 24, 2020, reportedly due to Ryuk. The system's crash first manifested itself when teachers attempting to enter students' grades found themselves locked out and noticed Ryuk file extensions. County school officials characterized it as "a catastrophic attack on our technology system" and said it could be weeks before recovery is complete. The school system's director of information technology said, “This is a ransomware attack which encrypts data as it sits and does not access or remove it from our system". Prior to the crippling malware attack, state auditors from the Maryland Office of Legislative Audits performed a periodic audit of the Baltimore County School System's computer network in 2019. They found several vulnerabilities in the system, such as insufficient monitoring of security activities, publicly accessible servers not isolated from the school system's internal network, and a lack of "intrusion detection ... for untrusted traffic". Avi Rubin, Technical Director of the Information Security Institute at Johns Hopkins University, said the auditors' discovery of "computers that were running on the internal network with no intrusion detection capabilities" was of particular concern. Although the final report by the Maryland Office of Legislative Audits was released on November 19, 2020, the auditors initially warned the school system of its findings in October, 2019.

Ryuk's reach is global, hitting councils and government agencies across the globe. One such attack landed on the City of Onkaparinga, South Australia. In December 2019, the Ryuk virus took hold of the city's IT infrastructure. The attack left hundreds of employees in limbo as the cities IT department worked on reinstating operations. Each time backups were reinstated the Ryuk virus would start the process of attacking the system all over again. The attack continued for four days before the IT team were able to contain the virus and reinstate the necessary backups.

In early 2021, a new strain of the Ryuk ransomware was discovered that features worm-like capabilities that can lead to it self-propagating and being distributed to other devices on the local database it is infiltrating.