This dangerous ransomware is using a new trick to encrypt your network

Ryuk ransomware now has the ability to use a worm-like capability to spread itself to any Windows machine on the same network as the initial compromise, warns cybersecurity agency.
Written by Danny Palmer, Senior Writer

A new version of Ryuk ransomware is equipped with an additional worm-like capability to spread itself around infected networks, potentially making it even more dangerous than it was before.

Ryuk is one of the most prolific forms of ransomware, with its cyber-criminal operators thought to have made over $150 million in Bitcoin ransom payments from victim organisations around the world.

Like other forms of ransomware, Ryuk encrypts a network, rendering systems useless and the cyber criminals behind the attack demand a payment in exchange for the decryption key. This demand can stretch into millions of dollars.

SEE: A winning strategy for cybersecurity (ZDNet special report) | Download the report as a PDF (TechRepublic)

Ryuk has become one of the one most successful families of ransomware – and it's regularly updated in order to maintain its effectiveness.

Now France's national cybersecurity agency – Agence Nationale de la Sécurité des Systèmes d'Information (ANSSI), translated into English as National Agency for the Security of Information Systems – has detailed how the latest version of Ryuk is able to self-replicate itself over a local network.

The ransomware can propagate itself across the network using Wake-on-LAN, a feature that enables Windows computers to be turned on remotely by another machine on the same network. By spreading to every reachable machine on the network, the Ryuk attack can be much more damaging.

This capability was discovered while ANSSI was responding to an unidentified Ryuk ransomware incident earlier this year.

The ANSSI paper warms that Ryuk remains particularly active and that "at least one of its operators attacked hospitals during a pandemic".

Hospitals appear to have been a particular target for Ryuk ransomware attacks, despite the – or perhaps because of – the ongoing COVID-19 pandemic, with access to networks vital for patient care. And given the ongoing situation, some hospitals are giving in to ransom demands, perceiving that approach to be the simplest way to keep treating patients – although even paying the ransom doesn't guarantee a smooth restoration off the network.

Ryuk is commonly delivered to victims as the final stage of multi-stage attacks, with networks initially compromised with Trickbot, Emotet or BazarLoader – often by phishing attacks. Those compromised networks are then passed on or leased out to the Ryuk gang in order to infect them with ransomware.

SEE: Phishing: These are the most common techniques used to attack your PC

Often, the initial compromise of networks to install malware takes of advantage of organisations not applying patches against known vulnerabilities.

Therefore, one of the key things an organisation can do to help protect itself against cyberattacks is to ensure the latest security updates are applied across the network as soon as possible after release, particularly when it comes to critical vulnerabilities.

Organisations should also regularly backup the network – and store those backups offline – so that in the event of falling victim to a ransomware attack, the network can be recovered without giving into the demands of cyber criminals.


Editorial standards