Cyber attacks are becoming increasingly sophisticated and dangerous, with serious consequences for businesses and governments. One of the most widespread and feared forms of attack is ransomware, malicious software that locks a user’s or organization’s files and demands a ransom to unlock them.
Among the various types of ransomware, Ryuk was the talk of the town until the end of 2020.
Here, we take a closer look at the characteristics of this particularly fearsome ransomware, which now appears to be only marginally active, and give some pointers on how to react.
History and origins of the Ryuk ransomware
Ryuk ransomware was first discovered in August 2018 and quickly made news for its ability to infect major organizations across various economic sectors. Ryuk has been attributed to a Russian hacker group known as WIZARD SPIDER.
A variant of the earlier Hermes ransomware, Ryuk tops the list of the most dangerous ransomware attacks. In the CrowdStrike 2020 global threat report, Ryuk accounts for three of the top 10 ransomware demands of the year: USD 5.3 million, USD 9.9 million and USD 12.5 million. Ryuk has successfully attacked industries and companies worldwide. Hackers refer to the practice of targeting large corporations as “big game hunting” (BGH).
Interestingly, this family of ransomware has a Japanese name derived from the anime Death Note. Its name means “God’s gift”, an odd choice for ransomware, given that targets lose data or money. But from the hackers’ point of view, it can be considered a gift from God.
Ryuk, WannaCry, NotPetya: conspicuous pioneers of the rise of ransomware
Although Ryuk isn’t the first ransomware to cause havoc, it has set itself apart from other ransomware families such as WannaCry and NotPetya.
Indeed, instead of targeting individuals and small businesses, Ryuk is (was?) designed to attack organizations with significant financial resources and vital IT infrastructure.
The hackers also appear to be carefully selecting their targets, which may mitigate the spread of the ransomware while maximizing the impact on the chosen victims.
How does Ryuk work?
Deployment of this ransomware is not immediate; it begins with the prior installation of other malware on a computer system. This usually follows a phishing attack, which makes the initial infection easier.
Ryuk is recognized as one of the most notorious examples of ransomware as a service (RaaS) in terms of the scope of its infections. RaaS is a model in which ransomware creators make their malware available to other cybercriminals; in return, the developer receives a share of the ransom paid. This approach is a variant of the software-as-a-service (SaaS) model.
The consequences of Ryuk attacks
Ryuk’s main objective remains simple: to extort as much money as possible. Victims are usually faced with a ransom demand to recover their encrypted data and unlock their systems.
The amount demanded varies, but can easily reach record sums…
Ryuk compromised governments, universities, healthcare facilities, manufacturing companies and technology organizations until late 2020, before going very quiet and perhaps reinventing itself as the Conti ransomware. Still, in 2019, Ryuk saw the highest ransom demand, at 12.5 million USD, and likely harvested a total of 150 million USD by the end of 2020.
Whatever the strain of ransomware, paying the ransom often gives rise to a moral dilemma for businesses, especially when the sums involved are considerable, as is the case with ransomware such as Ryuk.
On the one hand, they don’t want to encourage the financing of criminal organizations by paying. On the other, they have to consider the costs and losses incurred by inaccessible IT systems and paralyzed operations.
In addition to financial losses, victims of such ransomware can also suffer reputational damage, loss of trust from customers and partners, and potentially legal complications related to data breaches.
If you are faced with such a situation, we recommend that you contact us quickly. You can also consult our guide to the first steps to consider in the event of an incident.