Ryuk Ransomware: A Threat that Looms Large

Ryuk ransomware is now a threat that has gained infamy across the world. The ransomware that first rose to prominence after impeding newspaper printing services in the United States is still an impending disaster that could strike any moment. New findings from McAfee show that Ryuk ransomware is still running rampant and this threat is especially lethal for businesses given the ransomware’s targeted nature, high ransom demand, and bad decryptor that have already caused several businesses to shut down.

“In a world where cybercriminals are forced to constantly adapt and seek new weaknesses in systems to turn into profits, we have been observing that ransomware is once again on the rise. This is a prospect that is especially worrying given the rise of synergistic threats, where malware is written to include various malicious components with the intention of blurring the vision of the primary objective – just as a smokescreen would. As ransomware threats evolve, our advice for victims is simple: always seek professional advice when you are faced with a targeted ransomware attack such as Ryuk. A wealth of advice can also be accessed via the NoMoreRansom initiative’s website,” says Mr John Fokker, Head of Cyber Investigations at McAfee.

In order to gain more insights on the dreaded ransomware, McAfee teamed up with Coveware to take a closer look at the adversary and victim dynamics of Ryuk Ransomware and structured the research using the Diamond threat model. This model relates four basic elements of an intrusion: adversary, capabilities, infrastructure and victim. As far as the Ryuk Ransomware is concerned, the model can be applied as follows: “An Adversary, cyber-criminal(s), have a capability (Ryuk Ransomware) that is being spread via a TrickBot infection Infrastructure targeting specific victims.

NoMoreRansom, one of the partners of Coveware specialized in ransomware negotiations, provided valuable insights on linking adversary and victim. “By aggregating ransomware negotiation and payment data, Coveware was able to identify strain-specific ransomware trends. With regards to Ryuk, it should be noted that ransom amounts average more than 10x the average, making it the costliest type of ransomware. Coveware also observed that some Ryuk ransoms were highly negotiable, while others were not. The bar-belled negotiation results generated an average ransom payment of $71k, a 60% discount from an average opening ask of $145k,” says the report.

The report also states that in certain cases the adversary would rather receive infrequent large windfalls (often in excess of 100BTC), while in other cases the adversary was keen to monetize every attack and accept lower amounts to ensure payment. This difference in modus operandi suggests that more than one cyber-criminal group is operating Ryuk ransomware.

Some of the other key findings of the report state that

• At this moment there are several actors or actor-groups spreading Ryuk based on the extortion method and varying communications with the victims.
• The actors behind Ryuk have a relation with one of the post-Soviet republics, based on Russian text found in one of the encrypted files and cultural references observed in the ransom negotiations. Actors most likely have an affiliation or relations with the actors behind Trickbot.
• Based on code overlap in the ransomware and decrpytor, McAfee and Coveware can conclude Ryuk is a direct descendant from Hermes2.1 ransomware.
• Ryuk is not designed to be used in a largescale corporate environment, based on the scalability issues and other errors in the decryptor code – despite this it has still been highly profitable.

Ryuk Ransomware: Which Industry Does it Pose an Existential Risk to?

Even though the average ransom discounts of Ryuk are large (~60%), the absolute level of the ransom is extreme. Accordingly, evidence that links ransom demands to the size of the network footprint of the victim company has been seen. However, this doesn’t mean that the ransom demand correlates to the victims actual operational and financial size.

Companies in the IT Hosting and the Freight and Logistics industries have been particularly susceptible to this discrepancy. Coveware has assisted at least 3 companies that have had to unwind their business when an affordable ransom amount, could not be reached. Typically, downtime costs are 10x the ransom amount, but in these industries downtime costs can be particularly extreme.

IT Hosting companies are of note as the size and number of their servers can make them appear like a large organization. Unfortunately, the business of hosting involves high fixed costs, low operating margins, and zero tolerance of downtime by end clients.  Hosting companies that get attacked typically have a few hours to restore service before their clients drop them for alternatives. Moreover, these companies suffer irreparable harm to their reputations, and may trigger SLA breaches that leave them exposed to liability.  The inability to pay a six-figure ransom has caused multiple hosting companies to shut down.

Freight and Logistics firms are also acutely exposed. These firms also present like larger firms given the volume of data they move and their network footprint. Additionally, attacks against Freight and Logistics firms can cause immediate supply chain issues for the victims’ end clients, who are subsequently forced to route through other service providers. Similar to IT Hosting, Freight and Logistics firms have low operating margins and end clients with little tolerance for service interruptions. The inability to pay or negotiate a large ransom has materially impacted several firms in this industry.

"Because of the extremely high ransom demands and highly problematic decryption tool, a Ryuk attack can be fatal to a business with no backups and high sensitivity to downtime. Distribution of Ryuk ransomware has proliferated in the last 90 days. It is quite common for small businesses to be attacked and extorted for small amounts, and very large businesses to be attacked and extorted for larger amounts. Our research with McAfee indicates that Ryuk is being distributed by multiple groups," says Bill Siegel, CEO and Co-founder of Coveware.

What Needs to be Done to Address Ryuk Ransomware?

The report mentions that in the last seven months Ryuk has proven to be a highly profitable form of ransomware, despite the poor programming behind it and its decryptor. The criminals have proven to be ruthless and several of their victims were forced to wind down their businesses after they were unable to afford the exorbitant ransom.

When a company does give in to the high demands it is extra painful to see a situation occur where they are permanently unable to recover their files due to the faulty decryptor. A solid data loss prevention strategy still remains the best advice against all forms of ransomware, for general prevention advice please visit NoMoreRansom. Always seek professional assistance when you are faced with a targeted ransomware attack such as Ryuk.

“When it comes to ransomware, in order to keep pace with attackers we must work together against threats – whether that’s coordination between public and private organizations, sharing of threat intelligence or education within individual businesses,” adds Mr John Fokker, Head of Cyber Investigations at McAfee.