Ryuk ransomware was a malicious malware that explicitly targeted enterprise environments for a large Bitcoin payment. Ryuk claimed to have insurance amounts and response firms, including breach coach law firms and forensics firms on insurance panels, well gathered in their victims’ intelligence profiles.
GRIM SPIDER was the group behind the ransomware, targeting medium to large corporations since August 2018. Based on mine and other incident responders, the average ransom demand can range from 1 million to 8 million dollars. Ryuk ransomware attacks target large corporations for monetary gain in the form of Bitcoin as payment. Bitcoin is a payment strategy for ransom demands since it cannot be easily traced to a person or relegated. This helps the attackers stay anonymous for a while until they try to cash in many cases.
Attack vectors are initiated either through Remote Desktop Protocol (RDP) or phishing emails. RDP is when an individual accesses the company’s network from a remote location. Phishing is when an individual receives a fake email from a hacker, which allows the hacker to steal the recipient’s data and information. RDP is a target vector because most organizations do not secure their ports. Phishing emails are also targeted because of the trust users place in the credibility of emails.
The sequence of attack:
- To gain initial access, the attacker can either go through the RDP or implement phishing tactics.
- Once accessed, the attacker uses Trickbot, Mimikatze and other software to acquire the credentials of employees higher up in the company.
- This allows attackers to survey the network and locate valuable information for a large ransom. That is because the targeted information is needed for the company to function.
- Then, the attackers use PsExec to add a batch script to all targeted machines. Following this, PsExec is used to copy the Ryuk binary onto the Root directory of the targeted machines. Thus, a new service was created to launch the Ryuk binary and start the attack.
- This starts the process for Ryuk to encrypt files on infected machines, which then displays the ransom note from the attacker.
In response to the high frequency of Ryuk ransomware attacks, a decryptor tool called Ryuk Ransomware Decryptor was created. My team has gained control over the decryptor. The Ryuk Ransomware Decryptor is used in response to incidents where Ryuk Ransomware encrypts a computer. This allows victims to use the decryptor tool instead of paying the attacker to decrypt the targeted information.
The team under my direction has responded to Ryuk Ransomware incidents, where my team was able to use the Ryuk Ransomware Decryptor tool to decrypt and recover the data for the victim. The decryptor was shared to a broader cyber incident responders community and helped much faster to end this threat actor’s lifespan.