There have been many stories in the news about Ryuk, a targeted and powerful piece of ransomware that has been attacking organizations, including municipal governments, state courts, hospitals, enterprises, and large universities. Many of these organizations have paid hefty fees to recover their files following a Ryuk attack, only to find that any number of files have been stolen, and some of the data  left behind is beyond repair. What many people don’t understand about Ryuk is that it is not the beginning of the attack, it is the end of the attack. When Ryuk is triggered to encrypt and ransom the files the real damage has already been done and Ryuk is just insult added to the injury.

How Does Ryuk Work?

The attack begins as a phishing email or a drive-by download triggered by visiting a website or clicking on a popup. The threat actors use a dropper and a Trojan or bot to establish persistent access to the network. They use the tools of the typical Advanced Persistent Threat (APT) operators, from exploiting vulnerable machines to installing keyloggers and stealing credentials, to move around the infiltrated network. They look for information to steal, then gather and exfiltrate it, expanding their footprint as they go. They also install Ryuk on each system to which they gain access. Once they have accessed and exfiltrated everything they can, they trigger Ryuk to encrypt the effected machines and ransom their victims.

Victims of this Ryuk attack have paid hundreds of thousands of dollars to regain access to their information. Unfortunately, it is the attack that comes before Ryuk is triggered that does the real damage. If organizations knew how much information had already been stolen, they would probably be less likely to pay the ransom.

What to do After a Ryuk Attack

Unfortunately, as stated earlier, once you have been infected with Ryuk, there are only two options: pay the ransom or rebuild from backups/scratch. However, it is still strongly recommended that you contact authorities. For example, U.S. companies can contact the FBI, either through their local office, or with an IC3 complaint form. With so many different strains of Ryuk out in the wild, it is vital that as much knowledge as possible be collected in order to find a way to put a stop to such attacks. Additionally, such agencies are often the most capable of widely disseminating information, putting other organizations on high alert. From there, the focus should be on rebuilding with stronger safeguards in place with a strong emphasis on early detection.

How to Prevent Ryuk Attacks

Many organizations, both public and private, already have the precursors of Ryuk in their network. It is the detection of this persistent access that can save an organization that already has an active attack underway. Early detection and remediation can minimize exfiltration and prevent Ryuk from being placed and triggered, thwarting the ransomware element completely. The key to detecting this persistence is to know what to look for.

Core Security, a HelpSystems Company, has been tracking this attack since early 2016 in the form of the often associated Emotet banking Trojan and TrickBot bot network, among others. The presence of any of these threats is a strong indicator that you are under an attack that will likely end up as a Ryuk ransom of your network. The good news is that Core Network Insight detects Emotet, Trickbot, and other precursors of a Ryuk attack early in the infection so that you can clean up your endpoints, eliminating the persistent access to your network that gives the threat actors the opportunity to pillage your information and place Ryuk.

Core Network Insight is the only mature, purpose built, active threat detection solution on the market. It is agentless, as well as OS and platform agnostic. This means that it can detect Emotet, Trickbot, and other infections on such diverse network endpoints as workstations and servers, printers and multifunction devices, IP telephone and IP cameras, video conference units, HVAC and SCADA systems, point of sale terminals and ATMs, MRI, CT, and other DI systems and mobile medical devices, the Internet of Things, and even refrigerators with web panels and network connected coffee makers. If it has an IP address, is plugged into your network, and becomes infected, Core Network Insight will detect it fast and let you know early so you can get ahead of the attack before the damage occurs.

Is Your Environment Infected?

Download our guide on how to identify compromised devices with certainty and get ahead of threats before it's too late.