Towards the end of last year, cyber-attacks that apparently bore the distinct signature of Ryuk ransomware struck numerous major news corporations, including the Los Angeles Times and Tribune Publishing.
Cyber-attackers don’t take time off for the holidays like the rest of us!
In the case of the Union-Tribune, it was reported that sports editors initially noticed that they were unable to transmit their finished pages to the printing facility. The next day it got worse, with major disruptions to Saturday editions for many publications.
What is Ryuk Ransomware and How is it Different?
Unlike many other, more common strains of ransomware, which are generally distributed systematically via huge spam campaigns, Ryuk is tailored and targeted for specific organizations. Judging by the victims hit so far, the attackers appear to pick organizations where they can cause the biggest disruption, such as hospitals, ports and now major news corporations.
Ryuk is built for small-scale, hands-on operations: it encrypts only the most sensitive data and the assets most critical to the targeted organization. This is because the infection and distribution side of the ransomware is carried out manually rather than by automated mass spreading.
Although Ryuk has many unique features, analysis from security company Check Point shows that it shares some code similarities with Hermes, a ransomware strain from North Korean hacker group Lazarus.
What Does a Ryuk Ransomware Attack Look Like?
The easiest way to tell that you’ve been affected specifically by Ryuk ransomware is that, amongst all your newly encrypted files, you will find a ransom note titled “RyukReadMe.txt”. There are a few versions of the ransom note, a longer one and a shorter one. Both are fairly poorly written, with spelling and grammar errors, but they end with a very serious and valid message: no system is safe.
Below is a screenshot of one of the ransom notes that led to an organization paying 50 BTC (roughly $190,000 at the time of writing), which is the highest recorded payment:
How Can You Detect and Prevent the Spread of Ransomware?
Many strains of ransomware, including the now infamous WannaCry, encrypt your files and folders and rename them with a new extension suffix. Judging by the ransom note, the same is true for Ryuk. This means that you should be able to spot ransomware attacks like this while they are in progress, by watching for a burst of file renames, and take immediate action.
Unfortunately, the native auditing capabilities of the systems you are using to store your critical data will not be proactive or sophisticated enough to give you the level of detail you need to spot ransomware. What you will need to do is to invest in a data security solution, such as LepideAuditor.
LepideAuditor will enable you to instantly detect any suspicious changes to files, folders and the permissions surrounding them, which will help you react quicker to any potential ransomware attacks in progress. The solution provides you with real time alerts which can be based on a single event or a threshold (such as a large number of file name changes over a short period of time).
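The threshold-style alert described above can be illustrated with a small detector. This is an added example written for this post, not LepideAuditor’s own code: the pipe-separated audit event format, the 20-renames-per-60-seconds threshold, the user names and the “.locked” suffix are all constructed assumptions; the “RyukReadMe.txt” file name is the one quoted earlier in the post.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

RENAME_THRESHOLD = 20          # renames by one account within WINDOW (assumed tuning value)
WINDOW = timedelta(seconds=60)
RANSOM_NOTE = "RyukReadMe.txt" # note name quoted in the post


def parse_event(line):
    """Constructed audit line: ISO timestamp|user|action|path."""
    ts, user, action, path = line.split("|", 3)
    return datetime.fromisoformat(ts), user, action, path


def detect(lines):
    """Return alerts: a per-user sliding-window count of renames, plus ransom-note creation."""
    alerts, windows, fired = [], defaultdict(deque), set()
    for line in lines:
        ts, user, action, path = parse_event(line)
        if action == "create" and path.rsplit("\\", 1)[-1] == RANSOM_NOTE:
            alerts.append(("ransom_note", user, path, ts))
        if action == "rename":
            q = windows[user]
            q.append(ts)
            while q and ts - q[0] > WINDOW:   # drop renames older than the window
                q.popleft()
            if len(q) >= RENAME_THRESHOLD and user not in fired:
                fired.add(user)               # alert once per account, not per event
                alerts.append(("mass_rename", user, len(q), ts))
    return alerts


def build_sample():
    """Constructed events: a few benign renames, then a burst with a made-up '.locked' suffix."""
    base, lines = datetime(2018, 12, 29, 2, 0, 0), []
    for i in range(5):                        # editor renaming drafts over 40 minutes: benign
        t = base + timedelta(minutes=10 * i)
        lines.append(f"{t.isoformat()}|editor1|rename|\\\\fs1\\sports\\draft{i}.docx")
    for i in range(25):                       # 25 renames in 25 seconds: suspicious
        t = base + timedelta(minutes=30, seconds=i)
        lines.append(f"{t.isoformat()}|svc_print|rename|\\\\fs1\\pages\\page{i}.pdf.locked")
    t = base + timedelta(minutes=31)
    lines.append(f"{t.isoformat()}|svc_print|create|\\\\fs1\\pages\\RyukReadMe.txt")
    return lines


if __name__ == "__main__":
    for alert in detect(build_sample()):
        print(alert)
```

The mass-rename alert fires on the 20th rename, before the note is even written, which is the point at which an automated response such as disabling the account would cut the encryption short.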
Once you have detected an unwanted change, LepideAuditor will allow you to take proactive and automated steps to mitigate the risk. LepideAuditor enables you to run your own custom script to perform a specific task such as disabling a user account, deleting a user account, revoking permissions or shutting down a particular computer. This instant incident response will help you detect and prevent the spread of ransomware in your IT environment.
For more information on how LepideAuditor helps you deal with ransomware attacks, click here.