What is Ryuk Ransomware?
Last week, we told you that Federal agencies issued an unprecedented (if that word doesn’t describe 2020 I don’t know what does) warning against “an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers.” The advisory, which comes from the Cybersecurity Infrastructure and Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS), describes the tactics, techniques, and procedures (TTPs) used by cybercriminals against targets in the Healthcare and Public Health (HPH) Sector to infect systems with ransomware, notably Ryuk and Conti, for financial gain.
Lots of acronyms, but bear with us.
The Ryuk ransomware, operated by the TrickBot gang, was first spotted in August of 2018, but gained notoriety in 2019 once they began demanding multi-million-dollar ransoms from hospitals, local governments, and privately owned companies. Once the COVID-19 pandemic began, security experts noticed an increase in the number of high-value targets with the new stealthy BazarLoader trojan before deploying the Ryuk ransomware. In fact, the operators of the ransomware pulled in over $61 million just in the US, according to figures from the Federal Bureau of Investigation. And that’s just what was reported—other estimates place Ryuk’s take in 2019 in the hundreds of millions of dollars.
What makes the Ryuk attacks so notable?
According to the security experts who investigated a simulated attack, the speed in which the attacks can move from initial compromise to ransomware deployment is what makes this attack so dangerous. Within three and a half hours of a target opening a phishing email attachment, attackers were already conducting network reconnaissance. Within a day, they had gained access to a domain controller, and were in the early stages of an attempt to deploy ransomware.
What should you do if you experience a Ryuk attack?
If you are currently under attack, we strongly suggest you consider the Sophos Rapid Response solution. Because Louisville Geek is a certified Sophos partner, we can offer immediate assistance (even if you are not currently using Sophos). We have expert responders waiting to assist 24/7 and we can have you fully onboarded in just a few hours. In fact, most customers are triaged in as little as 48 hours. If you are not a current customer of Louisville Geek, please contact us. If you are a customer of Louisville Geek, please submit a support ticket.