The Rise of Ryuk Ransomware in the United States

For a time, in the world of cybercrime, Ryuk ransomware may have not been as widely seen in usage. Recently, however, there has been a growing rise in Ryuk ransomware attacks. In the new year so far, Ryuk ransomware has been used to compromise state owned systems; the state of Florida had to pay $1M in January to its Ryuk attackers, with the recent attack being the City of Durham, North Carolina.

According to local media reports, the compromise of the City of Durham’s network led to the total shutdown of the network, on which the Durham Police Department, the Sheriff’s Office and communication center rely on. This was a measure to stop the attack from spreading further than it had. Although there hasn’t been news on the amount of damage done regarding the data that the attackers have, it is very possible that they must have gotten their hands on the data they needed. To understand how this is possible, let’s talk about Ryuk.

What really is Ryuk Ransomware?

Ryuk ransomware, developed by a Russian hacker group, is a modification of Hermes ransomware with similar characteristics; they invade and encrypt network systems, deleting shadow copies on the network’s endpoints in the process. However, they differ in their method of encryption; Ryuk uses RSA public key, and Hermes uses RSA and private key pair. Ryuk is known to involve a high level of manual processing; an attacker will have to deem its prey worthy enough to go through with it. This is why it targets mainly large organizations with potentials of big payoffs.

Ryuk ransomware, itself, is not the beginning of compromised security, it is rather a ransomware that grows into full form, metamorphosing into a lethal malware. It begins with phishing emails, which leads to the installation of bots that infiltrates the entire network. The bots (TrickBot, Emotet etc.) eventually deploys Ryuk, but before the actual deployment of Ryuk, the network must have been compromised already as these bots steal sensitive information from a network. Ryuk ransomware actors, after its deployment, drop binary setup algorithms and run them using a shell. This will bring about the deployment of the malware on all devices on the network, giving the actors the upper hand to negotiate large sum of money.

This whole process takes weeks, suggesting that victims like the City of Durham, North Carolina had its cybersecurity compromised weeks before they detected it. The fact is city systems in the United States, compared to private sector systems, are less protected in terms of cybersecurity. This is why they have been easy targets to ransomware of this magnitude. Cities and public owned networks need to invest more in cybersecurity in general, ensuring that proper threat assessment, monitoring and prevention are in place. If not, systems will continue to fall victim to Ryuk ransomware and other malicious attacks resulting in large financial losses and sensitive information compromised.