skip to Main Content

Cybercrime, the NCSC exposes Ryuk ransomware

The UK NCSC: Ryuk ransomware is targeting organisations globally. In some cases, Emotet and Trickbot infections have also been identified on networks targeted by the cybercrime malware

Ryuk ransomware is targeting organisations globally, including in the UK. It has been confirmed by NCSC cyber security experts in a report. In some cases, moreover, Emotet and Trickbot infections have also been identified on networks targeted by the malicious code. Ryuk was first seen in August 2018 and has been responsible for multiple attacks globally. It is a targeted ransomware where demands are set according to the victim’s perceived ability to pay. The cybercrime code is often not observed until a period of time after the initial infection – ranging from days to months – which allows the actor time to carry out reconnaissance inside an infected network, identifying and targeting critical network systems and therefore maximising the impact of the attack. But it may also offer the potential to mitigate against a ransomware attack before it occurs, if the initial infection is detected and remedied. 

The links between Ryuk and the Emotet and Trickbot banking trojans

According to the NCSC cyber security experts, Ryuk ransomware has been linked to other malware families, in particular the Emotet and Trickbot banking trojans, although it could also be dropped by other malware. According to industry reporting, when a Ryuk infection occurs, Emotet is commonly observed distributing Trickbot as part of the infection chain. Trickbot subsequently deploys additional post-exploitation tooling to enable their operations, including Mimikatz and PowerShell Empire modules. These facilitate credential harvesting, remotely monitoring of the victim’s workstation, and performing lateral movement to other machines within a network. This initial infection enables the attacker to assess whether the machine presents a ransomware opportunity, and if so, to deploy Ryuk. The relationship between these threats is modular in nature: Emotet drops other implants; Trickbot has been distributed by other methods. It is however possible that Ryuk could be deployed through others infection chains.

The cyber security experts: Why Ryuk is a persistent infection

Ryuk is a persistent infection. The ransomare’s installer will attempt to stop certain anti-malware software and install the appropriate version of the cybercrime code, depending on a system’s architecture.  The ransomware itself does not contain the ability to move laterally within a network, hence the reliance on access via a primary infection, but it does however have the ability to enumerate network shares and encrypt those it can access. This, coupled with the ransomware’s use of anti-forensic recovery techniques (such as manipulating the virtual shadow copy), is a technique to make recovering from backups difficult. All non-executable files across the system will be encrypted and will be renamed with the .ryk file extension. A ransom note will be dropped in each processed folder with the name RyukReadMe (.html or .txt). 

Back To Top