Ryuk's Rampage Has Lessons for the Enterprise
The Ryuk ransomware epidemic is no accident. The cybercriminals responsible for its spread have systematically exploited weaknesses in enterprise defenses that must be addressed.

The Ryuk ransomware gang is hiring ... and that's bad news. In a conversation with Natalia Godyla of Microsoft in January, Jake Williams, the founder of Rendition Infosec, noted that his team spotted job advertisements in Dark Web forums from accounts associated with Ryuk's operators.


"They're looking for experienced ransomware operators, and they have a whole set of criteria, including that they want to see a history that you're getting an average $400,000 payout," Williams said. "They haven't asked for help in the past. They have more work than they can handle."


Good times for the Ryuk gang mean bad times for everyone else. The Ryuk ransomware, which appeared in 2018, has become one of the most potent threats to organizations — especially in healthcare, where research suggests it is responsible for three-quarters of ransomware attacks on healthcare organizations. It is also among the most costly ransomware families, with average ransom demands over $100,000, according to Check Point.


Targeting Enterprise Weak Points

The Ryuk malware is a variant of an existing ransomware strain known as Hermes 2.1 and is often distributed by commodity malware tools such as TrickBot. But Ryuk's operators invented new ways to deploy their malware, which targets weaknesses common to even the most sophisticated firms.


Ryuk's operators used highly tailored phishing emails to gain footholds within their targets. Its operators "live off the land," using standard tools such as net view and Ping to surveil and map networks. Next, standard Windows administrative applications such as PowerShell an ..
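The "living off the land" reconnaissance described above (net view and ping run from an ordinary workstation) is noisy in process-creation telemetry, which gives defenders a detection opportunity before encryption begins. The following Python detector is an added example, not code from the article or from any vendor it cites. It assumes process-creation events (Sysmon Event ID 1 or Security 4688) have been exported as JSON lines with the field names time, host, user, parent, image and cmdline; both the field layout and the sample log lines are constructed for this example.

```python
"""Flag living-off-the-land reconnaissance (net view, ping sweeps) in
Windows process-creation logs.

Added example, not from the article. Assumed input: one JSON object per
line with fields time, host, user, parent, image, cmdline, as an analyst
might export from Sysmon Event ID 1 or Security 4688.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed sample: WS-17 enumerates the network with "net view" and then
# pings five neighbouring hosts within a minute; WS-22 runs a single benign
# ping and a "net use" that must NOT trigger the net-view rule.
SAMPLE_LOG = "\n".join([
    r'{"time": "2021-02-03T09:12:01", "host": "WS-17", "user": "CORP\\jdoe", "parent": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Windows\\System32\\net.exe", "cmdline": "net view /all"}',
    r'{"time": "2021-02-03T09:12:10", "host": "WS-17", "user": "CORP\\jdoe", "parent": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Windows\\System32\\PING.EXE", "cmdline": "ping -n 1 10.10.1.5"}',
    r'{"time": "2021-02-03T09:12:11", "host": "WS-17", "user": "CORP\\jdoe", "parent": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Windows\\System32\\PING.EXE", "cmdline": "ping -n 1 10.10.1.6"}',
    r'{"time": "2021-02-03T09:12:12", "host": "WS-17", "user": "CORP\\jdoe", "parent": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Windows\\System32\\PING.EXE", "cmdline": "ping -n 1 10.10.1.7"}',
    r'{"time": "2021-02-03T09:12:13", "host": "WS-17", "user": "CORP\\jdoe", "parent": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Windows\\System32\\PING.EXE", "cmdline": "ping -n 1 10.10.1.8"}',
    r'{"time": "2021-02-03T09:12:14", "host": "WS-17", "user": "CORP\\jdoe", "parent": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Windows\\System32\\PING.EXE", "cmdline": "ping -n 1 10.10.1.9"}',
    r'{"time": "2021-02-03T09:30:00", "host": "WS-22", "user": "CORP\\asmith", "parent": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Windows\\System32\\PING.EXE", "cmdline": "ping fileserver01"}',
    r'{"time": "2021-02-03T09:31:00", "host": "WS-22", "user": "CORP\\asmith", "parent": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Windows\\System32\\net.exe", "cmdline": "net use Z: \\\\fileserver01\\share"}',
])


def parse_events(text):
    """Parse JSON-lines process events, normalise the image name and sort by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["time"] = datetime.fromisoformat(ev["time"])
        # Compare on the executable's basename so path casing and location do not matter.
        ev["exe"] = PureWindowsPath(ev["image"]).name.lower()
        events.append(ev)
    return sorted(events, key=lambda e: e["time"])


def ping_target(cmdline):
    """Return ping's destination: its final positional argument (flags such as -n precede it)."""
    tokens = cmdline.split()
    if len(tokens) < 2 or tokens[-1].startswith(("-", "/")):
        return None
    return tokens[-1]


def detect_recon(events, window=timedelta(seconds=60), sweep_threshold=5):
    """Return findings for 'net view' enumeration and for ping sweeps.

    A ping sweep is one host pinging at least sweep_threshold distinct
    targets inside any sliding window of length `window`.
    """
    findings = []
    pings = defaultdict(list)  # host -> [(time, target), ...]
    for ev in events:
        if ev["exe"] in ("net.exe", "net1.exe") and "view" in ev["cmdline"].lower().split():
            findings.append({"rule": "net_view_enum", "host": ev["host"], "user": ev["user"],
                             "time": ev["time"].isoformat(), "cmdline": ev["cmdline"]})
        elif ev["exe"] == "ping.exe":
            target = ping_target(ev["cmdline"])
            if target:
                pings[ev["host"]].append((ev["time"], target))

    for host, seq in pings.items():
        seq.sort()
        start, flagged = 0, False
        for end in range(len(seq)):
            # Advance the window start until the span fits inside `window`.
            while seq[end][0] - seq[start][0] > window:
                start += 1
            targets = {t for _, t in seq[start:end + 1]}
            if len(targets) >= sweep_threshold and not flagged:
                findings.append({"rule": "ping_sweep", "host": host,
                                 "time": seq[start][0].isoformat(), "targets": sorted(targets)})
                flagged = True  # one finding per host keeps the alert volume sane
    return findings


if __name__ == "__main__":
    for finding in detect_recon(parse_events(SAMPLE_LOG)):
        print(json.dumps(finding))
```

Run against the constructed sample, the detector reports WS-17 twice (once for the net view enumeration, once for the five-target ping sweep) and stays silent on WS-22's lone ping and its net use, which is the behaviour a triage queue needs: the rules fire on the pattern of reconnaissance, not on the mere presence of built-in tools that administrators also run.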