A new variant of the Ryuk ransomware is more dangerous than ever: as the French cybersecurity agency ANSSI discovered, the ransomware now spreads on its own inside networks, which has greatly accelerated its propagation.
This is reported by Bleeping Computer, which explains the trick the notorious Ryuk ransomware now uses. Its operators have given it worm-like capabilities, similar to those of the Emotet trojan, that allow the malware to spread to other devices on the victim's local network. ANSSI investigated such a case in early 2021.
The spread hides behind a legitimate Windows feature: "Through the use of scheduled tasks, the malware propagates itself, machine to machine, within the Windows domain," says ANSSI (short for Agence Nationale de la Sécurité des Systèmes d'Information) in its report on Ryuk. "Once launched, Ryuk spreads itself to every reachable machine on which Windows RPC access is possible."
Self-replication to other network devices
To spread across the local network, the new Ryuk variant lists all IP addresses in the local ARP cache and sends what looks like a Wake-on-LAN (WOL) packet to each device it finds, which would bring sleeping hosts online. It then mounts every shared resource it discovers on each device and starts its actual "work": encrypting their contents.
Ryuk's ability to mount and encrypt the drives of remote computers was already observed last year. The new variant, however, also copies itself onto other systems and executes itself remotely through scheduled tasks that it creates on the compromised hosts with the legitimate Windows tool schtasks.exe.
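As an added example (not code from the article, from Bleeping Computer or from ANSSI's report), the Python below shows how a defender could hunt for the two behaviours just described in telemetry: one host sending Wake-on-LAN magic packets to many neighbours, and one host creating scheduled tasks on many remote machines through schtasks.exe with the /S switch. The log layout, host names, IP addresses, MAC addresses, task name and payload path are constructed assumptions for the example.

```python
"""
Hunt for the Ryuk-style propagation pattern: WOL spray plus remote task
creation via schtasks.exe /S. All sample data below is constructed.
"""
import re
from collections import defaultdict

# Constructed process-creation records in a simplified Sysmon-like layout:
# timestamp|host|image|command line. Task name and payload path are invented.
SAMPLE_EVENTS = [
    '2021-02-26T10:14:03Z|WS-01|C:\\Windows\\System32\\schtasks.exe|'
    'schtasks.exe /S 10.0.0.12 /Create /RU SYSTEM /TN SysUpdate '
    '/TR "\\\\WS-01\\C$\\temp\\payload.exe" /SC ONCE /ST 10:15',
    '2021-02-26T10:14:04Z|WS-01|C:\\Windows\\System32\\schtasks.exe|'
    'schtasks.exe /S 10.0.0.13 /Create /RU SYSTEM /TN SysUpdate '
    '/TR "\\\\WS-01\\C$\\temp\\payload.exe" /SC ONCE /ST 10:15',
    '2021-02-26T10:14:05Z|WS-01|C:\\Windows\\System32\\schtasks.exe|'
    'schtasks.exe /S 10.0.0.14 /Create /RU SYSTEM /TN SysUpdate '
    '/TR "\\\\WS-01\\C$\\temp\\payload.exe" /SC ONCE /ST 10:15',
    # Running an existing task is not creation; it must not count as a new target.
    '2021-02-26T10:14:06Z|WS-01|C:\\Windows\\System32\\schtasks.exe|'
    'schtasks.exe /S 10.0.0.12 /Run /TN SysUpdate',
    # Benign admin activity: a local task, and a single remote task.
    '2021-02-26T09:02:11Z|ADMIN-PC|C:\\Windows\\System32\\schtasks.exe|'
    'schtasks.exe /Create /TN Backup /TR C:\\backup.bat /SC DAILY',
    '2021-02-26T09:05:00Z|ADMIN-PC|C:\\Windows\\System32\\schtasks.exe|'
    'schtasks.exe /S FILESRV /Create /TN Cleanup /TR C:\\cleanup.bat /SC WEEKLY',
    '2021-02-26T09:06:00Z|WS-01|C:\\Windows\\System32\\cmd.exe|cmd.exe /c whoami',
]

# "/S host" selects a remote system in schtasks; requiring whitespace after the
# S keeps /SC (schedule) and /ST (start time) from matching.
REMOTE_HOST = re.compile(r"(?:^|\s)/s\s+(\S+)", re.IGNORECASE)
CREATE_FLAG = re.compile(r"(?:^|\s)/create(?=\s|$)", re.IGNORECASE)


def remote_create_target(cmdline):
    """Return the remote host (lower-cased) if this schtasks command line
    creates a task on another machine, otherwise None."""
    if not CREATE_FLAG.search(cmdline):
        return None
    match = REMOTE_HOST.search(cmdline)
    return match.group(1).strip('"').lower() if match else None


def parse_event(line):
    """Split one record into (timestamp, host, image, cmdline) or None."""
    parts = line.split("|", 3)
    return parts if len(parts) == 4 else None


def find_propagation(events, min_targets=3):
    """Map each source host to the sorted list of remote machines on which it
    created scheduled tasks, keeping only hosts with >= min_targets targets."""
    targets = defaultdict(set)
    for line in events:
        parsed = parse_event(line)
        if parsed is None:
            continue
        _ts, host, image, cmdline = parsed
        if not image.lower().endswith("schtasks.exe"):
            continue
        remote = remote_create_target(cmdline)
        if remote:
            targets[host].add(remote)
    return {h: sorted(t) for h, t in targets.items() if len(t) >= min_targets}


def parse_wol_magic(payload):
    """Return the target MAC as 'aa:bb:cc:dd:ee:ff' if payload is a Wake-on-LAN
    magic packet (6 x 0xFF followed by the MAC repeated 16 times; an optional
    SecureOn password may trail it), otherwise None."""
    if len(payload) < 102 or payload[:6] != b"\xff" * 6:
        return None
    mac = payload[6:12]
    if payload[12:102] != mac * 15:
        return None
    return ":".join(f"{b:02x}" for b in mac)


# Constructed (source IP, UDP payload) pairs: one host waking three neighbours.
SAMPLE_PACKETS = [
    ("10.0.0.5", b"\xff" * 6 + bytes.fromhex("0011223344aa") * 16),
    ("10.0.0.5", b"\xff" * 6 + bytes.fromhex("0011223344bb") * 16),
    ("10.0.0.5", b"\xff" * 6 + bytes.fromhex("0011223344cc") * 16),
    ("10.0.0.9", b"not a magic packet"),
]


def wol_spray(packets, min_targets=3):
    """Map each source to the sorted MACs it sent magic packets to, keeping
    only sources that targeted >= min_targets distinct machines."""
    seen = defaultdict(set)
    for src, payload in packets:
        mac = parse_wol_magic(payload)
        if mac:
            seen[src].add(mac)
    return {s: sorted(m) for s, m in seen.items() if len(m) >= min_targets}


if __name__ == "__main__":
    print("remote task creation:", find_propagation(SAMPLE_EVENTS))
    print("WOL spray:", wol_spray(SAMPLE_PACKETS))
```

In a real environment the same logic applies to Sysmon process-creation events on the source host or, on the target side, to the Windows Security event that records a newly created scheduled task; the thresholds are deliberately low so that a single administrator creating one remote task is not flagged.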
Solutions are still being sought
"One way to address the problem could be to change the password or disable the user account (depending on the account used) and then carry out a double KRBTGT domain password change," says ANSSI. "This would cause a lot of disruption in the domain, and most likely a lot of reboots, but it would also contain the spread immediately." A definitive remedy is still being sought. The KRBTGT reset has to be done twice because domain controllers keep honouring tickets issued under the previous key; the second reset should only follow once the first has replicated to every domain controller, otherwise legitimate tickets break as well.
Ryuk is run as a ransomware-as-a-service (RaaS) operation that was first seen in August 2018 and has left a long list of victims. Ryuk, for example, was behind a massive wave of attacks on the US healthcare system that began in November 2020. Its operators typically demand hefty ransom payments and extracted $34 million from a single victim last year.