Ryuk ransomware has become a household name in the field of cyber security, with many large organizations suffering attacks from it. The ransomware has targeted businesses, hospitals, government institutions and large veterinary practices since August 2018, when it was first discovered.
Ryuk’s effectiveness comes from the fact that the group behind it uses manual hacking techniques and open source tools to move laterally through private networks, looking for a vulnerability that lets them gain administrative access to as many systems as possible. Once they have administrative control of the entire network, the Ryuk operators initiate the attack by encrypting all the files on the computer network.
The cyber criminals ensure that all essential files and systems, including backups and rollback systems, are encrypted before making their demands. This makes it hard for the victims of a Ryuk ransomware attack to recover their data, giving the cyber criminals the leverage to extort as much money as possible from their victims.
Ryuk ransomware origins and success
When Ryuk first appeared in August 2018, it was believed to be a newer version of the Hermes ransomware that had been used earlier by the North Korean state-sponsored Lazarus Group in the Taiwanese Far Eastern International Bank attack of October 2017. This led many to believe that Ryuk had originated in North Korea.
However, these claims were quickly disputed by cyber security companies, which indicated that Ryuk may have originated from Russia or from a Russian-speaking cyber criminal group that had access to Hermes. Some cyber security companies have traced the ransomware to the Russian cyber criminal gang known as Wizard Spider or Grim Spider.
Ryuk attackers mostly target institutions and organizations that hold critical data and are more likely to pay. This technique, which security experts refer to as “big game hunting”, ensures that the cyber criminals behind the ransomware are successful at monetizing their attack campaigns.
According to a report released by two cyber security firms, the cyber criminal gang behind Ryuk ransomware is believed to have made more than $150 million since it first appeared in 2018. The researchers indicated that they had tracked a total of 61 bitcoin wallets that the cyber criminal group had used to extort money from victims around the world.
Ryuk ransomware attacks
Ryuk ransomware is mostly delivered through phishing emails and spam emails. These emails are mostly sent from spoofed addresses to hide the identity of the attackers, build trust with their victims and ensure that the sender name does not raise suspicion.
The attack begins when the victim falls for the phishing email and downloads the attachment, which is mostly in the form of a Microsoft Office document. Once downloaded and opened, a malicious macro runs a Windows PowerShell command, which then downloads the Emotet Trojan. Emotet, which has the ability to download additional malware, then downloads Trickbot, whose main payload is spyware.
Trickbot collects admin credentials, allowing attackers to move stealthily through your systems as they explore other vulnerable areas of your network. The spyware is able to identify all hardware connected to the network, including critical assets such as backups and databases. Once the attackers have gained control of the entire network, the final stage is carried out: Ryuk ransomware is executed on each of the assets connected to the network.
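One way a defender can watch for the macro-to-PowerShell step of this chain in endpoint telemetry, as an added example that is not part of the original article or of Lucca's tooling: it scores Sysmon-style process-creation events (the field names, paths and sample events are constructed) on an Office parent spawning a script host and on download-cradle or obfuscation switches in the command line, so a benign admin script rates only low while a macro launch rates high.

```python
import re
# Office applications whose child processes should rarely be script hosts
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Download-cradle and obfuscation markers typical of macro-launched PowerShell
CRADLE_MARKERS = re.compile(
    r"(-enc(odedcommand)?\b|downloadstring|downloadfile|invoke-webrequest|"
    r"net\.webclient|bitsadmin|\bhidden\b|\bbypass\b)", re.IGNORECASE)
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def classify(event):
    # (severity, reasons): high = Office parent + script host + marker, medium = that chain only, low = marker only
    parent, child = _basename(event["ParentImage"]), _basename(event["Image"])
    office_chain = parent in OFFICE_PARENTS and child in SCRIPT_HOSTS
    markers = sorted({m.group(0).lower()
                      for m in CRADLE_MARKERS.finditer(event.get("CommandLine", ""))})
    reasons = []
    if office_chain:
        reasons.append(f"{parent} spawned {child}")
    if markers:
        reasons.append("command line contains " + ", ".join(markers))
    severity = ("high" if office_chain and markers else
                "medium" if office_chain else "low" if markers else None)
    return severity, reasons

def detect(events, min_severity="medium"):
    # Returns [(ProcessId, severity, reasons)] for events at or above min_severity
    hits = []
    for ev in events:
        severity, reasons = classify(ev)
        if severity and SEVERITY_RANK[severity] >= SEVERITY_RANK[min_severity]:
            hits.append((ev["ProcessId"], severity, reasons))
    return hits

# Constructed sample events (Sysmon Event ID 1 style fields), not real telemetry
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"ProcessId": 4412, "ParentImage": r"C:\Office16\WINWORD.EXE", "Image": PS,
     "CommandLine": "powershell.exe -w hidden -enc QQBBAEEAQQA="},   # macro launch
    {"ProcessId": 5120, "ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": "powershell.exe Get-ChildItem C:\\Users"},        # benign admin use
    {"ProcessId": 6001, "ParentImage": r"C:\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c echo hello"},
    {"ProcessId": 7300, "ParentImage": r"C:\Windows\System32\services.exe", "Image": PS,
     "CommandLine": "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\backup.ps1"},
]
```

Run `detect(SAMPLE_EVENTS)` for the default medium-and-above alerts, or pass `min_severity="low"` to also surface the scheduled script that only trips on its `Bypass` switch.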
Ryuk ransomware in action
In the last few years, since the ransomware came into the limelight, it has been used to carry out some of the most sophisticated attacks, resulting in loss of data and millions in ransom payments. Here are some of the recent Ryuk ransomware attacks and how they were carried out.
National Veterinary Associates (NVA) attack; 400 practices compromised
The most infamous Ryuk attack happened in 2019 and involved over 400 veterinary practices of the California-based company National Veterinary Associates (NVA).
The attack was a result of Ryuk ransomware, which gained access to the NVA systems through a supply chain attack. According to reports, it is believed that the ransomware was delivered into the NVA systems through third-party associates of NVA. The attack was so severe that weeks later, NVA was still trying to recover its data and some veterinary practices’ services were still paralyzed.
European bio-molecular research institute attack
Just this month, May 2021, Ryuk cyber criminals struck again, this time at a European biomolecular research institute.
The attack happened after a student at the institution was given access to an expensive data visualization software package for research. However, the student needed another version of the software and decided to download one from the internet.
Upon installation, Microsoft Defender flagged the software as containing malware, but the student ignored the warning and turned off the antivirus and his firewall. The software contained a keylogger that captured the student’s access credentials, and it wasn’t long before the attackers used those credentials to connect to the institution’s network; it was then found that his personal computer had already been infected by Ryuk ransomware.
Once the hackers had access, Ryuk ransomware was deployed and encrypted all of the data it found on the network, and the attackers most likely demanded payment in cryptocurrency.
Universal Health Services Ryuk ransomware attack
This is one of the biggest Ryuk ransomware attacks, resulting in a loss of over $67 million. The firm, which operates over 400 hospitals and is one of the biggest health care service providers in the country, indicated that the attack had devastated its operations and the normal running of the firm.
Although few details were released about how the attack happened, reports indicated that most of its critical infrastructure had been damaged by the Ryuk ransomware and its data encrypted. It is also believed that the cyber criminals demanded payment, but it is not clear whether UHS paid.
However, UHS indicated that it did not believe that hackers were able to take their clients’ information from their systems, although they indicated that the data had already been encrypted.
6 independent veterinary hospitals
In 2021, Lucca received calls from six independent veterinary hospitals across the country that had fallen victim to Ryuk ransomware attacks. In each of these situations an unsuspecting veterinary staff member downloaded a Microsoft Office document. Once the document was opened the attack commenced across the network.
From what we could gather from the incidents, these documents were masked as veterinary technician resumes submitted for open job positions. The other unfortunate fact is that each of these hospitals had their backups compromised as well, in one case leaving the practice with a data set that was over 4 months old! It’s not enough to rely on the cloud backups provided by your practice management system.
How to protect your veterinary hospital
1 – Implement good layered workstation and server protection
With the Lucca Cyber Security suite we use multiple tools to keep your hospital safe. Let’s look at an example. In the biomolecular research case above, the Lucca web protection layer would have prevented the user from accessing the download page of the infected software.
Let’s say the user finds a way around the web protection. The local Lucca workstation protection would have immediately flagged the infection and started to remove it.
Let’s assume that the cyber criminals used a brand new exploit to get onto the workstation and, for some reason, the local workstation protection missed it. The additional Lucca ransomware-specific protection on the computer would have seen that Ryuk was being executed, isolated the computer from the rest of the network to prevent the ransomware spreading, and stopped the ransomware process on the machine, finally alerting our team that the computer had been compromised and needed attention.
2 – Have a good business continuity plan in place
When it comes to the practice management software in your veterinary hospital, it’s not enough to just have backups, as we have seen from the examples above. You need a good business continuity plan in place. So what is business continuity?
Business continuity means that in the event of a disaster your business can continue to function. Generally you should be able to implement your continuity plan within hours, not weeks! The Lucca data vault not only makes a complete copy of your server; it is also ransomware proof and can be turned on within 60 minutes to get you back up and running.
Do you want to know how Lucca Veterinary Data Security can help protect your veterinary hospital from Ryuk ransomware?
Schedule a FREE no-obligation consultation call HERE