
    What is Ryuk Ransomware and How Does it Work?


    Ryuk is a type of ransomware that encrypts files on an infected system, with the ransom typically demanded in bitcoin or other types of cryptocurrency. Ryuk has targeted many large organisations using Microsoft Windows and related systems.

     

     

    First spotted in August 2018, Ryuk was initially thought to be the work of a group operating out of North Korea, but it is now believed to have been developed by Russian hackers. With rising ransomware and phishing attacks becoming significant threats, 66% of SMBs report that they are concerned or extremely concerned, as we all should be.

     

     

    What is unique about Ryuk Ransomware and why is it so successful?

     

     

     

    Ryuk is unique in that it is, as Microsoft defines it, a human-operated ransomware attack. The attackers use highly sophisticated targeting and stealth tactics to ensure a high rate of success. Being human-operated means that attackers execute multi-level attacks against company networks. It starts with carefully selecting targets rather than adopting an automated, “spray and pray” approach, and requires both broad and specific knowledge of target infrastructure in order to succeed.

     

    This isn’t a quick in-and-out. This is a prolonged, ongoing attack that has real people active inside the network, gathering data.

     

    The attackers generally choose their targets carefully, going for large organisations rather than individuals. This has not only launched the Ryuk ransomware into the headlines but also netted the operators of the ransomware millions of dollars in ransom payments.

     

     

    How is Ryuk delivered?

     

     

    Like many other strains, Ryuk ransomware attacks are primarily delivered via a phishing email. According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), Ryuk is spread by phishing campaigns that contain either links to malicious websites that host the malware or attachments with the malware.

     

    In a nutshell, a user would receive a phishing email that looks legitimate at first glance. Attached to the email is a compromised Microsoft Office document. This document might be called “Quarterly Results”, or something similarly innocuous. However, upon opening the document, attackers use the macro function to begin executing code. Once this process is started, attackers use a toolbox of products to move laterally within the organisation and gain ever higher access privileges.

     

     

    Ryuk was identified over two years ago. Why does it still wreak havoc?

     

     

     

    Ransomware attacks change constantly. Attackers are leveraging automation to mutate common threat variants, resulting in a massive increase in previously unseen first-time threats. This is a popular technique allowing attackers to bypass most security solutions – which typically misidentify variants of existing threats even if the original threats already have their signatures registered. This weakness allows attackers to continue to target organisations, bypass their existing security solutions, and deploy their payload on the victim’s network.

     

     

    The old Ryuk vs. the new Ryuk

     

     

    In January 2021, a new Ryuk variant was identified. New variants emerge all the time, but this one had an enormous impact since it has worm-like capabilities allowing it to automatically spread laterally within the infected networks. Previous versions of Ryuk could not automatically move laterally through a network and required a dropper and then manual movement. The new version entails a computer worm spreading copies of itself from device to device without any human intervention required.

     

     

     

    How to protect against the next Ryuk variant – even before you know it’s out there

     

     

     

    As we’ve noted previously, Ryuk, like other common ransomware instances, is primarily deployed using a phishing or spear-phishing email. Phishing is tricky and even the most experienced cyber experts aren’t always able to detect it. Therefore, in addition to educating employees on how to avoid phishing threats, the best defence against such an attack for yourself and your clients is to ensure that you use advanced protection for email and other collaboration tools, one that covers phishing as well as malware.

     

    In addition, since Ryuk looks for the weakest link in the chain, it’s highly recommended to constantly scan your network and systems for security vulnerabilities and patch those as soon as they are detected. If you don’t have the expertise to do that yourself, that is something we do for our clients.

     

     

    How to detect and stop Ryuk infections

     

     

    Ideally, you want to stop Ryuk from ever getting into your network, for example by blocking the phishing attempts often used to spread ransomware through email and collaboration tools.

     

    We use email scanning software that detects phishing attempts and ransomware based on behaviour, rather than relying on signature-based software that often misses new malware variants. Scanning emails is only one layer of defence, though. We take a layered approach to our cyber security: if anything gets past your outer defences, it will be blocked by the next layer of defence. By detecting an attack early, systems can be quickly isolated, reducing the impact of an attack.

     

    With sophisticated Remote Monitoring and Management (RMM) tools, we are able to detect and correct problems with every endpoint on our clients’ networks. While this can be used to address routine maintenance issues, it includes native ransomware detection and remediation capabilities. If ransomware is detected, the RMM automatically alerts us to take proactive steps to stop it. That includes terminating the ransomware process and isolating the infected device to prevent the ransomware from spreading. This reduces downtime and allows us to stop threats before you even become aware of them.

     

    Then the challenge is to recover any systems that may have been damaged in the attack to a ransomware-free state. Whether you will be able to do that depends largely on whether you have complete system image backups of important data. That includes cloud-based systems, for example Microsoft 365 and Microsoft Azure. Make sure your backups themselves are protected against ransomware because attackers will try to corrupt those, too. We have invested heavily in a number of advanced backup toolsets that will restore your data in minutes and eliminate downtime for your business.

     

    Contact us today to learn more.
