Ryuk Revealed: Breaking Down the Latest Ransomware Threat to Healthcare and Beyond
2020-11-19 | 6 min read
Ransomware Never Sleeps
If you’re active in security circles, you’ve probably noticed a recent spate of ransomware attacks that have been particularly troublesome for the healthcare sector. We’ve been getting a lot of questions about it, so I wanted to take a minute to fill you in on what it is, how it works, and what you can do about it.
Here's the good news: we can help you right now. Read on for all the juicy details.
How it Works
The ransomware involved is known as Ryuk. Once it runs on a host, it encrypts the files on local drives and on any network shares it can reach and demands a ransom in Bitcoin for the decryption key; the data theft that often accompanies Ryuk incidents is carried out beforehand by the operators, not by the encryptor itself. Ryuk is delivered through several mechanisms, most often first-stage malware such as TrickBot and BazarLoader, but the intrusion almost always starts with a phishing email. After clicking a link in a realistic-looking message, the user lands on an innocuous-looking (and often work-related) website that drops the first-stage loader onto the user’s PC. Ryuk itself arrives later, once the operators have used that foothold to map the network. From there it’s all downhill, in three stages:
- Once attackers establish a foothold in the network, they move laterally throughout it and stage Ryuk on every host they can reach. Ryuk does not need to spread on its own; the operators push it out, which is why a single infected PC can jeopardize entire branches and organizations.
- Before encryption begins, the operators steal whatever sensitive data they can find. Among other things, this subjects organizations to compliance violation fines and reputational damage, especially if customer data or intellectual property are compromised.
- Finally, like other ransomware, Ryuk encrypts workstations and servers so that they are unusable until the ransom is paid. An encrypted machine is effectively dead to its user; all that is left behind is a ransom note explaining how to send the attackers cryptocurrency.
(For the full picture, see the joint CISA/FBI/HHS advisory AA20-302A, “Ransomware Activity Targeting the Healthcare and Public Health Sector”.)
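For the encryption stage, the first question a responder asks is “which hosts and shares have already been hit?” The script below is a host-side triage tool added here as an illustration; it is not Keysight code and not taken from the advisory. It assumes the publicly reported Ryuk artefacts: encrypted files renamed with a .RYK extension, ransom notes named RyukReadMe.txt or RyukReadMe.html, and an ASCII HERMES marker in the footer Ryuk appends to each encrypted file. The directory contents created by build_sample_tree are constructed for the demo, and the entropy threshold is a generic “looks encrypted” heuristic, not a Ryuk-specific value.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Publicly reported Ryuk artefacts (vendor and CISA reporting on 2018-2020 samples).
RYUK_EXTENSION = ".ryk"                             # appended to every encrypted file
RYUK_NOTES = {"ryukreadme.txt", "ryukreadme.html"}  # ransom note file names
HERMES_MARKER = b"HERMES"                           # marker in the footer Ryuk appends
ENTROPY_THRESHOLD = 7.5  # bits/byte; text sits around 4-5, ciphertext approaches 8
FOOTER_WINDOW = 4096     # bytes read from the end of each file for the marker check


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; a generic 'looks encrypted' heuristic."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def has_hermes_footer(path: Path) -> bool:
    """True if the HERMES marker appears in the last FOOTER_WINDOW bytes of the file."""
    try:
        with path.open("rb") as fh:
            fh.seek(max(0, path.stat().st_size - FOOTER_WINDOW))
            return HERMES_MARKER in fh.read()
    except OSError:
        return False


def classify(path: Path) -> list[str]:
    """Return the indicators that fire for one file (empty list means nothing found)."""
    reasons = []
    if path.name.lower() in RYUK_NOTES:
        reasons.append("ransom-note")
    if path.suffix.lower() == RYUK_EXTENSION:
        reasons.append("ryk-extension")
    if has_hermes_footer(path):
        reasons.append("hermes-footer")
    if not reasons:
        # Weaker signal: content that looks encrypted although the name is unchanged.
        # Expect false positives on archives and media; treat as "review", not "hit".
        try:
            sample = path.read_bytes()[:65536]
        except OSError:
            sample = b""
        if len(sample) >= 256 and shannon_entropy(sample) >= ENTROPY_THRESHOLD:
            reasons.append("high-entropy")
    return reasons


def triage(root: str) -> dict[str, list[str]]:
    """Walk `root` read-only and map each flagged file (relative path) to its indicators."""
    base = Path(root)
    hits = {}
    for path in sorted(p for p in base.rglob("*") if p.is_file()):
        reasons = classify(path)
        if reasons:
            hits[path.relative_to(base).as_posix()] = reasons
    return hits


def build_sample_tree(root: str) -> None:
    """Constructed sample data for a stand-alone run; this is not real Ryuk output."""
    base = Path(root)
    (base / "finance").mkdir(parents=True)
    (base / "finance" / "budget.txt").write_text(
        "Q3 budget review notes: revenue up 4%, opex flat, headcount plan unchanged.\n" * 20)
    # Mimic an encrypted file: random bytes, then the footer marker, then the .RYK suffix.
    (base / "finance" / "report.docx.RYK").write_bytes(
        os.urandom(8192) + HERMES_MARKER + os.urandom(256))
    (base / "finance" / "RyukReadMe.txt").write_text("constructed placeholder ransom note\n")
    # High-entropy file whose name was left alone (only the weak heuristic catches it).
    (base / "finance" / "cache.bin").write_bytes(os.urandom(4096))


def demo() -> dict[str, list[str]]:
    """Build the sample tree in a temp dir, triage it, and return the hits."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return triage(tmp)


if __name__ == "__main__":
    for rel, reasons in demo().items():
        print(f"{rel}: {', '.join(reasons)}")
```

Point triage() at a mounted disk image or a suspect share opened read-only; it only reports and never modifies files. The ransom-note, extension and footer checks are the reliable hits, while the high-entropy tier is a review queue that will also fire on zip files, images and other compressed content.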
How Keysight Can Help
Okay, I know what you’re thinking. “This Ryuk thing seems like bad news, but what can I do about it?” Well, you’re in luck! You can use Keysight Threat Simulator, right now, to see if your firewall can detect a Ryuk download — whether you have an active license or not.
Here’s how you do it:
First things first. If you aren’t currently using Threat Simulator, you’ll need to register for our free 2-week trial. That’s right: no purchase required. From there, it takes just a few minutes to get everything set up, including deploying an agent in your network so you can safely simulate attacks against your production environment. It’s an easy process, and we made a handy YouTube playlist to help you get started, but if you run into any problems, feel free to contact our Security Solutions Team. They are more than happy to get you up and running in record time!
From there, all you need to do is select the right audit or assessment. Threat Simulator has two separate Ryuk audits, both part of our larger “Top 11 Ransomware 2020” assessment, which tests your network against a host of other popular ransomware families. Select the desired audit or assessment and let Threat Simulator do the rest of the work for you.
Seriously, give it a go right now. It only takes a few minutes!
But Threat Simulator isn’t the only Keysight tool that can help you fight Ryuk. Keysight ThreatARMOR, a threat intelligence gateway, blocks inbound and outbound traffic between your network and the Command and Control (C2) servers that direct both Ryuk and TrickBot, helping you quell active infections, stop data theft, and prevent additional malware downloads.
Of course, the bad guys never stop changing tactics. That’s why it’s our job to stay a step ahead of them. We’ll be tracking malware variants as they evolve over time, and we’ll soon be expanding our test coverage — so you can assess the various ways the first stage of the attack can spread in your environment.
Be sure to watch this space for future updates, and don’t hesitate to reach out to our Security Solutions Team if you have any questions — we’re always happy to help you stay protected!
Happy threat hunting!