A new variant of Ryuk ransomware spreads over the network by copying an executable file to identified network shares.

Specialists from the French National Computer Incident Response Center (CERT-FR) have described an updated version of the Ryuk ransomware with worm features that allow it to spread automatically across its victims' networks.
Previously, Ryuk was downloaded using the TrickBot Trojan, but in September last year, attackers began using BazarBackdoor to gain access to targeted networks. BazarBackdoor is a malware downloader that is also used by the group behind TrickBot.
Previous versions of the ransomware could not automatically navigate the network. However, while investigating an incident earlier this year, researchers found a sample of Ryuk with added worm-like properties that allowed it to automatically spread across infected networks.
Propagation is achieved by copying the executable file to identified network shares. Ryuk then creates a scheduled task on the remote computer, which allows it to spread from one Windows computer to another.
Once launched, the ransomware is distributed to every reachable machine that exposes access via Windows RPC. After recursively scanning the disks and network resources it can reach on the infected network, the ransomware deploys its malicious payload in the context of a trusted process.
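The two observable traces of the propagation described above are an executable placed on a network share and a scheduled task on the remote host that launches it from that share. The following detection sketch is an added example and not part of the CERT-FR report or any Ryuk sample; it runs over a constructed, simplified event format (host, task name, registering account, command line, separated by `|`) rather than real Windows task-scheduler telemetry, and every hostname, account and file name in it is invented. It flags tasks whose executable is launched from a UNC path and lists accounts that registered tasks on more than one host, which is the footprint a worm leaves as it hops between machines.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed sample records, not real telemetry. One scheduled-task creation
# event per line, fields separated by '|': host, task name, registering account,
# command line. Hostnames, accounts and file names are invented for illustration.
SAMPLE_EVENTS = r"""
WS-FIN-04|\Microsoft\Windows\Defrag\ScheduledDefrag|NT AUTHORITY\SYSTEM|%windir%\system32\defrag.exe -c -h
WS-FIN-07|\Update|CORP\svc_backup|\\WS-FIN-04\ADMIN$\winsvc.exe
SRV-FILE-01|\Sync|CORP\svc_backup|"\\10.20.30.5\C$\temp\winsvc.exe"
WS-HR-02|\MyApp|CORP\jdoe|"C:\Program Files\MyApp\updater.exe"
"""

# A command whose executable lives on a UNC path (\\host\share\...). The worm
# variant copies itself to a share and registers a task that runs from there.
UNC_COMMAND_RE = re.compile(r'^"?\\\\([^\\"]+)\\')


def parse_events(text: str) -> List[Dict[str, str]]:
    """Parse the '|'-separated constructed event format into dicts."""
    events = []
    for line in text.strip().splitlines():
        host, task, account, command = line.split("|", 3)
        events.append({"host": host, "task": task, "account": account, "command": command})
    return events


def share_host(command: str) -> Optional[str]:
    """Return the host named in a UNC command path, or None if the path is local."""
    m = UNC_COMMAND_RE.match(command.strip())
    return m.group(1) if m else None


def flag_share_launched_tasks(text: str) -> List[Dict[str, str]]:
    """Tasks whose executable is launched from a network share, in input order."""
    flagged = []
    for ev in parse_events(text):
        src = share_host(ev["command"])
        if src is not None:
            flagged.append({**ev, "share_host": src})
    return flagged


def accounts_registering_on_many_hosts(events: List[Dict[str, str]],
                                       min_hosts: int = 2) -> Dict[str, List[str]]:
    """Accounts that registered tasks on at least min_hosts distinct hosts.
    One account creating tasks across the fleet is how the worm hops."""
    hosts_by_account = defaultdict(set)
    for ev in events:
        hosts_by_account[ev["account"]].add(ev["host"])
    return {acct: sorted(h) for acct, h in hosts_by_account.items() if len(h) >= min_hosts}


if __name__ == "__main__":
    for f in flag_share_launched_tasks(SAMPLE_EVENTS):
        print(f"{f['host']}: task {f['task']} runs {f['command']} from share on {f['share_host']}")
    print(accounts_registering_on_many_hosts(parse_events(SAMPLE_EVENTS)))
```

On the constructed input the first check flags the two `winsvc.exe` tasks and names the host each share lives on, which gives responders the machine the copy came from; the second check surfaces `CORP\svc_backup` as the account that registered tasks on two different hosts. In a real deployment the parser would be replaced by whatever feeds task-creation events from the endpoints, and the UNC test should be combined with a check on whether the registering account normally creates tasks at all.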
In addition, the latest version of Ryuk does not appear to contain an exclusion mechanism, so it cannot prevent reinfection of machines it has already infected. It is noteworthy that Ryuk does not encrypt certain files belonging to Windows, Mozilla Firefox and Google Chrome. As the experts explained, the core system components and browsers are left untouched so that victims can read the ransom demand and pay the attackers.
In some cases, however, Ryuk does encrypt core Windows files. As a result, affected organizations may find it difficult or even impossible to recover infected devices.