New variant of Ryuk ransomware has the features of a network worm

A new variant of Ryuk ransomware spreads over the network by copying an executable file to identified network shares.

Specialists from the French National Computer Incident Response Center (CERT-FR) have described an updated version of the Ryuk ransomware with worm features that allow it to spread automatically across its victims' networks.

Previously, Ryuk was downloaded using the TrickBot Trojan, but in September last year, attackers began using BazarBackdoor to gain access to targeted networks. BazarBackdoor is a malware downloader that is also used by the group behind TrickBot.

"Ryuk usually spreads through malicious phishing emails disguised as internal business documents with the associated names of employees or positions in the organization," CERT-FR specialists said.

Previous versions of the ransomware could not automatically navigate the network. However, while investigating an incident earlier this year, researchers found a sample of Ryuk with added worm-like properties that allowed it to automatically spread across infected networks.

Propagation is achieved by copying the executable file to identified network shares. Ryuk then creates a scheduled task on the remote computer, which allows it to spread from one Windows computer to another.

Once launched, the ransomware is distributed to every reachable machine that allows access via Windows RPC. After a recursive scan of the disks and network shares on the infected network, the malicious payload is deployed in the context of a trusted process.
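The two-step chain described above (an executable dropped on an administrative share, then a scheduled task created on the same host) is something a defender can correlate in Windows Security logs. The following is an added detection example, not code from the article or from CERT-FR; the event records are constructed, the field names are this example's own rather than a vendor schema, and only the event IDs (5145 for detailed file share access, 4698 for scheduled task creation) are real Windows values.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)            # max gap between drop and task creation
ADMIN_SHARES = ("ADMIN$", "C$")           # shares a worm would write its copy to
EXE_SUFFIXES = (".exe", ".dll")

# Constructed sample events (not real telemetry). 5145 = file share access,
# 4698 = scheduled task created; all other keys are this example's own schema.
EVENTS = [
    {"ts": "2021-02-26T09:00:05", "host": "WS01", "id": 5145, "share": "ADMIN$",
     "path": "\\rep.exe", "access": "WriteData", "src": "10.0.0.15"},
    {"ts": "2021-02-26T09:00:40", "host": "WS01", "id": 4698,
     "task": "\\Update", "command": "C:\\Windows\\rep.exe", "src": "10.0.0.15"},
    {"ts": "2021-02-26T09:03:00", "host": "WS02", "id": 4698,          # task, no drop
     "task": "\\Backup", "command": "C:\\Tools\\bk.exe", "src": "10.0.0.2"},
    {"ts": "2021-02-26T09:04:10", "host": "WS03", "id": 5145, "share": "C$",
     "path": "\\Users\\a\\report.docx", "access": "WriteData", "src": "10.0.0.9"},
    {"ts": "2021-02-26T09:07:00", "host": "WS04", "id": 5145, "share": "ADMIN$",
     "path": "\\rep.exe", "access": "WriteData", "src": "10.0.0.15"},
    {"ts": "2021-02-26T10:30:00", "host": "WS04", "id": 4698,          # drop too old
     "task": "\\Update", "command": "C:\\Windows\\rep.exe", "src": "10.0.0.15"},
]

def _t(ev):
    return datetime.fromisoformat(ev["ts"])

def is_exe_drop(ev):
    """A write of an executable into an administrative share."""
    return (ev["id"] == 5145 and ev["share"] in ADMIN_SHARES
            and ev["access"] == "WriteData"
            and ev["path"].lower().endswith(EXE_SUFFIXES))

def correlate(events, window=WINDOW):
    """One alert per task creation that follows, within `window`, an executable
    drop on the same host whose file name appears in the task's command line.
    Either event on its own is not alerted, which keeps ordinary admin activity quiet."""
    drops = [e for e in events if is_exe_drop(e)]
    alerts = []
    for task in (e for e in events if e["id"] == 4698):
        for drop in drops:
            gap = (_t(task) - _t(drop)).total_seconds()
            name = drop["path"].rsplit("\\", 1)[-1].lower()
            if (drop["host"] == task["host"] and 0 <= gap <= window.total_seconds()
                    and name in task["command"].lower()):
                alerts.append({"host": task["host"], "dropped": drop["path"],
                               "task": task["task"], "src": drop["src"]})
    return alerts

if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

Widening the window trades fewer misses for more noise; in this sample only WS01 fires at 15 minutes, while WS04 also fires once the window covers its 83-minute gap.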

"It is at this stage that the ransomware begins to encrypt all files on the network and ensures its persistence by setting the Ryuk file path value in the registry key," the experts noted.

In addition, the latest version of Ryuk does not appear to contain an exclusion mechanism that would prevent it from reinfecting the same machines. Notably, Ryuk does not encrypt certain Windows, Mozilla Firefox and Google Chrome files. As the experts explained, the core system components and browsers are left untouched so that victims can read the ransom demand and pay the attackers.

In some cases, however, Ryuk encrypts the underlying Windows files. As a result, affected organizations may find it difficult or even impossible to recover infected devices.

Let me remind you that Ryuk was also delivered as a payload of the notorious Emotet Trojan, whose infrastructure was recently taken down by law enforcement in an international operation.


About the author

Emma Davis

I'm a writer and content manager (a short time ago I completed a bachelor's degree in Marketing at Gustavus Adolphus College). For now, I have a deep drive to study cyber security.
