Ryuk ransomware propagates via local network


Ryuk is one of the most dangerous ransomware families ever seen: it has been used in numerous cyber attacks (including against hospitals) and has allowed its operators to gross over $150 million. According to a report published by the French National Cybersecurity Agency (ANSSI), a newer version of Ryuk can spread on its own across the local network.

Ryuk, a ransomware with worm functionality

Ryuk first appeared in August 2018. More than two years later it is still active, and the most recent variant can widen its reach by spreading over the LAN. Its basic functionality is that of traditional ransomware, i.e. encrypting files to make them inaccessible and demanding a ransom.

Ryuk stops over 40 processes and 180 services, especially those belonging to antivirus and backup software, in order to evade detection and to prevent the system from being restored from backup or restore-point copies. Browser files are deliberately left unencrypted so that the victim can still read the ransom note and make the payment in cryptocurrency.

The new variant has self-replication capabilities across the local network. First, it reads the IP addresses in the ARP table and sends a WOL (Wake-On-LAN) magic packet to each entry to "wake up" computers that are powered off. It then mounts every reachable shared resource, copies itself to the other computers, and creates a scheduled task on each of them so that the copy runs at a set time.
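The first step of that sweep leaves a distinctive trace on the wire: a WOL magic packet is a fixed 102-byte UDP payload (6 bytes of 0xFF followed by the target MAC address repeated 16 times), and a single workstation firing one at every ARP-table entry is unlike normal IT use of WOL. The script below is an added example, not code from the article or from the ANSSI report: it builds a magic packet exactly as the standard defines it, parses one back out of a raw UDP payload, and flags any source that wakes several distinct MACs. The UDP ports (7 and 9), the burst threshold of 3 and the sample datagrams are all assumptions constructed for the example.

```python
"""Spot a Wake-On-LAN sweep of the kind described above.

Added example (not from the article). Magic-packet layout follows the
public WOL specification; ports, threshold and sample data are assumptions.
"""

# UDP ports commonly used for WOL magic packets (assumption: tune to your network)
WOL_PORTS = {7, 9}


def parse_mac(mac: str) -> bytes:
    """Turn 'aa:bb:cc:dd:ee:ff' or 'aa-bb-cc-dd-ee-ff' into 6 raw bytes."""
    parts = mac.replace("-", ":").split(":")
    if len(parts) != 6:
        raise ValueError(f"bad MAC address: {mac!r}")
    return bytes(int(p, 16) for p in parts)


def format_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_magic_packet(mac: str) -> bytes:
    """6 sync bytes of 0xFF followed by the target MAC repeated 16 times (102 bytes)."""
    return b"\xff" * 6 + parse_mac(mac) * 16


def wol_target(payload: bytes):
    """Return the woken MAC if `payload` is a well-formed magic packet, else None.

    Some senders append a 4- or 6-byte SecureOn password, so 106 and 108
    byte payloads are accepted as well; anything else is treated as noise.
    """
    if len(payload) not in (102, 106, 108):
        return None
    if payload[:6] != b"\xff" * 6:
        return None
    mac = payload[6:12]
    if payload[6:102] != mac * 16:  # the MAC must repeat exactly 16 times
        return None
    return format_mac(mac)


def find_wol_bursts(datagrams, threshold=3):
    """datagrams: iterable of (src_ip, dst_udp_port, payload) tuples.

    Returns {src_ip: [sorted target MACs]} for every source that woke at
    least `threshold` distinct hosts, i.e. the ARP-table sweep pattern.
    """
    targets = {}
    for src, dport, payload in datagrams:
        if dport not in WOL_PORTS:
            continue
        mac = wol_target(payload)
        if mac is None:
            continue
        targets.setdefault(src, set()).add(mac)
    return {src: sorted(macs) for src, macs in targets.items() if len(macs) >= threshold}


# Constructed sample traffic (assumption): one host sweeping four neighbours,
# one admin waking a single machine, plus two non-WOL datagrams.
SAMPLE_DATAGRAMS = [
    ("10.0.0.23", 9, build_magic_packet("00:11:22:33:44:55")),
    ("10.0.0.23", 9, build_magic_packet("00:11:22:33:44:66")),
    ("10.0.0.23", 9, build_magic_packet("00:11:22:33:44:77")),
    ("10.0.0.23", 9, build_magic_packet("00:11:22:33:44:88")),
    ("10.0.0.5", 9, build_magic_packet("aa:bb:cc:dd:ee:ff")),  # single legitimate wake-up
    ("10.0.0.5", 53, b"\xff" * 6 + b"\x00" * 96),              # wrong port: not WOL
    ("10.0.0.9", 9, b"\xff" * 6 + b"\x01" * 50),               # malformed: ignored
]


if __name__ == "__main__":
    for src, macs in find_wol_bursts(SAMPLE_DATAGRAMS).items():
        print(f"{src} sent magic packets to {len(macs)} distinct hosts: {', '.join(macs)}")
```

On a real network the datagrams would come from a packet capture or a NetFlow/IDS feed rather than the constructed list; the point is that the detection needs only the UDP port and the first 102 bytes of payload, and that a threshold above 1 keeps ordinary administrative wake-ups out of the alert.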

Ryuk is distributed under the Ransomware-as-a-Service (RaaS) model and is typically delivered by initial-access malware that cybercriminals have been using for several years, including Emotet, TrickBot and BazarLoader.

Source: Bleeping Computer