Ryuk ransomware propagates via local network

Ryuk ransomware propagates via local network

Ryuk is one of the most dangerous ransomware ever, as it has been used for several cyber attacks (including against hospitals), allowing its authors to gross over $ 150 million. According to the report published by the French National Security Agency, a newer version of Ryuk can spread over the local network.

Ryuk, a ransomware with worm functionality

The first appearance of Ryuk dates back to August 2018. After more than two years it is still active and the most recent version can increase the number of targets, using the LAN. The basic functionalities are those of a traditional ransomware, ie the application of encryption to make files inaccessible and the request for a ransom.

Ryuk stops over 40 processes and 180 services, especially those of antivirus and backup software, to prevent its detection and restoring copies of the operating system. Browser files are not encrypted to allow the victim to read the ransom note and make the payment in cryptocurrency.

The new variant has self-replication capabilities across the local network. First, it reads the IP addresses in the ARP table and sends a WOL (Wake-On-LAN) packet to each host to “wake up” the computers that are turned off. It then mounts all shared resources, copies itself to other computers, and sets a task (via the scheduler) to run at a specific time.

Ryuk is part of a ransomware family, known such as RaaS (Ransomware-as-a-Service), which cybercriminals have been using for several years, including Emotet, TrickBot, and BazarLoader.

Source: Bleeping Computer
Powered by Blogger.