The threat of computer viruses and other malware is on the rise. The ransomware called Ryuk is one of the most widely used among cybercriminals. It accounted for over a third of all ransomware attacks through the first three quarters of 2020.
Ryuk’s use among cybercriminals is only accelerating. This increases the chance that computers, servers, and other devices on your IT network (called endpoints by IT professionals) will fall victim to it.
Ryuk’s popularity among criminals makes sense. It’s one of the deadliest, most effective forms of ransomware. Only the best endpoint security software has a chance of stopping it before damage occurs.
Concrete actions exist to protect your business from Ryuk ransomware. Let’s first understand Ryuk and how it operates. Then we’ll examine how to defend against it.
Ryuk malware exists for one purpose: to encrypt your organization’s most important data. It uses an advanced, three-tier encryption process, making it impossible for you to access your data without paying a ransom.
The ransom itself is staggering. A typical ransom amount ranges from $100,000 to $600,000 according to the Center for Internet Security. Criminals demand payment in Bitcoin cryptocurrency.
Ryuk is a particularly nefarious type of ransomware for several reasons.
Understanding Ryuk’s behavior and code points us to the cyber threat actors (CTAs) behind it. Ryuk’s code structure is similar to Hermes ransomware. Cybersecurity experts originally thought Ryuk had ties to the Lazarus Group, the CTAs based in North Korea who developed Hermes.
Cybersecurity professionals now attribute Ryuk’s origin to two Russian CTAs: Wizard Spider and CryptoTech. Wizard Spider operates TrickBot, a Trojan that evolved to support multiple criminal uses including delivery of Ryuk ransomware. CryptoTech claimed to have upgraded Hermes into Ryuk.
Delivery of the Ryuk virus involves other types of malware. It often uses TrickBot, the Emotet Trojan-turned-bot malware, or both, to take control of your computer, disable your antivirus, and download Ryuk.
The attack typically begins with an innocuous email. The email contains an attachment that appears to come from a customer, your bank, or other trusted source.
When the employee opens the attachment, a series of computer commands activates, infecting your machine. Ryuk then immediately infects other endpoints across your IT environment.
In this way, valuable business data undergoes encryption wherever it’s stored on your network. The criminals leave a ransom note alongside the encrypted files detailing their demands. Some even include a video tutorial on how to buy Bitcoin and send the ransom.
Protecting your business from Ryuk and other cyber threats, such as Spider malware, requires a multi-layered security approach. This involves implementing all the items on the list below.
The best way to thwart Ryuk and other ransomware is to maintain up-to-date backups of your data. This should already be happening, but the key is to use a time-tested model that prevents Ryuk from getting to those backups.
A popular approach is the 3-2-1 strategy: keep three copies of your data, on two different types of storage media, with one copy stored off-site.
You can modify the 3-2-1 approach to fit the specific needs of your business. Other models can also increase your data protection.
Backing up your data to multiple off-site locations is ideal, making a 3-2-2 strategy a stronger model. This could involve one cloud-based storage option and an off-site space geographically separate from your business location. Or for even stronger security, you could use a 3-2-3 model where you store data with two cloud vendors and in a third, off-site location.
Technology vendors routinely provide updates to their products to patch them against new cyber threats. Reduce your IT network’s susceptibility to Ryuk and other malware by implementing these updates. This includes hardware such as routers and modems.
Most software can automatically check for updates online and install them for you. That isn’t necessarily the case for your hardware.
Charter Communications supplies a free modem with my internet service, but they’re not responsible for patching and updating it. In these situations, your business may need to buy its own modem to take control of your security.
Macros are small programs used to automate repetitive tasks. Microsoft Office software uses macros throughout its products.
Criminals exploit these macros to run commands that take over your computer. It’s a common tactic used in Ryuk ransomware attacks.
Most staff don’t require macros to do their jobs. It’s safer to disable these macros by default, and Microsoft provides settings to do so.
Cybercriminals prey on unsuspecting victims. Raise awareness and educate your team on how to avoid dangers such as Ryuk.
These online habits increase your organization’s safety dramatically.
Even in companies with a security operations center (SOC), it’s often assumed people understand how to protect themselves from cyber threats. But many can’t keep up with the constant evolution of criminal tactics, so ongoing education is necessary.
It’s generally accepted that every computing device requires endpoint protection. Whether it’s a laptop, server, or mobile phone, every endpoint is a potential doorway for criminals.
If you’re a freelancer or solo entrepreneur with a home-based business, you can usually get by with the Microsoft antivirus preinstalled on Windows computers. Microsoft dramatically improved its antivirus software to include artificial intelligence and other advanced threat protection capabilities.
Larger companies require more robust endpoint security. Software such as the CrowdStrike Falcon platform can proactively detect Ryuk behavior and stop it before it infects your network.
Endpoint security software is an effective way to ensure all hardware and software across the organization stays updated with the latest patches. It highlights areas of vulnerability to address. Endpoint security also proactively blocks suspicious emails and websites, stopping an attack from reaching unsuspecting staff.
Criminals leave copies of their ransom notes in folders throughout your IT network. The note is usually a text file titled RyukReadMe.txt. In one variant, the ransom note is an HTML file titled RyukReadMe.html.
You’ll also suddenly find several encrypted files with filenames ending with the ".RYK" extension. For instance, a file called "financials.xlsx" will change to "financials.xlsx.RYK" after encryption.
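The two indicators above (the RyukReadMe note names and the .RYK extension) are the only Ryuk-specific facts this example takes from the article; the scanner itself is an added illustration, not a tool the article or any vendor ships. It walks a file share, groups the findings by directory so responders can see how far the encryption spread, and recovers the original filename from an encrypted one. The sample path list is constructed for the example.

```python
import os
from collections import defaultdict

# Indicator names taken from the article; compared case-insensitively.
RANSOM_NOTES = {"ryukreadme.txt", "ryukreadme.html"}
ENCRYPTED_EXT = ".ryk"

# Constructed sample listing standing in for a walked file share.
SAMPLE_PATHS = [
    "finance/RyukReadMe.txt",
    "finance/financials.xlsx.RYK",
    "finance/budget.docx.RYK",
    "hr/RyukReadMe.html",
    "hr/handbook.pdf.ryk",
    "it/notes.txt",          # unrelated file, must not be flagged
]


def classify(path):
    """Return 'note', 'encrypted', or None for a single file path."""
    name = os.path.basename(path).lower()
    if name in RANSOM_NOTES:
        return "note"
    if name.endswith(ENCRYPTED_EXT):
        return "encrypted"
    return None


def find_indicators(paths):
    """Group indicator hits by directory: {dir: {'notes': [...], 'encrypted': [...]}}."""
    findings = defaultdict(lambda: {"notes": [], "encrypted": []})
    for path in paths:
        kind = classify(path)
        if kind is None:
            continue
        directory = os.path.dirname(path) or "."
        findings[directory]["notes" if kind == "note" else "encrypted"].append(
            os.path.basename(path))
    return dict(findings)


def scan_tree(root):
    """Walk a real directory tree and feed every file path to find_indicators."""
    paths = (os.path.join(d, f) for d, _, files in os.walk(root) for f in files)
    return find_indicators(paths)


def summarize(findings):
    """Totals a responder needs to gauge scope at a glance."""
    return {"directories": len(findings),
            "notes": sum(len(v["notes"]) for v in findings.values()),
            "encrypted": sum(len(v["encrypted"]) for v in findings.values())}


def original_name(encrypted_name):
    """'financials.xlsx.RYK' -> 'financials.xlsx'; other names are returned unchanged."""
    if encrypted_name.lower().endswith(ENCRYPTED_EXT):
        return encrypted_name[:-len(ENCRYPTED_EXT)]
    return encrypted_name


if __name__ == "__main__":
    hits = find_indicators(SAMPLE_PATHS)   # replace with scan_tree("/path") for a real share
    for directory, items in sorted(hits.items()):
        print(directory, items)
    print(summarize(hits))
```

On a live system, run `scan_tree` against the affected share read-only and keep the report alongside your incident notes; it tells you which directories to prioritise when restoring from the off-site backups discussed above.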
Security experts warn not to pay the ransom, and they’re right. Criminals used Ryuk to target healthcare organizations, particularly hospitals, amidst the coronavirus pandemic. They don’t care if you regain access to your files even after payment.
If you pay and are fortunate enough to receive the decryption key required to recover your data, the process to decrypt files isn’t easy. You’ll need technical expertise.
Also, you may experience data loss anyway. It’s possible your database became corrupted during the initial encryption process, but you won’t know until you’ve paid the ransom and decrypted the data.
No free software tool can decrypt files that fall victim to Ryuk. Even with professional help, depending on the Ryuk variant and sophistication of the criminals launching the attack, it may be impossible to decrypt infected files by any means without the decryption key.
Still, if you’re attacked by Ryuk or other ransomware, it’s worth trying to recover your files without paying the attackers. Check out the No More Ransom Project, developed by law enforcement together with Kaspersky and McAfee, to get help.
You can’t always prevent cyberattacks. Preparation is your best defense against cyber threats. With backups safely stored off-site, if Ryuk strikes, you can focus on clearing the infection rather than worrying about your data.
Be aware that a Ryuk attack can hide additional undetected malware on your system while you focus on Ryuk remediation. Take time to carefully vet your IT network before attempting to restore your data.
Endpoint security software is key. Look for capabilities such as threat hunting to ensure your systems are virus-free.
This holistic approach to IT security ensures your organization is well-positioned to weather the threats lurking in cyberspace.