Everything about Ryuk Ransomware

What is a Ryuk Ransomware Attack?

Ryuk is a type of ransomware used in targeted attacks, in which threat actors make sure that the files the victim needs are encrypted so that they can demand a large ransom. It was first discovered in August 2018. A Ryuk ransom demand can range up to a few hundred thousand dollars. Malwarebytes identifies this as a ransom.


How does Ryuk work?

Ryuk is one of the first ransomware families to include the ability to identify and encrypt network drives and resources and to remove shadow copies on endpoints. This means attackers can disable Windows System Restore for users, making it impossible to recover from an attack without external backups or rollback techniques.
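
Removing shadow copies and switching off recovery is normally done by running built-in Windows tools, so it is visible in process-creation logs. The following Python script is an added example, not part of the original article: it flags such command lines in constructed events and lists the hosts to isolate. The host names, event fields and rule names are assumptions, and the patterns describe the behaviour in general rather than a specific Ryuk sample.

```python
import re

# Command-line patterns for built-in tools that delete shadow copies or
# switch off Windows recovery. They describe the behaviour in general and
# are not signatures taken from a Ryuk sample.
RULES = {
    "vssadmin_delete_shadows": r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b",
    "vssadmin_resize_storage": r"\bvssadmin(\.exe)?\b.*\bresize\s+shadowstorage\b",
    "wmic_shadowcopy_delete": r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b",
    "bcdedit_recovery_off": r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b",
    "wbadmin_delete_catalog": r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog\b",
}
COMPILED = {name: re.compile(rx) for name, rx in RULES.items()}

def normalize(cmdline):
    """Lower-case, collapse whitespace and drop cmd.exe carets and quotes,
    which would otherwise split a tool name (vss^admin) and hide it."""
    return re.sub(r"\s+", " ", re.sub(r'[\^"]', "", cmdline)).strip().lower()

def match_rules(cmdline):
    text = normalize(cmdline)
    return [name for name, rx in COMPILED.items() if rx.search(text)]

def scan(events):
    """Return one finding per (event, rule) hit, in input order."""
    return [{"host": e["host"], "time": e["time"], "rule": rule}
            for e in events
            for rule in match_rules(e["cmdline"])]

def hosts_to_isolate(findings):
    return sorted({f["host"] for f in findings})

# Constructed process-creation events (hypothetical hosts and field names).
SAMPLE = [
    {"time": "2024-05-01T02:11:04Z", "host": "WS-014", "cmdline": "vssadmin.exe Delete Shadows /all /quiet"},
    {"time": "2024-05-01T02:11:05Z", "host": "WS-014", "cmdline": "cmd.exe /c vss^admin resize shadowstorage /for=C: /on=C: /maxsize=401MB"},
    {"time": "2024-05-01T02:11:09Z", "host": "FS-02", "cmdline": "wmic.exe shadowcopy delete"},
    {"time": "2024-05-01T02:12:30Z", "host": "WS-020", "cmdline": "vssadmin list shadows"},
    {"time": "2024-05-01T02:13:00Z", "host": "BK-01", "cmdline": "wbadmin start backup -backupTarget:E: -include:C:"},
    {"time": "2024-05-01T02:13:12Z", "host": "FS-02", "cmdline": "bcdedit /set {default} recoveryenabled No"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f["time"], f["host"], f["rule"])
    print("isolate:", hosts_to_isolate(scan(SAMPLE)))
```

Listing shadow copies and starting a backup are left alone; only deletion, storage resizing and disabling recovery are reported.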


How is Ryuk Delivered?

As with many malware attacks, Ryuk is delivered through spam email. These emails are often sent from fake addresses, so the sender's name does not raise suspicion. The attack begins when a victim opens a document delivered by a phishing email. When you open links in phishing emails, malware enters your system and encrypts your files.


How to Prevent Ryuk Ransomware?

1. The first step to protecting against any ransomware attack is to invest in anti-malware/antivirus protection.

2. Update software and operating systems with the latest patches. Most of the targets of attacks are older applications and operating systems.

3. Never click on links or open attachments in unsolicited emails.

4. Back up your data on a regular basis, keep the backups on a separate device, and store them offline.

5. Follow safe practices when browsing the Internet.

6. Be suspicious of unexpected emails. Phishing email is currently one of the most prevalent risks to the average user. Phishing attacks aim to gain information about you, steal money from you, or install malware on your device. Be suspicious of all unexpected emails.

7. Buy a USB or external hard drive where you can save new or updated files. Just make sure to physically disconnect the devices from your computer after backing up; otherwise they might get infected with ransomware as well.


How can I Remove Ryuk Ransomware?

The first step in incident response is containment and eradication.


Containment consists of mitigations that prevent the spread of threats, and eradication means removing the malware from the affected system.


If you have been targeted by this ransomware, the following steps will help you mitigate it. The first four steps relate to containment, the phase that prevents further spread, and it is important to perform them as soon as you learn of the infection. Please note that a specialist digital forensics and incident response company may be needed to ensure that you have completely removed this threat from your environment and to prevent further attacks.



1. Disconnect the computer from the Internet. This ransomware spreads rapidly. Complete isolation of infected machines from both wireless and wired connections is therefore imperative to prevent new infections on the network.

2. If you are sure it is Ryuk, immediately disconnect your AD domain controllers from the network.

3. Unplug all external storage devices. Do not connect any additional external storage as it may also be encrypted.

4. Do not pay the ransom to the attacker. Your chances of recovering your data are low even if you pay, and paying will only encourage attackers to run more campaigns.



5. Contact an expert for assistance.

6. If possible, image the system so that you can provide it to security personnel to investigate the point of compromise.

7. Reinstall your operating system.

8. Before connecting it back to the main network, scan the computer with an antivirus solution and remove any detected infections. It is not recommended to rely on automated tools alone to remove this sophisticated malware. Automated tools are a good option in combination with manual checking and additional removal of registry entries, etc.

9. Make sure the infection is not present on your backup, then restore your data from a clean backup.
