Ryuk Ransomware and Cyber Hygiene – The Monitor, February 2019

During the February reporting period, Kroll’s cyber team responded to a large volume of ransomware attacks. The most common ransomware reported was Ryuk, followed by Dharma, Hermes, Nozelesn and Gandcrab.

Kroll identified 15 ransomware cases via its cyber intake process in February 2019. Ransomware most commonly targets the medical sector; however, Ryuk ransomware frequently targets the retail industry. Two of Ryuk’s victims were associated with retail electronics and media solutions.

According to multiple sources, Ryuk ransomware was deployed in 2018 and is more customized than most ransomware families. Ryuk is particularly effective, as it leverages infrastructure tied to banking trojans to deploy ransomware on targets that are most likely to pay ransomware demands. Recent reporting attributes Ryuk to crimeware hackers based in Russia, who likely altered Hermes ransomware for their own uses.

According to the New Jersey Cybercrime Communications and Integration Cell (NJCCIC), Ryuk is now believed to have been developed by profit-motivated cyber criminals and is being delivered subsequent to an initial TrickBot or Emotet infection.

Ryuk differs from other ransomware families in its delivery mechanism. While most types of ransomware rely on phishing attacks or open Remote Desktop Protocol (RDP) connections, Ryuk leverages established command and control servers associated with the Trickbot and Emotet banking trojans. This allows the Ryuk attackers to reach a large swath of victims, cherry-pick the best targets, and tailor ransom demands to each organization.

According to one ransom note Kroll reviewed, victims receive a standard Ryuk ransom note with directions to contact a Swiss-based ProtonMail email address. This is followed by varying demands for bitcoin payment.

While the Ryuk attackers profit from their Trickbot and Emotet connections, the same connection also provides a tripwire: an Emotet or Trickbot infection can alert victim organizations to a potential follow-on ransomware attack.

The Trickbot Connection

Recent reporting from multiple sources suggests cyber actors are using Ryuk in tandem with Trickbot trojan infrastructure. Trickbot is a banking trojan, malware used to obtain credentials for sensitive accounts. Ryuk actors likely use Trickbot command and control servers to gain access to many networks, and then launch Ryuk ransomware against the highest priority targets. The crime group using Ryuk is known for tailored attack campaigns focusing on espionage, data theft and financially motivated attacks.

Cyber Hygiene: Best Practices and Recommendations for Securing Your Network Against Ryuk Ransomware [1]

  • Conduct routine security risk assessments.
  • Perform ongoing vulnerability and penetration testing.
  • Implement endpoint monitoring and protections, such as Kroll’s CyberDetectER® Endpoint, to respond swiftly to credible threats on your network.
  • Utilize a firewall to block all public access to Server Message Block (SMB, port 445) and Remote Desktop Protocol (RDP, port 3389). Remote access should be restricted to a dedicated server that requires multifactor authentication (MFA), enforces sufficient privilege restrictions and provides logging capability.
  • File Integrity Monitoring should also be configured to monitor file creations in trusted locations, such as the System32 directory. It can also be used to monitor deletions, with an alert configured to fire on an excessive number of deletions in a row.
  • Windows event logs should be monitored to detect any scheduled task creation events, and registry auditing should be enabled to capture any additions to HKLM\Software\Microsoft\Windows\CurrentVersion\Run.
  • Practice incident response scenarios, which include complex attacks combining disruption through ransomware, DDoS, network downtime, etc.
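As an added illustration (not code from the Kroll article), the following Python sketch implements the monitoring controls listed above on constructed sample events: it flags scheduled-task creation and writes under the Run key, and alerts once per burst of file deletions. Event IDs 4698 and 4657 are real Windows Security event IDs; the record layout, thresholds and sample data are assumptions.

```python
# Added example, not from the Kroll article: toy detection logic on constructed events.
from datetime import datetime, timedelta

RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"

# Windows Security event IDs: 4698 = scheduled task created, 4657 = registry
# value modified. The record layout here is a simplified assumption, not the real schema.
SAMPLE_EVENTS = [  # constructed sample data
    {"time": "2019-02-12T03:14:05", "id": 4657, "object": RUN_KEY,
     "value": "svchosts", "data": r"C:\Users\Public\svchosts.exe"},
    {"time": "2019-02-12T03:14:09", "id": 4698, "task": r"\Updater"},
    {"time": "2019-02-12T03:15:00", "id": 4657, "object": r"HKLM\Software\Vendor",
     "value": "Setting", "data": "1"},  # benign registry write, must not alert
]

# Constructed file-deletion timestamps: 3 routine deletions, then 25 within 25 seconds.
DELETE_TIMES = ["2019-02-12T02:00:00", "2019-02-12T02:00:30", "2019-02-12T02:01:00"]
DELETE_TIMES += [(datetime(2019, 2, 12, 3, 16) + timedelta(seconds=i)).isoformat()
                 for i in range(25)]

def persistence_alerts(events):
    """Flag scheduled-task creation and any value written under the Run key."""
    alerts = []
    for e in events:
        if e["id"] == 4698:
            alerts.append(f"{e['time']} scheduled task created: {e['task']}")
        elif e["id"] == 4657 and e["object"].lower().startswith(RUN_KEY.lower()):
            alerts.append(f"{e['time']} Run key modified: {e['value']} = {e['data']}")
    return alerts

def delete_bursts(delete_times, threshold=20, window=timedelta(seconds=60)):
    """Return the start time of each window holding >= threshold deletions (once per burst)."""
    # Sliding window over sorted timestamps; in_burst stops re-alerting on every new deletion.
    times = sorted(datetime.fromisoformat(t) for t in delete_times)
    alerts, start, in_burst = [], 0, False
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        count = end - start + 1
        if count >= threshold and not in_burst:
            alerts.append(times[start].isoformat())
            in_burst = True
        elif count < threshold:
            in_burst = False
    return alerts

if __name__ == "__main__":
    for line in persistence_alerts(SAMPLE_EVENTS) + delete_bursts(DELETE_TIMES):
        print("ALERT", line)
```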

Follow These Best Practices When Responding to a Ransomware Attack [2]

  • Take a snapshot of your system. Prior to shutting down your system, if it is at all possible, try to capture a snapshot of the system memory.
  • Shut down your system. To prevent the further spread of the ransomware and inevitable damage to data, shut down the system believed to be infected.
  • Identify the attack vector. Recall all emails suspected of carrying the ransomware attack to prevent further spread of the attack.
  • Block network access to any identified command-and-control servers used by the ransomware. Ransomware often cannot encrypt data without access to these servers.
  • Notify authorities. Consider informing authorities so they can help with the investigation.

This article was extracted from the Monitor newsletter, a monthly digest of Kroll’s global cyber risk case intake. The newsletter also includes an analysis of the month’s most popular threat types investigated by our cyber experts.

[1] Healthcare IT News; “HHS HCCIC cybersecurity alert: New Ryuk ransomware quickly racking up damage”; https://www.healthcareitnews.com/news/hhs-hccic-cybersecurity-alert-new-ryuk-ransomware-quickly-racking-damage
[2] Carnegie Mellon Software Engineering Institute; “Ransomware: Best Practices for Prevention and Response”; https://insights.sei.cmu.edu/sei_blog/2017/05/ransomware-best-practices-for-prevention-and-response.html
