Ryuk Ransomware: Mitigation and Defense Action Items

The FBI, DHS, and HHS are warning of imminent Ryuk ransomware attacks targeting hospitals in the US. The story is being covered broadly by the industry media, including  Krebs and various media outlets.

Cybereason Blocks Ryuk

Cybereason recommends that all customers activate their prevention stack to be set on “Prevent” mode (AV, NGAV, Powershell, AntiRW). All Ryuk samples obtained to date have been confirmed to be blocked with Cybereason NGAV on “Moderate” or by Cybereason Anti-Ransomware with Canary files set to “Visible” on product versions 19.2 and 20.1.

Ryuk also has other behavioral indicators that trigger detection by the Cybereason Defense Platform which include process injection for defense evasion, stopping the Windows VSS service for backup removal, creation of registry autoruns for persistence, and more.

Maintain Interim High Alert/Response Diligence Process

In order to keep critical systems secure and avoid any disruptions to the delivery of life-saving healthcare services, Cybereason recommends that organizations maintain a high degree of vigilance and detection sensitivity during this time period, including:

Spear-Phishing Awareness: 

The threat actors may attempt to use their knowledge of an organization’s people, business jargon, and enterprise systems to craft an effective social engineering campaign. Such tactics may be extremely hard to detect until it’s too late, magnifying the importance of diligence regarding any suspicious external communications.

Second-Order Password Attacks: 

Armed with the stolen credentials of an organization’s users and services, the threat actor may attempt to employ techniques such as password spraying against the organization's email service or VPN gateways. Alternatively, it is also common for users to re-use passwords across multiple sites/services where the threat actor could attempt to compromise other services by leveraging a collection of email addresses and cracked passwords.

Exploitation of Vulnerable Services:

With knowledge of the products and tools in use within an organization’s IT environment, the threat actor may attempt to identify vulnerable or unpatched software that could be exploited to regain access to the network.

Regular Security Reviews:

At least for the near future, organizations should implement a regular security review intended to highlight any escalated or suspected security concerns that may be linked to an ongoing campaign of targeting by the threat actor. Ultimately, this should be supplanted by a formal security operations process and proactive monitoring and threat hunting program for the long-term.

Implement/Review a Phishing Resiliency Action Plan

Phishing is a perennial favorite of attackers and is a difficult security threat to address, particularly when the attack vector is via personal or out-of-band email services. However, a unified, multi-layered strategy can be effective at minimizing the risk to enterprises:

Invest in Regular Employee Training and Awareness Campaigns:

Targeted phishing campaigns (otherwise known as spear-phishing) can be extremely sophisticated and difficult for victims to spot; however, the majority of phishing attacks are opportunistic and low quality. 

Training employees on the common hallmarks of malicious, suspicious, and inauthentic messages can reduce the chance that they will fall victim to phishing campaigns and put the enterprise at risk. This guidance should be reinforced regularly, including reminders of the process to report and escalate concerns to the security team.

Implement a Robust and Low-Friction Reporting Mechanism: 

To increase the chances of detecting possible spear-phishing campaigns, and to give users a clear alerting path for reporting security concerns, organizations should consider implementing a reporting mechanism such as a dedicated internal mailbox for phishing and other social engineering activity.

Implement an Email Protection Solution:

Email protection services, particularly those that provide URL/attachment protection and threat actor campaign tracking, can be effective at combating potential phishing attacks. Notably, they can significantly reduce the time to triage phishing-based compromises by providing an additional layer of security telemetry, such as details of all users who clicked a malicious link embedded in an email, alongside host and network-based tools. 

Enforce Personal Email and Chat Service Use Policy on Enterprise Devices:   

To  maximize the effectiveness of the in-band solutions proposed above, any out-of-band email and communications should be restricted to untrusted networks and personal devices. Where possible, requiring employees to use a “guest network” to access their personal email and block unofficial mail providers via a web proxy, ideally by categorization is recommended.

Harden Remote Access Infrastructure

Any remote access infrastructure and services should be reviewed from the perspective of hardening them against second-order attacks. This review should include:

Implementing Multi-Factor Authentication (MFA):

This step significantly reduces the likelihood of stolen credentials being used to gain entry through legitimate access gateways. Note that this includes all forms of credential theft, not just those resulting from the Active Directory compromise. Phishing, credential stuffing and other attacks against username/password authentication become much less likely to succeed with robust MFA.

Audit and Monitoring of Access Logs:

Implementing an access gateway monitoring process, ideally as part of a larger security monitoring and centralization effort, will increase the likelihood of detecting unauthorized access attempts, both successful and failed. This capability can also improve resiliency of business continuity in potential future Incidents.

Regular Audits of Accounts and Access Requirements:

Remote access via VPN, VDI, and other access gateways should be strictly limited to those who require it. This requirement should be regularly reviewed to minimize the likelihood that vulnerable or unnecessary accounts could be used by an attacker to access the network. This review should include IT partners and suppliers who require access to an organization’sIT infrastructure.

Ensure Endpoint Visibility & Coverage

Cybereason recommends establishing the highest possible deployment saturation of endpoint visibility to all enterprise assets, coupled with compensating controls and defensible system architecture where endpoint agent installation is not possible.

Cybereason is Here to Help

For more information on steps to take to reduce the risk of a Ryuk ransomware infection, or the numerous ways Cybereason detects and blocks Ryuk ransomware attacks, you can reach out to a Cybereason Defender here.


Maranda Cigna
About the Author

Maranda Cigna

Maranda Cigna, Vice President of Product Marketing, is a cybersecurity practitioner turned product marketer with 15+ years of experience in the global security and technology businesses spanning marketing, consulting, business operations, and product development.

All Posts by Maranda Cigna