CybersafetyConnections June 2021 Vol#19

Be In The Know 

  • Test subject is the Ryuk Ransomware on the loose since 2018. 
  • Victims so far and how it worked then and now. 
  • Guidance on ransomware prevention. 

Microsoft 365 Stock Images

Ryuk Ransomware  

Since 2018, a particular ransomware, Ryuk ransomware was spotted and it happens to be an extract from the Hermes ransomware.  

Victims  

Last year there was an attack on a large health care organization with operations in U.K and U.S. This caused the shut down of computers and systems at all of its U.S. health care centers, and caused the group to send patients to other hospitals.  

By early October, the health care provider reported that it was restoring its main IT network and reconnecting applications. Also, it had recovered its servers at the corporate data center and linked U.S. inpatient facilities back to the data center.  

 Other Ryuk ransomware victims include a U.S. agency, a large engineering and construction services firm, city and county government, a financial software provider, a food and drink manufacturer, and a newspaper.  

 FBI Alert  

The FBI issued an alert in June 2020 warning that Ryuk ransomware operators were targeting K-12 educational institutions. In the alert, the agency reported an increased number of Ryuk ransomware attacks were misusing remote desktop protocol (RDP) a proprietary protocol developed by Microsoft that provides users a graphical interface to connect to another computer over a network connection to carry out the attacks.  

How IT Works 

Initially, the actors were manually hacking the systems to gain access and use tools to move through the network to then gain administrative access to as many systems as possible before encrypting the files.With this strategy the unauthorized presence could be detected.   

Now there is a shift in strategy which involves sending an encoded command that will download the initial code to disable the security, stop data back up and scan the network after gaining unauthorized access to system/resources. The bad actors also take advantage of Windows Management Instrumentation (WMIC) and BitsAdmin to install the ransomware.  

This shift in strategy was to help the Ryuk ransomware go undetected and remain much longer in the infected network.  

Guidance on Ransomware Prevention

A lot of ransomware is distributed by the means of phishing attacks in which users are tricked into clicking a link on an email that gives the hackers wide access to their system.  

How then do you protect your network from Ryuk and other ransomware? To help companies fight the threat, the U.S. federal government has issued guidance on ransomware prevention.  

The guidance is a recommended set of questions to ask your organizations to help prevent ransomware attacks and keep your network safe. 

Backups: Do we back up critical information? Are backups stored offline? Have we tested our capacity to recover backups during an attack? 

Risk Analysis: Have we carried out a risk analysis of the organization? 

Staff Training: Have we conducted staff training on cybersecurity best practices? 

Vulnerability Patching: Have we implemented comprehensive patching of system vulnerabilities? 

Application Whitelisting: Do we allow only approved applications on our networks? 

Incident Response: Have we written an incident response plan? Have we practiced it? 

Business Continuity: Are we able to continue business operations without access to critical systems? For how long? Have we tested this? 

Penetration Testing: Have we tried to hack into our own systems to test their security and our ability to defend against attacks? 

In conclusion our best offense is a commitment to cyber hygiene and best practices to keep our networks secure .

1.Ryuk Ransomware 

2.Guidance 

3.FBI Alert 

4.Shift In Strategy 

Please subscribe to get the latest update.