Close
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Big Data and Analytics
    • Big Data and Analytics
    • Cybersecurity
    • Database
    • IT Management
    • Networking

    How Enterprises Can Avoid the Ryuk Ransomware With Right Strategy

    By
    Wayne Rash
    -
    January 3, 2019
    Share
    Facebook
    Twitter
    Linkedin
      Ryuk.ransomware

      During the holiday period between Christmas and New Year’s in 2018, workers at a Tribune Co. newspaper location in South Florida found out that they couldn’t upload late-breaking sports scores to the portion of their CMS that handles printing and distribution. Later, other newspapers in the Tribune chain discovered other problems related to the printing and distribution of their papers, as did the Los Angeles Times, which used to be part of the Tribune group but still uses the printing and distribution software.

      As the Tribune IT staff investigated, they found that the Ryuk malware had encrypted critical portions of their operations and that a ransom was being demanded to reverse the attack. Eventually, the newspapers were able to overcome the effects of the attack, but the newspapers were delayed; some went to press without a portion of their advertising.

      At about the same time, security researcher Brian Krebs reported that cloud hosting provider DataResolution.net suffered a similar attack. There the company immediately shut down their network to avoid the further spread of the malware and then worked on a resolution. Since then, both DataResolution and the Tribune companies have moved along in their recovery. Neither has said whether they paid the ransom, but considering the time it took for each to recover, it appears that they did not.

      DataResolution Identifies Hackers as Being From North Korea

      The staff at DataResolution announced that the attackers were from North Korea, and that the attackers were professionals. How they knew who to attribute the attack to is unclear, but perhaps it turned up in the ransom demand.

      The Ryuk malware is different from most malware in that it doesn’t really spread itself across the internet. Instead, according to Stu Sjouwerman, CEO of KnowBe4, the spread of Ryuk takes place slowly and carefully, and it’s usually performed manually by the bad guys once they’ve penetrated a network.

      When they’re in the network, the attackers study it and prepare a “whitelist” of programs and files they don’t want attacked. This allows the victim to have enough control over the compromised server to be able to apply the fix that’s provided by the attackers once the ransom is paid. Once everything is ready, then the attackers unleash the malware.

      Sjouwerman noted that the attackers who use the Ryuk ransomware specifically attack companies that cannot afford downtime and then price their ransom accordingly. He said that one recent victim paid the attackers nearly $400,000 to get the decryption key.

      Normally the attackers make sure to also attack and encrypt any backups or other copies of the data that they’ve encrypted, but they’re not always successful. DataResolution said in a status update that the company was able to retrieve copies of what was encrypted from other production servers that weren’t attacked. Apparently, the decision to shut everything down was an appropriate response in this attack. But no matter how you look at it, a Ryuk attack is going to be expensive, so it’s best to prevent it from happening.

      Nation-State Attackers Have Unlimited Resources

      Unfortunately, keeping a nation-state attacker out of your network is tough. They have essentially unlimited resources, so they can search for compromising information until they find it, and they can pound on your network essentially forever until they find a hole that will allow them to enter.

      Sjouwerman said there are basically two ways that such attackers break into your network. One is through phishing attacks, in which they will use information they’ve found about your organization to get the confidence of your employees so they can use phishing. Good training and careful control over your incoming email can minimize the success of those attacks.

      The other method is an RDP attack. This happens when the remote desktop service on a computer somewhere on your network is vulnerable, then they go in through that RDP connection and effectively are free to move about your network. Because RDP credentials are widely available to attackers, this has become the most common method of attack for Ryuk attacks.

      Steps to Take Now

      There are some steps you can take to reduce the likelihood of a successful attack.

      • Disable Remote Desktop on every computer on your network.
      • Where you can’t remove RDP, replace it with a third-party version that is secure and that can provide two-factor authentication.
      • Require two-factor authentication for any changes to your network devices, including your servers and to your clients. The second factor should be a physical smart card or USB key, not an SMS text message.
      • Impose a password management policy on your network, including a requirement that all passwords be changed immediately. At this point, any passwords that have been in use for a while will have been compromised, so implement a policy that requires new passwords immediately, sets requirements for password age and doesn’t allow password reuse.
      • Make sure your backups don’t use disk letters or any other method that allows access through the operating system. Backups must be managed by backup software that creates protected backups that cannot be otherwise accessed from the network.
      • Make sure you test the ability to recover your files to confirm that you really have a backup you can use. Then store those backups off-site in a cloud location or potentially in a physical vault.

      One reason to suspect North Korea in these attacks is that it’s their government hackers who have perfected the Ryuk ransomware. In addition, these attacks demand very large ransoms, and North Korea is in need of hard currency. A government-sponsored attack would serve multiple purposes.

      That being said, attribution for an attack like this is very difficult. It might not be North Korea, but that hardly matters. If you’re attacked by someone using Ryuk, it’s going to be very expensive.

      Wayne Rash
      https://www.eweek.com/author/wayne-rash/
      Wayne Rash is a freelance writer and editor with a 35-year history covering technology. He’s a frequent speaker on business, technology issues and enterprise computing. He is the author of five books, including his most recent, "Politics on the Nets." Rash is a former Executive Editor of eWEEK and a former analyst in the eWEEK Test Center. He was also an analyst in the InfoWorld Test Center and editor of InternetWeek. He's a retired naval officer, a former principal at American Management Systems and a long-time columnist for Byte Magazine.

      MOST POPULAR ARTICLES

      Big Data and Analytics

      Alteryx’s Suresh Vittal on the Democratization of...

      James Maguire - May 31, 2022 0
      I spoke with Suresh Vittal, Chief Product Officer at Alteryx, about the industry mega-shift toward making data analytics tools accessible to a company’s complete...
      Read more
      Cybersecurity

      Visa’s Michael Jabbara on Cybersecurity and Digital...

      James Maguire - May 17, 2022 0
      I spoke with Michael Jabbara, VP and Global Head of Fraud Services at Visa, about the cybersecurity technology used to ensure the safe transfer...
      Read more
      Applications

      Cisco’s Thimaya Subaiya on Customer Experience in...

      James Maguire - May 10, 2022 0
      I spoke with Thimaya Subaiya, SVP and GM of Global Customer Experience at Cisco, about the factors that create good customer experience – and...
      Read more
      Big Data and Analytics

      GoodData CEO Roman Stanek on Business Intelligence...

      James Maguire - May 4, 2022 0
      I spoke with Roman Stanek, CEO of GoodData, about business intelligence, data as a service, and the frustration that many executives have with data...
      Read more
      Cloud

      Yotascale CEO Asim Razzaq on Controlling Multicloud...

      James Maguire - May 5, 2022 0
      Asim Razzaq, CEO of Yotascale, provides guidance on understanding—and containing—the complex cost structure of multicloud computing. Among the topics we covered:  As you survey the...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2022 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×