The infamous Ryuk ransomware has received an important update, equipping it with a new worm-like capability. The capability allows the ransomware to spread across compromised networks, making it even more dangerous.
Ryuk ransomware updated with new worm-like capability
The Ryuk ransomware operation is one of the most successful campaigns in terms of financial success. The cybercriminals behind it have made more than $150 million in Bitcoin from ransom payments, mostly made by organizations worldwide.
The new malicious capability in the ransomware was unearthed by ANSSI. “A Ryuk sample with worm-like capabilities allowing it to spread automatically within networks it infects, was discovered during an incident response handled by the ANSSI in early 2021,” the researchers share.
The report also warns that the ransomware remains active, targeting hospitals during the pandemic. Ryuk has been known to target other organizations as well, such as Georgia’s court system.
Ryuk’s ransomware capabilities
The ransomware contains a dropper that drops one of two versions of a data encryption module (32- or 64-bit) on the targeted system. Then, the dropper executes the payload. After a short pause, the ransomware stops more than 40 processes and 180 services, especially those related to antivirus software, databases, and backups, ANSSI warns. Persistence is achieved through the creation of a registry key.
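As an added example (not code from the article or from ANSSI), the following Python flags the two behaviours described above, a burst of service and process stops issued from one parent process followed by a registry autorun entry, in constructed log lines. The log format, the threshold, the process and service names, and the use of a Run key as the persistence location are assumptions made for illustration; the article does not name the key Ryuk creates.

```python
"""Flag a process that stops many services/processes in a short window and
then writes an autorun registry value. All log lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: time | event type | process id | command line or registry path
SAMPLE_LOG = """\
2021-02-01T10:00:00|proc|4120|net stop "ConstructedBackupSvc" /y
2021-02-01T10:00:01|proc|4120|net stop "ConstructedDbSvc" /y
2021-02-01T10:00:01|proc|4120|taskkill /IM constructed_av.exe /F
2021-02-01T10:00:02|proc|4120|sc stop "ConstructedAvSvc"
2021-02-01T10:00:03|proc|4120|taskkill /IM constructed_db.exe /F
2021-02-01T10:00:04|reg|4120|HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\constructed
2021-02-01T11:30:00|proc|900|net stop "ConstructedPrintSvc" /y
"""

# Commands that stop a service or kill a process (assumed patterns, not an exhaustive list)
STOP_RE = re.compile(r'^\s*(?:net\s+stop|sc\s+stop|taskkill)\b', re.I)
# Autorun location used as the assumed persistence indicator for this example
RUN_KEY_RE = re.compile(r'\\CurrentVersion\\Run\\', re.I)


def parse(log_text):
    """Yield (timestamp, event, pid, detail) tuples from the constructed format."""
    for line in log_text.splitlines():
        if line.strip():
            ts, event, pid, detail = line.split("|", 3)
            yield datetime.fromisoformat(ts), event, pid, detail


def detect(log_text, window=timedelta(seconds=60), min_stops=4):
    """Return {pid: {"stops": n, "persistence": bool}} for each process that
    issued at least `min_stops` stop/kill commands inside one `window`."""
    stops, persistence = defaultdict(list), set()
    for ts, event, pid, detail in parse(log_text):
        if event == "proc" and STOP_RE.match(detail):
            stops[pid].append(ts)
        elif event == "reg" and RUN_KEY_RE.search(detail):
            persistence.add(pid)
    alerts = {}
    for pid, times in stops.items():
        times.sort()
        best, lo = 0, 0
        for hi, t in enumerate(times):          # sliding window over sorted timestamps
            while t - times[lo] > window:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= min_stops:
            alerts[pid] = {"stops": best, "persistence": pid in persistence}
    return alerts


if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```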
In terms of encryption, Ryuk uses a combination of the symmetric (AES) and asymmetric (RSA) encryption algorithms. This combination not only encrypts the files but also protects the encryption key itself, making it impossible for a third party to decrypt the data.
Ryuk ransomware in past campaigns
One of Ryuk’s previous updates added an IP-blacklisting capability: the ransomware checked the output of the “arp -a” command for specific IP address strings.
If those strings were found, the ransomware would not encrypt the files on that computer. Encrypted files received the .RYK extension appended to their name, without any changes made to the original file name.