Ryuk is the most prevalent ransomware variant in the state, local, tribal, and territorial (SLTT) government sector. It is the number one reported variant of 2019, accounting for approximately a quarter of incidents reported to the MS-ISAC. Ryuk and ransomware infections in general continue to increase in tandem with their overall impact and monetary demands. Furthermore, Ryuk’s ability to delete shadow copies and backups makes a Ryuk infection extremely costly and almost impossible to remediate. For instance, an SLTT government paid approximately $600,000 after Ryuk encrypted nearly all the files on their network.
Ryuk uses an advanced three-tier encryption model to encrypt files until a ransom is paid. It is often dropped on a system by other malware (e.g., TrickBot) or delivered by cyber threat actors (CTAs) after they compromise a system via Remote Desktop Services. Once on a system, CTAs deploy Ryuk throughout the network using PowerShell, PsExec, or Group Policy, with the aim of infecting as many systems as possible.
|Publisher:||Cybersecurity and Infrastructure Security Agency (CISA)|
|Published:||January 24, 2020|
|Copyright:||© The Center for Internet Security, Inc. (CIS®)|