A US Coast Guard facility was hit by the Ryuk ransomware, shutting down its systems for around 30 hours. Early analysis attributed Ryuk to the North Korean Lazarus group because of code it shares with the older Hermes ransomware, but that attribution has since been revised.
The same ransomware has since been linked to a Russian criminal group called Wizard Spider. In most of its operations the threat actors target an employee with a phishing email to gain an initial foothold, then spread malware through the network to do further damage. Ryuk's end goal is to encrypt files and deny the owner access to them.
Image source: www.bleepingcomputer.com
According to the report, a US Coast Guard facility at an unnamed location experienced a sudden shutdown of its systems. What was first taken for a minor incident turned out to be an attack by a sophisticated group, and the affected systems were only recovered more than 30 hours after the attack.
A forensic analysis conducted by the US Coast Guard found that the Ryuk ransomware probably entered the Maritime Transportation Security Act (MTSA) regulated facility through a phishing campaign, with an employee's email as the entry point.
The report did not say whether this was a broadcast (untargeted) phishing campaign, but once the employee clicked the malicious link embedded in the email, the malware gained a foothold and spread, giving the attackers access to significant parts of the enterprise information technology (IT) network.
After propagating through the network it encrypted files, locking officials out of them. Encrypted files can only be recovered with the decryption key, which the attackers hand over only after a ransom is paid, or by restoring from backups the malware could not reach. The facility's management did not say whether a ransom was paid or when the attack was launched, only that the encrypted files had been recovered.
Cybercrime was a constant throughout 2019, and most of the incidents hit companies that had not backed up their data, had not invested in proper security tooling, or offered no security training to their staff. A company with a complete, intact backup can refuse to pay. Some ransomware operators counter this by threatening to send stolen files to the victim's competitors if the ransom is not paid.
Image Source: www.cnet.com
The hackers behind this attack are not interested in small ransoms. Ryuk's operators have made millions of dollars since the ransomware became active in 2018, and many notable attacks have been linked to it. An attack on Virtual Care Provider in November 2019 heavily affected services and shut down its servers.
According to reports, 110 nursing facilities lost access to patient records, internet, and other data while the attackers demanded a total of $14 million for the decryption key. It was not stated whether the amount was paid.
The Rise of Ryuk Ransomware
Ryuk first appeared in August 2018. It was initially linked to the Lazarus group, but has since been associated with many attacks by the Russian group Wizard Spider. The operators demand high ransoms from multimillion-dollar companies.
According to some reports, the FBI has said that the Russia-based operators have struck over 100 organizations with Ryuk since August 2018. Their targets span many industries, but the primary ones have been logistics companies, technology companies and small municipalities.
Identifying Ryuk's infection vector is reported to be difficult because it deletes its droppers after execution. Its common behaviours are evading antivirus products, terminating processes and stopping services (including backup and database services, so that the files they hold open can be encrypted), maintaining persistence on the infected machine, and hiding as a legitimate process by injecting into Windows processes. It also disables system recovery options and encrypts files; the information theft associated with Ryuk intrusions is usually carried out by the loader that delivers it, before the ransomware itself runs.
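The behaviours listed above (service stops and process kills before encryption, recovery tampering, Run-key persistence, self-deleting droppers, and the Office-spawns-script pattern of the phishing stage) are each noisy on their own but rarely occur together on one host within minutes. The script below, an added example that is not code from the article or from any vendor report, hunts for that combination in process-creation events. The events are constructed in the style of Sysmon Event ID 1 (timestamp, host, parent image, command line); the command strings, the five-commands-in-60-seconds threshold and the severity weights are assumptions chosen for illustration, not indicators taken from a real incident.

```python
"""Hunt for Ryuk-style pre-encryption behaviour in process-creation logs.

Added example, not from the article. Events are constructed; command strings,
thresholds and scores are assumptions for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, host, parent_image, command_line).
SAMPLE_EVENTS = [
    # Phishing lure: an Office document spawning an encoded PowerShell loader.
    ("2019-12-10T09:00:04", "WS01", "WINWORD.EXE", "powershell.exe -nop -w hidden -enc SQBFAFgA"),
    # Burst of service stops / process kills to release file locks before encryption.
    ("2019-12-10T09:01:10", "WS01", "rundll32.exe", "cmd.exe /c net stop SQLBrowser /y"),
    ("2019-12-10T09:01:10", "WS01", "rundll32.exe", "cmd.exe /c net stop SQLWriter /y"),
    ("2019-12-10T09:01:11", "WS01", "rundll32.exe", "cmd.exe /c net stop MSSQLSERVER /y"),
    ("2019-12-10T09:01:11", "WS01", "rundll32.exe", "cmd.exe /c net stop BackupAgentSvc /y"),
    ("2019-12-10T09:01:12", "WS01", "rundll32.exe", "cmd.exe /c taskkill /IM sqlservr.exe /F"),
    ("2019-12-10T09:01:12", "WS01", "rundll32.exe", "cmd.exe /c taskkill /IM outlook.exe /F"),
    # Recovery tampering: shadow copies deleted, boot-time recovery disabled.
    ("2019-12-10T09:01:15", "WS01", "rundll32.exe", "vssadmin.exe Delete Shadows /all /quiet"),
    ("2019-12-10T09:01:16", "WS01", "rundll32.exe", "bcdedit /set {default} recoveryenabled No"),
    # Persistence via a Run key, then the dropper deletes itself.
    ("2019-12-10T09:01:20", "WS01", "rundll32.exe",
     "reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v svchos /t REG_SZ /d C:\\Users\\Public\\lan.exe"),
    ("2019-12-10T09:01:25", "WS01", "lan.exe", "cmd.exe /c del /f C:\\Users\\jdoe\\AppData\\Local\\Temp\\dropper.exe"),
    # Benign noise on another host: an admin restarting one service.
    ("2019-12-10T10:31:00", "WS02", "services.exe", "net stop Spooler /y"),
    ("2019-12-10T10:31:05", "WS02", "services.exe", "net start Spooler"),
]

# One pattern per behaviour. The command forms are typical of this malware family
# (assumption for illustration); tune them to the tooling in your own telemetry.
SERVICE_KILL = re.compile(r"\b(?:net1?\s+stop|sc\s+stop|taskkill)\b", re.I)
RECOVERY_TAMPER = re.compile(
    r"vssadmin(?:\.exe)?\s+delete\s+shadows|wmic\s+shadowcopy\s+delete|"
    r"bcdedit(?:\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no", re.I)
RUN_KEY = re.compile(r"\breg(?:\.exe)?\s+add\s+\S*\\CurrentVersion\\Run\b", re.I)
SELF_DELETE = re.compile(r"\bcmd(?:\.exe)?\s+/c\s+del\b.*\.exe\b", re.I)
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_CHILD = re.compile(r"^(?:powershell|pwsh|cmd|wscript|cscript|mshta)(?:\.exe)?\b", re.I)

KILL_BURST_THRESHOLD = 5          # assumed: 5+ stop/kill commands ...
KILL_BURST_WINDOW = timedelta(seconds=60)   # ... within one minute on one host

SEVERITY = {                      # assumed weights; recovery tampering is the strongest signal
    "phish_macro_child": 2, "service_kill_burst": 3, "recovery_tamper": 4,
    "run_key_persistence": 2, "dropper_self_delete": 2,
}


def hunt(events):
    """Return {host: [(finding_kind, evidence), ...]} for hosts with any finding."""
    findings = defaultdict(list)
    kill_times = defaultdict(list)
    for ts, host, parent, cmd in events:
        when = datetime.fromisoformat(ts)
        if parent.lower() in OFFICE_PARENTS and SCRIPT_CHILD.match(cmd):
            findings[host].append(("phish_macro_child", cmd))
        if RECOVERY_TAMPER.search(cmd):
            findings[host].append(("recovery_tamper", cmd))
        if RUN_KEY.search(cmd):
            findings[host].append(("run_key_persistence", cmd))
        if SELF_DELETE.search(cmd):
            findings[host].append(("dropper_self_delete", cmd))
        if SERVICE_KILL.search(cmd):
            kill_times[host].append(when)      # counted per host below, not flagged per line
    # A single "net stop" is routine admin work; a burst of them is the ransomware signature.
    for host, times in kill_times.items():
        times.sort()
        for i, start in enumerate(times):
            n = sum(1 for t in times[i:] if t - start <= KILL_BURST_WINDOW)
            if n >= KILL_BURST_THRESHOLD:
                findings[host].append(("service_kill_burst",
                                       f"{n} stop/kill commands within {KILL_BURST_WINDOW.seconds}s"))
                break
    return dict(findings)


def risk_score(host_findings):
    """Sum the severity of every finding on one host."""
    return sum(SEVERITY[kind] for kind, _ in host_findings)


def hosts_to_isolate(findings, threshold=6):
    """Hosts whose combined score justifies pulling them off the network now."""
    return sorted(h for h, f in findings.items() if risk_score(f) >= threshold)


if __name__ == "__main__":
    result = hunt(SAMPLE_EVENTS)
    for host, host_findings in result.items():
        print(f"{host}: score {risk_score(host_findings)}")
        for kind, evidence in host_findings:
            print(f"  [{kind}] {evidence}")
    print("isolate:", hosts_to_isolate(result))
```

The burst rule is what keeps the false-positive rate down: WS02's single `net stop Spooler` is ignored, while WS01's six stop/kill commands in two seconds, combined with shadow-copy deletion and a Run-key write, push it well past the isolation threshold. Because Ryuk deletes its dropper, the process-creation record of that `del` is often the only trace of the initial binary, which is why the self-delete rule is worth keeping even though it carries a low weight.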
Its impact on affected organizations is data loss and financial loss. The data loss comes from important files and documents being encrypted; the financial loss comes from the large sums the attackers demand to decrypt them, on top of the cost of the outage itself, which in this case lasted more than 30 hours.
Since Ryuk is good at bypassing antivirus products, it is very difficult to deal with once it is running. To stand a chance against the hackers behind it, back up your data and make sure the backups are not reachable through the operating system of the machines being protected: no mapped drive letters and no writable network shares, because the ransomware encrypts everything it can reach, backups included. Test that the backup is complete and can actually be restored, then keep a copy offline in a physical vault or in a cloud location that the production credentials cannot delete or overwrite.
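"Test the backup" means more than checking that the job finished: it means hashing what was written, restoring it somewhere and verifying the restored copy, and being able to tell when a backup that was reachable from the network has itself been encrypted. The script below is an added example, not code from the article; it backs up a constructed directory, writes a SHA-256 manifest, performs a test restore, and then simulates ransomware reaching a writable backup copy to show that the verification catches it. All paths, contents and the tampering are constructed for the demo.

```python
"""Prove a backup is restorable and untouched before relying on it.

Added example, not from the article. Data, paths and the simulated tampering
are constructed for the demonstration.
"""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.json"


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src: Path, dst: Path) -> dict:
    """Copy the src tree into dst and record a hash of every file as written.

    Keep a second copy of the returned manifest somewhere the backup host cannot
    write (or sign it): a manifest that lives only next to the data can be
    rewritten by the same malware that encrypts the data.
    """
    manifest = {}
    for p in sorted(src.rglob("*")):
        if p.is_file():
            rel = p.relative_to(src).as_posix()
            target = dst / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(p, target)
            manifest[rel] = sha256_file(target)   # hash the copy, not the source
    (dst / MANIFEST_NAME).write_text(json.dumps(manifest, indent=1))
    return manifest


def verify_backup(location: Path, manifest=None) -> list:
    """Return the problems found (missing or altered files); an empty list means OK.

    Pass the trusted, separately stored manifest when you have it. Falling back
    to the copy inside the backup only detects accidental damage.
    """
    if manifest is None:
        manifest = json.loads((location / MANIFEST_NAME).read_text())
    problems = []
    for rel, digest in manifest.items():
        p = location / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(p) != digest:
            problems.append(f"modified: {rel}")
    return problems


def trial_restore(backup: Path, scratch: Path, manifest) -> list:
    """Restore into a scratch directory and verify the restored copy.

    Verifying the restore, not just the backup, is the only way to know the
    backup can actually be used when the production files are gone.
    """
    shutil.copytree(backup, scratch)
    return verify_backup(scratch, manifest)


def demo() -> dict:
    """Run the full cycle on constructed data; returns the three verification results."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        live, backup, scratch = root / "live", root / "backup", root / "restore"
        (live / "reports").mkdir(parents=True)
        (live / "reports" / "vessel_schedule.csv").write_text("constructed,sample,data\n")
        (live / "notes.txt").write_text("constructed sample note\n")

        trusted = make_backup(live, backup)      # the copy of the manifest kept off the backup host
        clean = verify_backup(backup, trusted)
        restored = trial_restore(backup, scratch, trusted)

        # Simulate ransomware that could reach the backup share: one file overwritten
        # with ciphertext-like bytes, one renamed with the .RYK extension Ryuk appends.
        (backup / "notes.txt").write_bytes(os.urandom(64))
        (backup / "reports" / "vessel_schedule.csv").rename(
            backup / "reports" / "vessel_schedule.csv.RYK")
        after_tamper = verify_backup(backup, trusted)
        return {"clean": clean, "restored": restored, "after_tamper": after_tamper}


if __name__ == "__main__":
    for stage, problems in demo().items():
        print(f"{stage}: {'OK' if not problems else problems}")
```

Run on a schedule against the offline or cloud copy, the `after_tamper` result is the early warning the article's advice is aiming for: an encrypted or renamed backup file shows up as `modified` or `missing` long before anyone needs the backup. Hashing the written copy rather than the source is deliberate; it catches a backup target that silently truncates or corrupts files, which a job-completed status never will.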
Disclaimer: Darkweblink.com does not promote or endorse claims that have been made by any parties in this article. The information provided here is for general information only and is not intended to promote or support the purchase and/or sale of any products or services, or to serve as a recommendation to do so. Neither Darkweblink.com nor any member is responsible, directly or indirectly, for any loss or damage caused or alleged to be caused by or in relation to the reliance on or use of any content, goods or services mentioned in this article.