Original Release Date: 4/22/2021
Ryuk ransomware threat actors are constantly evolving their tactics, techniques, and procedures (TTPs) in their campaigns. Security researchers discovered new trends in Ryuk ransomware attacks this year. Threat actors are conducting large-scale brute force and password spraying attacks, compromising exposed RDP connections, and spearphishing to distribute malware. Reconnaissance on the target is performed in two stages to determine valuable resources, find information on the organization’s revenue to set a ransom amount, and scan for security products to learn how to disable them. The latest technique is the use of KeeThief, an open-source tool used to extract credentials from the KeePass password manager that can bypass security defenses. Additional tools are used to extract admin credentials and move laterally through networks. The exploitation of vulnerabilities also provides a means to elevate permissions on compromised systems.
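The brute force, password spraying, and exposed-RDP activity described above leaves a distinctive pattern in authentication logs: one source failing against many accounts (spraying), one source failing repeatedly against a single account (brute force), and a success from a source that was already failing (a likely compromise). The following is an added example written for this advisory, not code from the NJCCIC or from the cited researchers. The log format, the sample lines, and the thresholds are constructed assumptions; a real deployment would parse Windows Security event 4625/4624 or RDP gateway logs instead.

```python
import re
from collections import defaultdict

# Constructed sample log (an assumption for this example): one line per
# authentication attempt against an RDP gateway, with timestamp, source IP,
# account name, and outcome. Source 203.0.113.5 sprays six accounts,
# 198.51.100.9 brute forces "admin" and then succeeds, and 192.0.2.44 is a
# user who mistyped a password once.
SAMPLE_LOG = """\
2021-04-20T10:00:01Z src=203.0.113.5 user=alice result=FAIL
2021-04-20T10:00:02Z src=203.0.113.5 user=bob result=FAIL
2021-04-20T10:00:03Z src=203.0.113.5 user=carol result=FAIL
2021-04-20T10:00:04Z src=203.0.113.5 user=dave result=FAIL
2021-04-20T10:00:05Z src=203.0.113.5 user=erin result=FAIL
2021-04-20T10:00:06Z src=203.0.113.5 user=frank result=FAIL
2021-04-20T10:01:00Z src=198.51.100.9 user=admin result=FAIL
2021-04-20T10:01:01Z src=198.51.100.9 user=admin result=FAIL
2021-04-20T10:01:02Z src=198.51.100.9 user=admin result=FAIL
2021-04-20T10:01:03Z src=198.51.100.9 user=admin result=FAIL
2021-04-20T10:01:04Z src=198.51.100.9 user=admin result=FAIL
2021-04-20T10:01:05Z src=198.51.100.9 user=admin result=SUCCESS
2021-04-20T10:02:00Z src=192.0.2.44 user=alice result=FAIL
2021-04-20T10:02:30Z src=192.0.2.44 user=alice result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse(log_text):
    """Parse the constructed log format into a list of event dicts,
    silently skipping lines that do not match."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def detect(events, spray_users=5, brute_fails=5):
    """Flag three patterns (thresholds are assumptions, tune to your volume):
    spray:       a source that failed against >= spray_users distinct accounts
    brute:       a (source, account) pair with >= brute_fails failures
    compromised: a SUCCESS from a source already flagged as spray or brute
    """
    users_per_src = defaultdict(set)
    fails_per_pair = defaultdict(int)
    for e in events:
        if e["result"] == "FAIL":
            users_per_src[e["src"]].add(e["user"])
            fails_per_pair[(e["src"], e["user"])] += 1

    spray = {src: len(u) for src, u in users_per_src.items() if len(u) >= spray_users}
    brute = {pair: n for pair, n in fails_per_pair.items() if n >= brute_fails}

    # A success from a source that was spraying or brute forcing is the
    # highest-priority alert: the account should be treated as compromised.
    suspicious_srcs = set(spray) | {src for src, _ in brute}
    compromised = []
    for e in events:
        if e["result"] == "SUCCESS" and e["src"] in suspicious_srcs:
            pair = (e["src"], e["user"])
            if pair not in compromised:
                compromised.append(pair)

    return {"spray": spray, "brute": brute, "compromised": compromised}


if __name__ == "__main__":
    findings = detect(parse(SAMPLE_LOG))
    for src, n in findings["spray"].items():
        print(f"password spray: {src} failed against {n} distinct accounts")
    for (src, user), n in findings["brute"].items():
        print(f"brute force: {src} failed {n} times against {user}")
    for src, user in findings["compromised"]:
        print(f"likely compromise: {src} succeeded as {user} after failures")
```

The thresholds deliberately separate the two behaviours: a spraying source trips the distinct-account count without ever tripping the per-account count, so a rule that only watches failures per account (the classic lockout rule) misses it. The single mistyped password from 192.0.2.44 produces no alert, which keeps the noise down in an environment where MFA and lockout policies are the primary controls.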
The NJCCIC recommends users implement a defense-in-depth cybersecurity strategy, keep hardware and software up to date, encrypt sensitive data, and ensure data is backed up and tested regularly as part of a comprehensive data backup plan. Additionally, enable multi-factor authentication (MFA) where available, avoid clicking links and opening attachments from unknown senders, and exercise caution with emails from known senders. More information and risk mitigation steps can be found in the Advanced Intelligence post. Further recommendations to reduce the risk of ransomware infections can be found in the NJCCIC Product, Ransomware: The Current Threat Landscape, and the NJCCIC Technical Guide, Ransomware: Risk Mitigation Strategies. Incidents may be reported to the local police department, the FBI, and the NJCCIC.