NCSC issued an emergency alert for Ryuk Ransomware that attacks globally

Ryuk ransomware attack

The UK National Cyber Security Center (NCSC) issued a warning for the Ryuk ransomware attack that actively aims at global Emotet and TrickBot malware organizations.

The researcher has found this ongoing ransomware infection identified with the Emotet and TrickBot infection in the various networks.

Ryuk Ransomware, initially uncovered in August 2018, has since infected various organizations and compromised them and stealed millions of dollars from victims.

Emotet is one of the world’s famous malware families which infects various victims and serves as a dropper for other Trojans ‘ initial stage infection.

Trickbot is a banking malware that robs applications of login credentials. The threat actors constantly add new capabilities to malware since it was discovered long ago.

Ryuk Ransomware using the malware TrickBot and Emotet targeting major organizations, and Ryuk is thought to be operated by GRIM SPIDER, a sophisticated hacking group.

The functionality of Ryuk Ransomware infection

Ryuk ransomware uses Emotet at the initial infection stage and examines the machine of the victim, whether or not it is vulnerable to the infection.

At the same time, Trickbot uses other post-exploitation tools, including powerful Mimikatz and PowerShell Empire modules, to allow their operations.

For credential collection and remote monitoring of the workstation of a victim, post-exploitation modules are used to infect a further system in the same network.

Emotet infected machines periodically check for command and control server modules (C2). These modules are typically DLLs or EXEs loaded on an infected system for capacity expansion.

All unexecutable file will be encrypted and the demand ransomware notes will be displayed in Bitcoin at the end of the infection process.

“Ryuk’s an ongoing infection. According to NCSC, The Ryuk ransomware itself does not have an ability to move sideways into a network, which is why access depends on a primary infection, but it does have the ability to enumerate and encrypt network shares The malware will attempt to stop certain antimalware software and to install the appropriate version of Ryuk depending on the architecture of the system. This, combined with the anti-forensic recovery use of the ransomware, makes it difficult to recover from backups.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.