Massive rise in Ryuk ransomware attacks detected worldwide

An astronomical rise in the use of the Ryuk ransomware by hackers to target organisations worldwide has resulted in a 40% surge in global ransomware attacks in the third quarter of 2020 compared to the same quarter last year.

According to security firm SonicWall, hackers have taken advantage of the increasing vulnerability of organisations worldwide due to the shift towards remote work as a result of the COVID-19 pandemic by carrying out ransomware attacks, particularly Ryuk ransomware attacks, on an unprecedented scale.

In the third quarter of this year, the firm recorded a 40% surge in global ransomware detections, taking the total number of detections to nearly 200 million worldwide. The Ryuk ransomware was by far the favourite ransomware variant for cyber criminals as Ryuk detections increased from a mere 5,123 in Q3 2019 to 67.3 million in Q3 2020, indicating that Ryuk attacks formed a third of all ransomware attacks in the quarter.

In the same period, hackers reduced their dependence on general malware, with SonicWall recording a 39% decline in malware attacks worldwide. Even though the number of malware detections has dropped for the third consecutive quarter, the firm still observed over 4.4 billion malware attacks in 2020 alone. This serves as a reminder that organisations should not take their eyes off malware attacks to concentrate on other threats.

Even though ransomware attacks have surged worldwide, driven by a major rise in the use of the Ryuk ransomware, the vast majority of ransomware attacks (145.2 million) targeted organisations in the United States. Strangely, ransomware detections fell by 32% in the UK, by 29% in India, and by 86% in Germany in Q3 2020.

“What’s interesting is that Ryuk is a relatively young ransomware family that was discovered in August 2018 and has made significant gains in popularity in 2020. The increase of remote and mobile workforces appears to have increased its prevalence, resulting not only in financial losses, but also impacting healthcare services with attacks on hospitals,” said Dmitriy Ayrapetov, Vice President, Platform Architecture at SonicWall.

“Ryuk is especially dangerous because it is targeted, manual and often leveraged via a multi-stage attack preceded by Emotet and TrickBot malware. Therefore, if an organisation has Ryuk, it’s a pretty good indication that it’s infested with several types of malware,” he added.

Rise in IoT malware attacks amidst the COVID-19 pandemic

Aside from observing a rise in ransomware attacks, SonicWall also observed a 19% increase in intrusion attempts (3.5 trillion), a 30% rise in IoT malware (32.4 million), 3% growth of encrypted threats (3.2 million), and 2% increase in cryptojacking attacks (57.9 million).

The firm opined that a major rise in the use of IoT malware by hackers this year is not an unexpected occurrence, as COVID-19 led to an unexpected flood of devices on networks, resulting in an increase of potential threats to companies fighting to remain operational during the pandemic.

The fact that most IoT devices, such as voice-activated smart devices, door chimes, TV cameras and appliances, are not designed with security as a top priority makes them even more susceptible to IoT malware attacks as well as intrusion attempts.

“Consumers need to stop and think if devices such as AC controls, home alarm systems or baby monitors are safely deployed. For optimum protection, professionals using virtual home offices, especially those operating in the C-suite, should consider segmenting home networks,” Ayrapetov said.

It can be said that the National Cyber Security Centre, the UK's cyber security watchdog, anticipated the threat posed by the Ryuk ransomware well in advance. As early as June last year, the NCSC issued a public advisory in which it warned organisations about Ryuk ransomware campaigns, some of which also involved the use of Emotet and TrickBot malware and their variants.

"When a Ryuk infection occurs, Emotet is commonly observed distributing Trickbot as part of the infection chain. Trickbot subsequently deploys additional post-exploitation tooling to enable their operations, including Mimikatz and PowerShell Empire modules.

"These facilitate credential harvesting, remote monitoring of the victim’s workstation, and performing lateral movement to other machines within a network. This initial infection enables the attacker to assess whether the machine presents a ransomware opportunity, and if so, to deploy Ryuk," NCSC said.
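The staged chain the NCSC describes (Emotet, then TrickBot, then post-exploitation tooling such as Mimikatz and PowerShell Empire, then Ryuk) is something a defender can turn into triage logic: a Ryuk detection on a host means the earlier stages almost certainly ran there too, and a host stuck at an earlier stage is a chance to contain before encryption. The script below is an added example, not code from the article, SonicWall or the NCSC. It assumes a hypothetical endpoint console exporting one JSON object per detection with `ts`, `host` and `family` fields; the family names and the sample log lines are constructed for illustration.

```python
"""
Triage helper for the Ryuk infection chain quoted above:
Emotet -> TrickBot -> post-exploitation tooling -> Ryuk.

Added example; not the article's, SonicWall's or the NCSC's code.
ASSUMPTION: detections arrive as JSON lines with "ts", "host", "family",
as a hypothetical EDR console might export them.
"""
import json
from collections import defaultdict

# Chain stages in the order the advisory describes them.
STAGES = ["emotet", "trickbot", "post_exploitation", "ryuk"]

# Assumed detection-family names (hypothetical EDR naming) -> chain stage.
FAMILY_TO_STAGE = {
    "Emotet": "emotet",
    "TrickBot": "trickbot",
    "Mimikatz": "post_exploitation",
    "PowerShellEmpire": "post_exploitation",
    "Ryuk": "ryuk",
}

# Constructed sample detections (not real telemetry).
SAMPLE_LOG = """\
{"ts": "2020-10-01T08:02:11Z", "host": "WS-017", "family": "Emotet"}
{"ts": "2020-10-01T09:40:05Z", "host": "WS-017", "family": "TrickBot"}
{"ts": "2020-10-02T22:15:30Z", "host": "WS-017", "family": "Mimikatz"}
{"ts": "2020-10-03T01:03:44Z", "host": "FS-02", "family": "Ryuk"}
{"ts": "2020-10-03T01:05:10Z", "host": "WS-017", "family": "Ryuk"}
{"ts": "2020-10-03T07:30:00Z", "host": "WS-042", "family": "Emotet"}
{"ts": "2020-10-03T07:31:00Z", "host": "WS-042", "family": "Adware.Generic"}
not json at all
"""


def parse_detections(text):
    """Parse JSON-lines detections; skip malformed lines and families outside the chain."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        stage = FAMILY_TO_STAGE.get(rec.get("family"))
        if stage is None or "ts" not in rec or "host" not in rec:
            continue
        events.append((rec["ts"], rec["host"], rec["family"], stage))
    return sorted(events)  # ISO-8601 timestamps sort lexically


def chain_progress(events):
    """Per host: furthest chain stage reached and the precursor families observed."""
    per_host = defaultdict(lambda: {"families": set(), "stages": set(), "ryuk_seen": None})
    for ts, host, family, stage in events:
        h = per_host[host]
        h["families"].add(family)
        h["stages"].add(stage)
        if stage == "ryuk" and h["ryuk_seen"] is None:
            h["ryuk_seen"] = ts
    summary = {}
    for host, h in per_host.items():
        furthest = max(h["stages"], key=STAGES.index)
        summary[host] = {
            "furthest_stage": furthest,
            "stage_index": STAGES.index(furthest),
            "precursors": sorted(f for f in h["families"] if f != "Ryuk"),
            "ryuk_seen": h["ryuk_seen"],
        }
    return summary


def triage_note(host_summary):
    """Defender's action for one host, following the advisory's logic."""
    if host_summary["furthest_stage"] == "ryuk":
        if host_summary["precursors"]:
            return "ryuk after " + ", ".join(host_summary["precursors"]) + \
                "; treat host as multiply infected and check peers it touched"
        # Ryuk with nothing before it: the precursors were missed, not absent.
        return "ryuk with no recorded precursors; hunt for Emotet/TrickBot on this host and its network"
    return "pre-ransomware stage (%s); contain now, before Ryuk is deployed" % host_summary["furthest_stage"]


def prioritise(summary):
    """Hosts furthest along the chain first (stable, so earlier-seen hosts tie-break first)."""
    return sorted(summary, key=lambda host: -summary[host]["stage_index"])


if __name__ == "__main__":
    report = chain_progress(parse_detections(SAMPLE_LOG))
    for host in prioritise(report):
        print("%-7s %-17s %s" % (host, report[host]["furthest_stage"], triage_note(report[host])))
```

The stage ordering is the key design choice: a host is ranked by the furthest stage it reached, not by how many detections it produced, so a single Ryuk hit on a file server outranks three precursor hits on a workstation, while the workstation that only shows Emotet is surfaced as the one still worth containing early.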


Copyright Lyonsdown Limited 2020