Sophos uncovers multi-faceted techniques attackers use in new Ryuk ransomware

Security researchers at Sophos, a cybersecurity solutions firm, deconstructed a recent attack involving Ryuk ransomware and found that the attackers’ techniques were versatile, adapting flexibly to the situations they encountered.

(Ryuk is a character in the manga and anime “Death Note.” He is a Shinigami or God of Death.)

The continued rise in ransomware attacks and how criminals also display adaptability to organizations’ defenses put pressure on IT security teams, as stated in SophosLabs Uncut’s recent article titled “Inside a New Ryuk Ransomware Attack.” The article deconstructs a recent attack involving Ryuk ransomware.

Sophos incident responders found that the Ryuk attackers used updated versions of widely available and legitimate tools to compromise a targeted network and deploy ransomware. Unusually, the attack progressed at great speed — within three and a half hours of an employee opening a malicious phishing email attachment, the attackers were already actively conducting network reconnaissance. Within 24 hours, the attackers had access to a domain controller and were preparing to launch Ryuk.

“Our investigation of the recent Ryuk ransomware attack highlights what defenders are up against,” said Chester Wisniewski, principal research scientist at Sophos. “IT security teams need to be on full alert 24 hours a day, seven days a week, and have a full grasp of the latest threat intelligence on attacker tools and behaviors.”

Security posture

Sophos’ latest global survey found that organizations are “never the same after being hit by ransomware.”

The confidence of IT managers and their approach to battling cyberattacks differ significantly depending on whether or not their organization has been attacked by ransomware. To illustrate, IT managers at organizations hit by ransomware are nearly three times as likely to feel “significantly behind” when it comes to understanding cyber threats, compared to their peers in organizations that were unaffected (17% vs 6%).

“The survey findings illustrate clearly the impact of these near-impossible demands,” Wisniewski said. “Among other things, those hit by ransomware were found to have severely undermined confidence in their own cyber threat awareness. However, their ransomware experiences also appear to have given them a greater appreciation of the importance of skilled cybersecurity professionals, as well as a sense of urgency about introducing human-led threat hunting to better understand and identify the latest attacker behavior.”

After an attack, organizations are expected to either change or tighten their security posture.

Cybersecurity skills shortage

On security focus, the survey found that ransomware victims spend proportionally less time on threat prevention (42.6%) and more time on response (27%) than those who haven’t been hit (49% and 22% respectively), diverting resources toward dealing with incidents rather than stopping them in the first place.

On top of persistent cyberattacks, a skills shortage is another challenge many organizations face. The survey revealed that more than one third (35%) of ransomware victims said that recruiting and retaining skilled IT security professionals was their single biggest cybersecurity challenge, compared with just 19% of those who hadn’t been hit.

The “Cybersecurity: The Human Challenge” survey was conducted by Vanson Bourne, an independent specialist in market research, in January and February 2020. The survey interviewed 5,000 IT decision-makers in 26 countries and all respondents were from organizations with between 100 and 5,000 employees.