According to a recent FBI Flash, Ryuk ransomware has hit more than 100 U.S. companies since August 2018, with a “disproportionate impact on logistics companies, technology companies, and small municipalities.”
The Flash, “provided in order to help cyber security professionals and system administrators to guard against the persistent malicious actions of cyber criminals,” seeks information from companies regarding Ryuk, which retains Hermes code. According to the Flash, once Ryuk is in the system, it deletes all files related to the intrusion, so it is impossible to identify the infection vector. It is able to steal credentials, and “in one case, the ransomware appears to have used unsecured or brute forced Remote Desktop Protocols (RDPs) to gain access. After the attacker has gained access to the victim network, additional network exploitation tools may be downloaded…” and “once executed, Ryuk establishes persistence in the registry, injects into running processes, looks for network connected file systems, and begins encrypting files.”
The attackers in the newest version of Ryuk provide email addresses to contact them to pay the ransomware and do not tell the victim how much ransomware is needed until the victim contacts them via email. Only then do they say how much bitcoin is necessary and provide a specific Bitcoin wallet where the payment is to be made and provides a sample decryption of two files to verify the files still exist.
The FBI says that it “does not encourage paying a ransom to criminal actors.” Instead, the FBI encourages all companies affected by ransomware to contact their local field office to report the event. The FBI is specifically seeking information on Ryuk, including:
- Recovered executable file
- Copies of the “read me” file—DO NOT REMOVE the file or decryption may not be possible
- Live memory (RAM) capture
- Images of infected systems
- Malware samples
- Log files
- E-mail addresses of the attackers
- A copy of the ransom note
- Ransom amount and whether or not the ransom was paid
- Bitcoin wallets used by the attackers
- Bitcoin wallets used to pay the ransom (if applicable)
- Names of any other malware identified on your system
- Copies of any communications with attackers
If you are a victim of a cyber-attack or ransomware, the FBI can be contacted through its 24/7 Cyber Watch at www.fbi.gov/contact-us/field or CyWatch@fbi.gov or (855)292-3937.