Ryuk ransomware is one of the most evasive ransomware families to date, run by a group called Wizard Spider, a Russia-based group also known for the Trickbot banking malware. Ryuk was first detected back in August 2018 but recently came into the spotlight again after it completed an attack within just 5 hours! The lightning-fast attack left the target unaware, with no time to mount countermeasures.

The name Ryuk comes from a ‘soul reaper’ in a famous Japanese anime. The Ryuk group gained popularity in 2019 and recently re-emerged. The actors behind Ryuk used the Zerologon privilege escalation bug (CVE-2020-1472), which was discovered in August this year. It is a flaw in Microsoft’s Active Directory Netlogon Remote Protocol that allows attackers to gain admin privileges without any credentials.

The Ryuk ransomware gang exploited the Zerologon bug to gain elevated privileges over the target domain, and within just 5 hours they were able to take complete control and shut down their target, deploying their ransomware not just on the main server and workstations but also on the backup servers, leaving the victim helpless and totally unaware.

What happened?

The attack started with a barrage of phishing emails sent to the employees. The phishing emails carried a version of the Bazar loader malware, a loader that runs scripts, commands, and binaries, kills processes, and then removes itself from the compromised machine. This allowed the attackers to get into the system undetected. They then exploited the Zerologon bug to gain admin privileges without any admin credentials, which let them disable the security alarms. It’s like something out of a Mission Impossible movie, done digitally. After disabling the security protections, they moved on to the workstations and backup servers. Finally, all that was left to do was to deploy the Ryuk ransomware executable, which encrypted all the files, potentially shutting down the whole system.

What devastates the target most is that their backup server was also compromised, which defeats the purpose of having a backup in the first place. This 5-hour, lightning-fast, record-breaking ransomware attack raised a major security concern.

What went wrong?

The Ryuk group was able to pull this off thanks to the Zerologon bug. Sad to say, bugs such as this are very common. Every time updates are rolled out to apps, software, and even operating systems, bugs can be present. Bugs are software flaws or faults in a computer program that cause incorrect or unexpected results. They can make certain devices behave abnormally and cause hiccups in the software you run. Bugs aren’t necessarily dangerous; most are merely annoying, or funny at times. However, bugs can be exploited for harm, and that is what happened with Zerologon. That is why Microsoft, upon detecting the bug in August, launched a patch to fix it on September 2.

What could have been done?

Unfortunately, some companies failed to roll the necessary update out to their entire system. The recent Ryuk attack happened in October, a month after the fix was released. That is why it is very important to always update your systems, because most updates contain bug fixes. Some might think they should not update in order to avoid such bugs, but not updating your system will do more harm than good. Security patches and new virus definitions are rolled out via updates. How could your antimalware learn of newly discovered malware if you don’t update it?

Another thing that could be done is to have or hire a dedicated team of security experts who watch out for these bugs and regularly check the system for suspicious behavior. Also, having an offline backup is one of the best countermeasures against ransomware: since offline backups are not connected to the rest of the system, attackers can’t reach them over the network. Also, take note that the attack started with phishing emails. Someone took the bait. It is important that we educate our system users on how to tell suspicious emails from legitimate ones.
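One concrete way that "checking the system for suspicious behavior" can look in the Zerologon case is reviewing the Netlogon events Microsoft added with the August patch (KB4557222): IDs 5827/5828 mean a vulnerable secure-channel connection was refused, 5829-5831 mean one was still allowed. The script below is an added example, not code from the original post; the JSON-lines export format and its field names are this example's own assumption, and the sample events are constructed.

```python
import json
from collections import Counter

# Netlogon event IDs from Microsoft's Zerologon guidance (KB4557222).
DENIED = {5827, 5828}         # vulnerable secure-channel connection refused
ALLOWED = {5829, 5830, 5831}  # vulnerable connection accepted (not enforcing)

# Constructed sample export of a domain controller's System log (JSON lines,
# field names are this example's own): one refusal, one unrelated event,
# one malformed line, and a burst of 25 allowed vulnerable connections.
SAMPLE_EVENTS = "\n".join([
    json.dumps({"ts": "2020-10-18T02:00:10", "id": 5827, "account": "LAPTOP07$", "ip": "10.0.5.17"}),
    json.dumps({"ts": "2020-10-18T02:00:12", "id": 7036, "account": "", "ip": "10.0.5.17"}),
    "{not valid json",
] + [
    json.dumps({"ts": f"2020-10-18T02:01:{s:02d}", "id": 5829, "account": "FILESRV02$", "ip": "10.0.9.44"})
    for s in range(5, 30)
])


def parse_events(text):
    """Parse a JSON-lines export into dicts, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a broken line should not abort the whole review
    return events


def triage(events, burst_threshold=10):
    """Summarise vulnerable-Netlogon events: which accounts are still using the
    weak handshake (they need fixing before enforcement is switched on) and which
    source IPs produced a burst of attempts (worth an immediate look)."""
    per_source = Counter()
    allowed, denied = set(), set()
    for e in events:
        eid = e.get("id")
        if eid in ALLOWED:
            allowed.add(e.get("account"))
        elif eid in DENIED:
            denied.add(e.get("account"))
        else:
            continue  # unrelated event ID
        per_source[e.get("ip")] += 1
    return {
        "allowed_accounts": sorted(allowed),
        "denied_accounts": sorted(denied),
        "burst_sources": {ip: n for ip, n in per_source.items() if n >= burst_threshold},
        "enforcement_gap": bool(allowed),  # any 5829-5831 means the DC still permits it
    }


if __name__ == "__main__":
    print(json.dumps(triage(parse_events(SAMPLE_EVENTS)), indent=2))
```

A DC that has applied the patch and moved to enforcement mode should log only 5827/5828 for stragglers; any 5829 after the September fix is a host that was never updated.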

The bottom line is, we have to take our cybersecurity seriously to save ourselves from greater loss.