A Ryuk ransomware attack accidentally caused by a student who was only trying to save money by buying unlicensed software led to a European biomolecular research institute losing seven days’ worth of research data.

According to cybersecurity specialists, the student who had access to a European research institute’s network exposed his login record after installing pirated software that turned out to be password-stealing malware.

Ryuk ransomware, very dangerous ransomware that is constantly evolving, has been targeting hospital and healthcare providers over the last year, but we don’t know for sure how it gets into networks in the first place, varying from attack to attack.

In this case, security specialists determined that the initial point-of-entry for hackers was an RDP session using a student’s credentials.

It is well known that software cracks are illegal and a very common source of malware infections. Hackers create false software crack download websites, torrents to spread malware, and online videos all the time.

Fake crack site distributing ransomware


The affected research institute is involved in COVID-19 related research together with other scientific activities. The unknown institute had close partnerships with local universities, enabling students to connect to the facility’s internal network via remote access.

The unnamed student was looking for an expensive data visualization software that would have cost hundreds of dollars every year if licensed. After asking on a forum for a free option, the student accidentally picked a cracked version.

As cracked software, altered to remove elements such as trial expiration dates, is considered dubious, antivirus software will usually indicate and block its execution.

In this case, Windows Defender activated, and so the student deactivated the software as well as their firewall.

Nevertheless, instead of launching the software they wanted, the executable loaded a Trojan which collected the student’s access credentials to the biomolecular institute’s network.

Two weeks after the incident, a remote desktop protocol (RDP) connection was noticed by the institute, utilizing the student’s information, using the name “Totoro,” — an anime character from a 1988 film.

It is unlikely that the operators behind the ‘pirated software’ malware are the same as the ones who launched the Ryuk attack. The underground market for previously compromised networks offering attackers easy initial access is thriving, so we believe that the malware operators sold their access on to another attacker. The RDP connection could have been the access brokers testing their access.


If Ryuk ransomware has been deployed on a network, protection at the storage level is essential to make sure data remains safe and available.

Enterprises can prevent threat actors from encrypting or deleting files by keeping a permanent backup copy of data. This way, they have an unencrypted copy for restore in case of a ransomware attack, enabling them to access their data without having to pay a ransom.

Ryuk Ransomware: Origins, Operation Mode, Mitigation

New Ryuk Ransomware Hacking Techniques Revealed

Ryuk Ransomware Hits 700 Spanish Government Labor Agency Offices

Leave a Reply

Your email address will not be published. Required fields are marked *