It was recently discovered that a new Ryuk variant lists all the IP addresses in the local ARP cache to propagate itself over the local network, and sends what looks like Wake-on-LAN (WOL) packets to each of the discovered devices, BleepingComputer writes. It then multiplies all sharing resources it finds for each device so that it can encrypt the contents.


As defined in our Cybersecurity glossary,

Ransomware is a type of malware (malicious software) that encrypts all the data on a PC or mobile device, blocking the data owner’s access to it. After the infection happens, the victim receives a message that tells him/her that a certain amount of money must be paid (usually in Bitcoins) in order to get the decryption key. Usually, there is also a time-limit for the ransom to be paid. There is no guarantee that if the victim pays the ransom, he/she will get the decryption key. The most reliable solution is to back up your data in at least 3 different places (for redundancy) and keep those backups up to date, so you don’t lose important progress.

Ryuk is a type of ransomware used in targeted attacks, where the threat actors ensure that important files are encrypted so they can request large ransom amounts. A typical Ryuk ransom demand can amount to a few hundred thousand dollars.

The hackers behind Ryuk have given the new variant worm-like abilities, quite similar to how the Emotet Trojan started earlier. These abilities allow the malware to spread to other devices on the victim’s local network. The spread is concealed through a Windows auxiliary function. In a report on Ryuk, ANSSI notes:

Supported by planned tasks, the malware spreads – from computer to computer – within the Windows domain. Once started, Ryuk spreads itself to every accessible machine on which Windows RPC access is possible.

Back in 2018, Ryuk entered the ransomware scene with a series of attacks on several American news publications as well as North Carolina’s Onslow Water and Sewer Authority. The systems they targeted were first infected with Emotet or TrickBot, two data-stealing Trojans now being used to deliver other forms of malware such as Ryuk. It is speculated that both Emotet and TrickBot are being used to find high-value targets. Immediately after a system is infected and flagged as a good target for ransomware, Emotet/TrickBot re-infects the system with Ryuk.

Heimdal Official Logo
Your perimeter network is vulnerable to sophisticated attacks.

Heimdal® Threat Prevention - Network

Is the next-generation network protection and response solution that will keep your systems safe.
  • No need to deploy it on your endpoints;
  • Protects any entry point into the organization, including BYODs;
  • Stops even hidden threats using AI and your network traffic log;
  • Complete DNS, HTTP and HTTPs protection, HIPS and HIDS;
Try it for FREE today 30-day Free Trial. Offer valid only for companies.

Ryuk’s ability to multiply and encrypt the drives of remote computers was already noted last year. But things have changed in the meantime and Ryuk is now able to copy itself onto other systems. What is more, the TRojan can use scheduled tasks created on a compromised network host to run itself remotely.

According to ANSSI, solutions are still being pursued, but one way to address the problem could be to change the password or disable the user account (depending on the account used), followed by a double KRBTGT domain password change. This would cause a lot of disruption in the domain – and most likely a lot of reboots, but it would also curb the spread immediately.

Ryuk Ransomware: Origins, Operation Mode, Mitigation

Leave a Reply

Your email address will not be published. Required fields are marked *