
Old Ransomware, New Tricks | Minor Hackers Pose Threat After Ryuk Attack

Michael Behr


ransomware cybersecurity malware Ryuk
While major cyber-threats may abandon their old malware, the hacker ecosystem means that these programs can be picked up and used by smaller groups.

The use of outdated malware by small-scale hacker groups is creating a new potential cybersecurity threat for organisations.

According to new research from cybersecurity experts Darktrace, a resurgence in Ryuk ransomware is a sign of a worrying new trend in cyberattacks.

Ryuk has been a popular piece of ransomware for many years, having racked up millions of dollars in ransoms. It encrypts files and disables Windows’ restore feature before demanding a ransom in Bitcoin.

Unlike more modern and advanced threats, it tends to be used in small-scale, tailored attacks. These see selected assets and resources encrypted manually during attacks.

As such, an attack requires a great deal of groundwork, including stealing credentials and performing reconnaissance on the network.

Ryuk has been linked to the Wizard Spider ransomware group, which has operated with alleged support from the Russian Government. However, it has also been connected to another piece of malware, Hermes, which has been attributed to the North Korea-linked APT Lazarus Group.

Wizard Spider abandoned Ryuk in recent years, switching to a more advanced successor program, Conti. Although Ryuk is now out of date, it has been used to attack large targets like city councils and major enterprises, including Germany’s Justus Liebig University, which was caught up in a major botnet infection in Frankfurt.


Darktrace said it detected a new instance of Ryuk targeting a business in the APAC region. It soon became clear that Wizard Spider were not behind the attack, but that the malware had been picked up by small-scale threat actors.

The victim had files downloaded onto one of their devices from an unknown Russian IP address, giving the first hint that an attack was being attempted.

These files allowed the malware to spread into the network, and within two days the cybercriminals had brute-forced administrative credentials, allowing them to penetrate it further.

Within an hour, the ransomware files were downloaded onto the victim’s network, and Ryuk encrypted the organisation’s files.
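The sequence described above (a download from an unfamiliar address, a brute-forced administrative login, then a further download within the hour) is the kind of chain a defender can correlate from ordinary logs. The following is an added example, not Darktrace’s or the article’s code; the log formats, the allow-list of known remote addresses, and the thresholds are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

AUTH_RE = re.compile(r"^(\S+) (\S+) auth (failed|success) user=(\S+) src=(\S+)$")
DL_RE = re.compile(r"^(\S+) (\S+) download remote=(\S+) file=(\S+)$")
# Constructed sample logs (not from the article): five failed logins to the admin
# account from one source, a success, then a download from an unfamiliar address.
AUTH_LOG = [
    "2023-05-02T01:00:01 srv1 auth failed user=administrator src=10.0.0.9",
    "2023-05-02T01:00:04 srv1 auth failed user=administrator src=10.0.0.9",
    "2023-05-02T01:00:07 srv1 auth failed user=administrator src=10.0.0.9",
    "2023-05-02T01:00:10 srv1 auth failed user=administrator src=10.0.0.9",
    "2023-05-02T01:00:13 srv1 auth failed user=administrator src=10.0.0.9",
    "2023-05-02T01:00:16 srv1 auth success user=administrator src=10.0.0.9",
    "2023-05-02T09:30:00 srv1 auth failed user=alice src=10.0.0.7",
    "2023-05-02T09:30:05 srv1 auth success user=alice src=10.0.0.7",
]
DOWNLOAD_LOG = [
    "2023-05-02T01:20:00 srv1 download remote=198.51.100.42 file=update.exe",
    "2023-05-02T10:00:00 ws7 download remote=203.0.113.10 file=report.pdf",
]
KNOWN_REMOTES = {"203.0.113.10"}  # assumed allow-list of expected external peers

def brute_force_successes(lines, threshold=5, window=timedelta(minutes=10)):
    """Successful logins preceded by >= threshold failures for the same user/source within window."""
    failures, hits = defaultdict(list), []
    for line in lines:
        m = AUTH_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1))
        host, outcome, user, src = m.groups()[1:]
        if outcome == "failed":
            failures[(user, src)].append(ts)
        elif sum(ts - t <= window for t in failures[(user, src)]) >= threshold:
            hits.append((ts, host, user, src))
    return hits

def unknown_downloads(lines, known=KNOWN_REMOTES):
    """Downloads whose remote address is not on the allow-list: (time, host, remote, file)."""
    return [(datetime.fromisoformat(m.group(1)),) + m.groups()[1:]
            for m in map(DL_RE.match, lines) if m and m.group(3) not in known]

def correlate(auth_lines, dl_lines, follow=timedelta(hours=1)):
    """Alert when a brute-forced login is followed within `follow` by an unknown-source download."""
    return [{"user": u, "login_src": s, "host": dh, "remote": r, "file": f}
            for ts, h, u, s in brute_force_successes(auth_lines)
            for dts, dh, r, f in unknown_downloads(dl_lines)
            if timedelta(0) <= dts - ts <= follow]
```

Alice’s single failed login stays below the threshold and raises nothing, while the administrator login followed by the download from 198.51.100.42 produces one alert.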

This points to it being available to purchase somewhere on the Dark Web, with cyberattackers able to tailor the program to their needs.

Amid massive increases in both the volume and scale of ransomware attacks, headlines have focused on the major attacks of the last two years.

However, Darktrace warned that the resurgence of Ryuk shows that the tools are out there for players on limited budgets with relatively poor skills to pose a threat to many organisations.


Michael Behr

Senior Staff Writer
