The use of outdated malware by small-scale hacker groups is creating a new potential cybersecurity threat for organisations.
According to new research from cybersecurity experts Darktrace, a resurgence in Ryuk ransomware is a sign of a worrying new trend in cyberattacks.
Ryuk has been a widely used piece of ransomware for several years and has racked up millions of dollars in ransoms. It encrypts files and disables the Windows restore feature before demanding payment in Bitcoin.
Unlike more modern, highly automated threats, it tends to be used in small-scale, tailored attacks in which the operators pick out specific assets and resources on the network and encrypt them by hand.
As such, an attack requires a great deal of groundwork, including stealing credentials and performing reconnaissance on the network.
Ryuk has been linked to the Wizard Spider ransomware group, which has operated with alleged support from the Russian Government. It has also been connected to an earlier piece of malware, Hermes, which has been attributed to the North Korea-linked APT Lazarus Group.
Wizard Spider abandoned Ryuk in recent years, switching to a more advanced successor, Conti. Although it is now dated, Ryuk has been used against large targets such as city councils and major enterprises, including Germany's Justus Liebig University, which was caught up in a major botnet infection in Frankfurt.
According to Darktrace, it detected a new instance of Ryuk targeting a business in the APAC region. It soon became clear that Wizard Spider was not behind the attack and that the malware had instead been picked up by small-scale threat actors.
One of the victim's devices downloaded files from an unknown Russian IP address, the first sign that an attack was under way.
Those files allowed the malware to spread into the network, and within two days the attackers had brute-forced administrative credentials, giving them the access needed to move deeper into the environment.
Within an hour of that, the ransomware payload was downloaded onto the network and Ryuk began encrypting the organisation's files.
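The brute-forcing of administrative credentials is the step in this chain that a defender has the best chance of catching before encryption starts. The following is an added example, not code from the article or from Darktrace: a small detector that walks a stream of authentication events and raises an alert when an account sees a burst of failed logons followed by a success from the same source. The log format (timestamp, source IP, account, outcome), the sample lines, the five-failure threshold and the ten-minute window are all assumptions chosen for the illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of authentication events: "timestamp source_ip account outcome".
# These lines are made up for this example; they are not telemetry from the
# incident described above or from any real system.
SAMPLE_LOG = """\
2021-09-01T02:00:01 203.0.113.7 administrator FAIL
2021-09-01T02:00:03 203.0.113.7 administrator FAIL
2021-09-01T02:00:04 203.0.113.7 administrator FAIL
2021-09-01T02:00:06 203.0.113.7 administrator FAIL
2021-09-01T02:00:07 203.0.113.7 administrator FAIL
2021-09-01T02:00:09 203.0.113.7 administrator FAIL
2021-09-01T02:00:11 203.0.113.7 administrator SUCCESS
2021-09-01T02:05:00 10.0.0.5 j.smith FAIL
2021-09-01T02:05:20 10.0.0.5 j.smith SUCCESS
2021-09-01T03:00:00 198.51.100.9 backup_admin FAIL
2021-09-01T03:00:02 198.51.100.9 backup_admin FAIL
2021-09-01T03:00:04 198.51.100.9 backup_admin FAIL
2021-09-01T03:00:06 198.51.100.9 backup_admin FAIL
2021-09-01T03:00:08 198.51.100.9 backup_admin FAIL
2021-09-01T04:30:00 198.51.100.9 backup_admin SUCCESS
"""


def parse_events(text):
    """Parse the assumed whitespace-separated log format into sorted tuples
    of (timestamp, source_ip, account, outcome)."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, ip, user, outcome = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, outcome.upper()))
    # Sort so that the sliding window below sees events in time order.
    events.sort(key=lambda e: e[0])
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return one alert per (source_ip, account) pair that logged in
    successfully after at least `threshold` failures within `window`.

    Only a success preceded by a failure burst is reported, because that is
    the point at which the attacker actually holds working credentials.
    Failures older than `window` are forgotten, so a slow trickle of
    mistyped passwords does not accumulate into a false alert.
    """
    recent_failures = defaultdict(deque)  # (ip, user) -> timestamps of failures
    alerts = []
    for ts, ip, user, outcome in events:
        key = (ip, user)
        failures = recent_failures[key]
        # Drop failures that fell out of the window before this event.
        while failures and ts - failures[0] > window:
            failures.popleft()
        if outcome == "FAIL":
            failures.append(ts)
        elif outcome == "SUCCESS":
            if len(failures) >= threshold:
                alerts.append({
                    "source_ip": ip,
                    "account": user,
                    "failures": len(failures),
                    "first_failure": failures[0].isoformat(),
                    "success_at": ts.isoformat(),
                })
            # A success resets the counter either way.
            failures.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(parse_events(SAMPLE_LOG)):
        print(f"ALERT: {alert['account']} from {alert['source_ip']}: "
              f"{alert['failures']} failures then success at {alert['success_at']}")
```

On the sample above only the `administrator` burst from 203.0.113.7 is reported: `j.smith` has a single failure, and the five failures against `backup_admin` are followed by a success an hour and a half later, outside the window. In a real deployment the event source would be Windows Security log events or an authentication proxy's logs rather than a text blob, and the threshold should be tuned against the environment's normal failure rate.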
This points to Ryuk being available for purchase somewhere on the dark web, with attackers able to tailor the program to their needs.
Amid massive increases in both the volume and scale of ransomware attacks, headlines have focused on the major attacks of the last two years.
However, Darktrace warned that the resurgence of Ryuk shows that the tools are out there for players on limited budgets with relatively poor skills to pose a threat to many organisations.