In early 2021, security researchers spotted a new variant of the known Ryuk ransomware with worm-like capabilities that allow it to move laterally within infected networks.
Ryuk ransomware has been active since at least 2018, and many experts have linked it to Russian cybercriminals. The ransomware has been used in many attacks on large organizations, and researchers estimate that the hackers have extracted at least $150 million from their victims.
Additionally, Ryuk ransomware is associated with the TrickBot malware, allegedly operated by the same gang. Nevertheless, the ransomware attacks continued even after an attempt to take down TrickBot.
The ransomware has also been associated with Emotet and BazarLoader.
In a recent report, the French National Agency for the Security of Information Systems (ANSSI) stated that it has identified a new variant of Ryuk that spreads automatically within infected networks, like a worm.
Until now, the ransomware relied mainly on other malware for initial deployment and showed no signs of worm-like capabilities (although it could encrypt data on network shares and removable drives).
Ryuk uses a combination of symmetric (AES) and asymmetric (RSA) algorithms for encryption, stops processes on the infected system, appends the .RYK extension to encrypted files, wakes up workstations using the Wake-on-LAN feature, and destroys all shadow copies so that the victims cannot recover their data.
The new version of Ryuk has all the features and functions found in typical ransomware, but it also has the ability to spread within the network in the same way that a worm does.
To spread to other machines, the ransomware copies its executable to discovered network shares with a rep.exe or lan.exe suffix and then creates a scheduled task on the remote machine.
"Through the use of scheduled tasks, the malicious software spreads - from machine to machine - within the Windows domain. Once launched, it will spread to any accessible machine on which Windows RPC access is enabled," explains ANSSI.
The French agency also noted that the new worm variant of Ryuk ransomware probably does not include a mechanism to prevent it from running more than once, which means that the same device could be infected multiple times.
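The two observable traces the article describes (an executable with a rep.exe or lan.exe suffix written to a network share, followed by a scheduled task created on a remote machine from the same source host, possibly repeated against the same target because there is no execution guard) can be correlated in a SIEM. The following detection sketch is an added example for defenders, not code from ANSSI or from the Security Week report; the log format, field names, the 15-minute correlation window and the sample log lines are all constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real telemetry): share writes and scheduled-task
# registrations as a SIEM might normalise them. Field names are an assumption.
SAMPLE_LOGS = [
    r"2021-02-25T10:01:02Z host=WS01 event=file_create path=\\FS01\public\docsrep.exe",
    r"2021-02-25T10:01:05Z host=WS01 event=schtask_create target=WS02 task=Update",
    r"2021-02-25T10:01:07Z host=WS01 event=file_create path=\\WS03\C$\tools\lan.exe",
    r"2021-02-25T10:01:09Z host=WS01 event=schtask_create target=WS03 task=Update",
    r"2021-02-25T10:05:00Z host=WS05 event=file_create path=\\FS01\public\report.docx",
    r"2021-02-25T10:06:00Z host=ADMIN1 event=schtask_create target=WS09 task=Backup",
    r"2021-02-25T10:10:00Z host=WS01 event=schtask_create target=WS02 task=Update",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+)(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

# File-name suffixes named in the ANSSI description of the worm variant.
SUSPICIOUS_SUFFIXES = ("rep.exe", "lan.exe")
# Assumption for this example: share write and remote task within 15 minutes.
WINDOW = timedelta(minutes=15)


def parse_line(line):
    """Parse one normalised log line into a dict; return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ"),
        "host": m.group("host"),
        "event": m.group("event"),
    }
    rec.update(dict(KV_RE.findall(m.group("rest"))))
    return rec


def is_share_copy(rec):
    """Executable with a rep.exe / lan.exe suffix written to a UNC path."""
    path = rec.get("path", "")
    return (rec["event"] == "file_create"
            and path.startswith("\\\\")
            and path.lower().endswith(SUSPICIOUS_SUFFIXES))


def is_remote_task(rec):
    """Scheduled task registered on a machine other than the one issuing it."""
    return rec["event"] == "schtask_create" and rec.get("target", "") != rec["host"]


def analyse(lines):
    records = [r for r in map(parse_line, lines) if r]
    copies = [r for r in records if is_share_copy(r)]
    tasks = [r for r in records if is_remote_task(r)]

    # A source host that dropped a suspicious executable on a share and then
    # registered scheduled tasks on other machines shortly afterwards.
    spreaders = set()
    for c in copies:
        for t in tasks:
            if t["host"] == c["host"] and c["ts"] <= t["ts"] <= c["ts"] + WINDOW:
                spreaders.add(c["host"])

    # The same source targeting the same machine more than once is consistent with
    # the missing execution guard ANSSI describes (one device infected repeatedly).
    hits = defaultdict(int)
    for t in tasks:
        hits[(t["host"], t["target"])] += 1
    repeats = sorted(k for k, n in hits.items() if n > 1)

    return {
        "share_copies": [c["path"] for c in copies],
        "remote_tasks": [(t["host"], t["target"]) for t in tasks],
        "spreaders": sorted(spreaders),
        "repeat_targets": repeats,
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOGS).items():
        print(f"{key}: {value}")
```

On the constructed sample, WS01 is flagged as the spreading host (it writes docsrep.exe to a share and registers tasks on WS02 and WS03 within the window), while ADMIN1's single scheduled-task creation on WS09 is reported but not correlated with any share write; the repeated WS01 to WS02 task is listed separately as a possible re-infection signal. In a real environment the file-suffix check is the weakest part of the rule and should be paired with hash or signer checks, since a renamed binary defeats it.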
Source: Security Week