FBI Reports More Than 100 Organizations Suffered Ryuk Ransomware Attacks in the Last Year

The FBI released a Flash report, which contains unclassified information collected for use by private sector partners, warning of the threat posed by Ryuk ransomware. The announcement informed partners that more than 100 organizations in the US have suffered Ryuk ransomware attacks since it first appeared in August of 2018. The Flash report notes that organizations with high annual revenues are being targeted because the attackers are trying to extract as much profit as possible.

In the Flash report, the FBI stated that Ryuk appeared to "disproportionately target logistics companies, technology companies, and small municipalities". The FBI informed recipients of the Flash that Ryuk ransomware typically enters a system through an employee falling victim to a phishing email, and then deletes any files that would reveal its presence on the system. While it sits quietly on the system, it steals login credentials as employees enter them. It may also download additional tools to move through the network. After it establishes persistence in the registry, it "injects itself into running processes, looks for network connected file systems and begins encrypting files." Ryuk is especially damaging because it drops a ".bat file to delete all backup files and Volume Shadow Copies". Once the files are encrypted, the ransom note appears, and that is when most businesses first become aware that they have been infected with Ryuk ransomware.
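The backup and Volume Shadow Copy deletion the FBI describes is the step defenders have the best chance of catching before encryption finishes, because the commands involved are rarely run from a batch script during normal administration. The Python below is an added example, not code from the FBI report or from the article's author: it scans process-creation telemetry in JSON-lines form (field names loosely modelled on Sysmon Event ID 1, and the sample events are constructed) for shadow-copy and backup-catalog deletion, and raises the severity when the parent process was a `.bat` file as the report describes. The patterns are the editor's own heuristics, not a published FBI signature.

```python
import json
import re
from typing import Dict, List

# Indicators of backup and Volume Shadow Copy destruction, the "inhibit system recovery"
# step the FBI Flash attributes to Ryuk's dropped .bat file (MITRE ATT&CK T1490).
# Each entry is a label plus a regex applied to the process command line. These are
# the editor's own heuristics for this example, not a signature from the report.
RECOVERY_INHIBIT_PATTERNS = [
    ("vssadmin shadow copy deletion",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.IGNORECASE)),
    ("WMI shadow copy deletion",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.IGNORECASE)),
    ("wbadmin backup catalog deletion",
     re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\b.*\b(?:catalog|systemstatebackup)\b", re.IGNORECASE)),
]

# A parent command line referencing a batch script matches the ".bat file" delivery the report describes.
BATCH_PARENT = re.compile(r"\.bat\b", re.IGNORECASE)


def classify_event(event: Dict) -> List[str]:
    """Return the labels that fire for one process-creation event ([] when nothing matches)."""
    cmd = event.get("command_line", "")
    hits = [label for label, pattern in RECOVERY_INHIBIT_PATTERNS if pattern.search(cmd)]
    # Only escalate on the batch-script parent when a destructive command was already seen;
    # plenty of legitimate .bat files spawn cmd.exe children.
    if hits and BATCH_PARENT.search(event.get("parent_command_line", "")):
        hits.append("launched from batch script")
    return hits


def scan_process_log(jsonl: str) -> List[Dict]:
    """Parse JSON-lines process-creation telemetry and return one alert per suspicious event."""
    alerts = []
    for lineno, raw in enumerate(jsonl.splitlines(), start=1):
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            # Malformed telemetry is worth surfacing on its own: a broken forwarder or tampering.
            alerts.append({"line": lineno, "host": None, "time": None, "labels": ["unparseable event"]})
            continue
        labels = classify_event(event)
        if labels:
            alerts.append({"line": lineno, "host": event.get("host"),
                           "time": event.get("time"), "labels": labels})
    return alerts


# Constructed sample telemetry (hostnames, paths and timestamps are made up for this example).
# Lines 1, 2 and 6 are routine administration; 3, 4 and 5 are the recovery-inhibiting behaviour.
SAMPLE_EVENTS = r"""
{"time":"2019-05-02T03:14:01Z","host":"WS17","event_id":1,"image":"C:\\Windows\\explorer.exe","command_line":"notepad.exe report.txt","parent_image":"C:\\Windows\\explorer.exe","parent_command_line":"explorer.exe"}
{"time":"2019-05-02T03:14:03Z","host":"FS01","event_id":1,"image":"C:\\Windows\\System32\\vssadmin.exe","command_line":"vssadmin.exe list shadows","parent_image":"C:\\Windows\\System32\\cmd.exe","parent_command_line":"cmd.exe"}
{"time":"2019-05-02T03:14:07Z","host":"FS01","event_id":1,"image":"C:\\Windows\\System32\\vssadmin.exe","command_line":"vssadmin.exe Delete Shadows /All /Quiet","parent_image":"C:\\Windows\\System32\\cmd.exe","parent_command_line":"cmd.exe /c C:\\Users\\Public\\window.bat"}
{"time":"2019-05-02T03:14:08Z","host":"FS01","event_id":1,"image":"C:\\Windows\\System32\\wbem\\WMIC.exe","command_line":"wmic.exe shadowcopy delete /nointeractive","parent_image":"C:\\Windows\\System32\\cmd.exe","parent_command_line":"cmd.exe"}
{"time":"2019-05-02T03:14:09Z","host":"FS01","event_id":1,"image":"C:\\Windows\\System32\\wbadmin.exe","command_line":"wbadmin.exe delete catalog -quiet","parent_image":"C:\\Windows\\System32\\cmd.exe","parent_command_line":"cmd.exe /c C:\\Users\\Public\\window.bat"}
{"time":"2019-05-02T22:00:00Z","host":"FS01","event_id":1,"image":"C:\\Windows\\System32\\wbadmin.exe","command_line":"wbadmin.exe start backup -backupTarget:E: -include:C: -quiet","parent_image":"C:\\Windows\\System32\\taskeng.exe","parent_command_line":"taskeng.exe"}
"""

if __name__ == "__main__":
    for alert in scan_process_log(SAMPLE_EVENTS):
        print(f"line {alert['line']} host={alert['host']} time={alert['time']}: {', '.join(alert['labels'])}")
```

Listing shadow copies and starting a scheduled backup stay silent; only the three deletion events alert, and the two spawned from the batch file carry the extra label so an analyst can prioritise them. In production the same logic would sit on a SIEM's process-creation feed rather than a string in a script.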

The Ransom Note

The ransom note for Ryuk ransomware looks similar on every system it infects. The notes contain contact email addresses ending in @protonmail.com or @tutanota.com. The note instructs victims to email one of the included addresses to find out how much the attackers expect them to pay to decrypt their files. All ransoms are paid in Bitcoin. When a business owner emails the provided address, the attackers reply with the Bitcoin wallet to which the ransom must be sent. They also decrypt a few sample files to prove that they will decrypt the rest once the ransom is received.

The FBI encourages victims not to pay the ransom and to report the attack to the FBI. It states that "paying a ransom may embolden adversaries to target additional organizations". It is unknown whether files can be recovered from Ryuk ransomware attacks without paying the ransom, as many businesses that recover from these attacks do not disclose whether they paid.

If you are looking to increase your business's security measures, contact us.