FBI Flash: Ryuk Ransomware Continues to Attack U.S. Businesses
Thursday, May 16, 2019
ransomware ryuk threat

Related Practices & Jurisdictions
Print Mail Download i

According to a recent FBI Flash, Ryuk ransomware has hit more than 100 U.S. companies since August 2018, with a “disproportionate impact on logistics companies, technology companies, and small municipalities.”

The Flash, “provided in order to help cyber security professionals and system administrators to guard against the persistent malicious actions of cyber criminals,” seeks information from companies regarding Ryuk, which retains Hermes code. According to the Flash, once Ryuk is in the system, it deletes all files related to the intrusion, so it is impossible to identify the infection vector. It is able to steal credentials, and “in one case, the ransomware appears to have used unsecured or brute forced Remote Desktop Protocols (RDPs) to gain access. After the attacker has gained access to the victim network, additional network exploitation tools may be downloaded…” and “once executed, Ryuk establishes persistence in the registry, injects into running processes, looks for network connected file systems, and begins encrypting files.”

The attackers in the newest version of Ryuk provide email addresses to contact them to pay the ransomware and do not tell the victim how much ransomware is needed until the victim contacts them via email. Only then do they say how much bitcoin is necessary and provide a specific Bitcoin wallet where the payment is to be made and provides a sample decryption of two files to verify the files still exist.

The FBI says that it “does not encourage paying a ransom to criminal actors.” Instead, the FBI encourages all companies affected by ransomware to contact their local field office to report the event. The FBI is specifically seeking information on Ryuk, including:

  • Recovered executable file

  • Copies of the “read me” file—DO NOT REMOVE the file or decryption may not be possible

  • Live memory (RAM) capture

  • Images of infected systems

  • Malware samples

  • Log files

  • E-mail addresses of the attackers

  • A copy of the ransom note

  • Ransom amount and whether or not the ransom was paid

  • Bitcoin wallets used by the attackers

  • Bitcoin wallets used to pay the ransom (if applicable)

  • Names of any other malware identified on your system

  • Copies of any communications with attackers

If you are a victim of a cyber-attack or ransomware, the FBI can be contacted through its 24/7 Cyber Watch at www.fbi.gov/contact-us/field or CyWatch@fbi.gov or (855)292-3937.

Copyright © 2024 Robinson & Cole LLP. All rights reserved.

Current Legal Analysis

More from Robinson & Cole LLP

Privacy Tip #394 – Colorado Amends Privacy Law to Include Neurodata
by: Linn F. Freedman
New Threat: Scattered Spider International Coalition of Hackers
by: Linn F. Freedman
Joint Guidance Published by Five Eyes on Deploying AI Systems Securely
by: Linn F. Freedman
U.S. Government Intervenes in Case Alleging Unauthorized Disclosure of CUI
by: Data Privacy & Cybersecurity Robinson Cole
DoorDash Settles with California Attorney General for Alleged Violations of the CCPA
by: Kathryn M. Rattigan
The State of AI Governance and Diversity: Takeaways from the AI Index Report
by: Blair V. Robinson
Weight Loss, Miracle Medications & the Workplace
by: Abby M. Warren
Additional States Implement Notice Requirements for Healthcare Transactions
by: Leslie J. Levinson , Danielle H. Tangorre
Privacy Tip #393 – Phishing, Smishing, Vishing and Qrishing Schemes Continue to Dupe Users
by: Linn F. Freedman
Congress Introduces Promising Bipartisan Privacy Bill
by: Blair V. Robinson

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins