October 17, 2019

October 16, 2019

Subscribe to Latest Legal News and Analysis

October 15, 2019

Subscribe to Latest Legal News and Analysis

October 14, 2019

Subscribe to Latest Legal News and Analysis

FBI Flash: Ryuk Ransomware Continues to Attack U.S. Businesses

According to a recent FBI Flash, Ryuk ransomware has hit more than 100 U.S. companies since August 2018, with a “disproportionate impact on logistics companies, technology companies, and small municipalities.”

The Flash, “provided in order to help cyber security professionals and system administrators to guard against the persistent malicious actions of cyber criminals,” seeks information from companies regarding Ryuk, which retains Hermes code. According to the Flash, once Ryuk is in the system, it deletes all files related to the intrusion, so it is impossible to identify the infection vector. It is able to steal credentials, and “in one case, the ransomware appears to have used unsecured or brute forced Remote Desktop Protocols (RDPs) to gain access. After the attacker has gained access to the victim network, additional network exploitation tools may be downloaded…” and “once executed, Ryuk establishes persistence in the registry, injects into running processes, looks for network connected file systems, and begins encrypting files.”

The attackers in the newest version of Ryuk provide email addresses to contact them to pay the ransomware and do not tell the victim how much ransomware is needed until the victim contacts them via email. Only then do they say how much bitcoin is necessary and provide a specific Bitcoin wallet where the payment is to be made and provides a sample decryption of two files to verify the files still exist.

The FBI says that it “does not encourage paying a ransom to criminal actors.” Instead, the FBI encourages all companies affected by ransomware to contact their local field office to report the event. The FBI is specifically seeking information on Ryuk, including:

  • Recovered executable file

  • Copies of the “read me” file—DO NOT REMOVE the file or decryption may not be possible

  • Live memory (RAM) capture

  • Images of infected systems

  • Malware samples

  • Log files

  • E-mail addresses of the attackers

  • A copy of the ransom note

  • Ransom amount and whether or not the ransom was paid

  • Bitcoin wallets used by the attackers

  • Bitcoin wallets used to pay the ransom (if applicable)

  • Names of any other malware identified on your system

  • Copies of any communications with attackers

If you are a victim of a cyber-attack or ransomware, the FBI can be contacted through its 24/7 Cyber Watch at www.fbi.gov/contact-us/field or CyWatch@fbi.gov or (855)292-3937.

Copyright © 2019 Robinson & Cole LLP. All rights reserved.

TRENDING LEGAL ANALYSIS


About this Author

Linn F. Freedman, Robinson Cole Law Firm, Cybersecurity and Litigation Law Attorney, Providence
Partner

Linn Freedman practices in data privacy and security law, cybersecurity, and complex litigation. She provides guidance on data privacy and cybersecurity compliance to a full range of public and private clients across all industries, such as construction, education, health care, insurance, manufacturing, real estate, utilities and critical infrastructure, marine, and charitable organizations. Linn is a member of the firm's Business Litigation Group and chairs its Data Privacy + Cybersecurity Team. She is also a member of the Financial Services Cyber-Compliance Team (CyFi ...

401-709-3353