A newly discovered sample of the ransomware adds functionality aimed at web servers, along with new ways to pressure victims into paying.

In Q1 2021, cybersecurity firm McAfee saw cybercrime shift from low-return, mass-spread ransomware campaigns to fewer, more customized Ransomware-as-a-Service (RaaS) campaigns that targeted larger organizations for a more lucrative return.

According to its data, the firm continued to see the number of large ransomware attacks increase, with recent ones centered on IT firm Kaseya and on JBS. That has led researchers to share new findings on the strategic operations of the Ryuk RaaS group, and on a newly discovered Ryuk sample that now exclusively targets web servers.

Ryuk ransomware is a variant of the older Hermes ransomware and has topped lists of the most dangerous ransomware attacks. First observed in August 2018 during a campaign that targeted several enterprises, the malware was previously known to encrypt victims’ files and demand payment in cryptocurrency in return for the release of the keys needed to decrypt the stolen data.

The sample that McAfee researchers recently discovered adds new functionality to the malware, used to increase the damage to the organizations it targets.

Key findings

The new Ryuk sample has shifted its attention to web servers: rather than encrypting a web server's index file, it replaces that file with the ransom note. In addition:

  • Because of the targeted nature of Ryuk infections, the initial infection vectors are tailored to the victim. Commonly observed initial vectors are spear-phishing emails, the use of compromised credentials for remote access systems, and the reuse of earlier commodity malware infections.
  • A newly rewritten ransom note prompts victims to install a program to facilitate contact with the actors. After file encryption, the ransomware prints 50 copies of the ransom note on the user’s default printer, a new function included to pressure victims into paying the ransom.
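As an added example (not McAfee's code and not taken from the sample), two defender-side checks for the behaviours listed above: an index-file integrity check that separates a routine edit from a file swapped for a non-HTML note, and a sliding-window count of print jobs per user from spooler logs. The baseline hash, note text and log events are constructed, and the thresholds are assumptions.

```python
import hashlib
import re
from datetime import datetime, timedelta

# A changed file that still looks like HTML is an edit; one that does not is a swap.
HTML_MARKER = re.compile(rb"<\s*(!doctype|html|head|body)\b", re.IGNORECASE)


def check_index_file(content: bytes, baseline_sha256: str) -> str:
    """Classify a web root index file against its known-good hash:
    'ok' unchanged, 'modified' changed but still HTML, 'replaced' changed
    and no longer HTML (the index-file-swapped-for-ransom-note pattern)."""
    if hashlib.sha256(content).hexdigest() == baseline_sha256:
        return "ok"
    return "modified" if HTML_MARKER.search(content) else "replaced"


def print_bursts(events, threshold=50, window=timedelta(minutes=5)):
    """Flag users with >= threshold print jobs inside a sliding time window.
    events: iterable of (datetime, user) taken from print-spooler logs.
    Returns [(user, jobs_in_window), ...], one entry per flagged user."""
    by_user = {}
    for ts, user in events:
        by_user.setdefault(user, []).append(ts)
    hits = []
    for user, stamps in sorted(by_user.items()):
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                hits.append((user, end - start + 1))
                break
    return hits


# Constructed sample data so the block runs stand-alone.
GOOD_INDEX = b"<!DOCTYPE html><html><body>Welcome</body></html>"
BASELINE = hashlib.sha256(GOOD_INDEX).hexdigest()
EDITED_INDEX = b"<html><body>Welcome, updated</body></html>"
NOTE_INDEX = b"YOUR FILES ARE ENCRYPTED. (constructed placeholder note)"
T0 = datetime(2021, 6, 1, 10, 0, 0)
SAMPLE_EVENTS = [(T0 + timedelta(seconds=i), "alice") for i in range(50)]
SAMPLE_EVENTS += [(T0 + timedelta(minutes=i), "bob") for i in range(3)]

if __name__ == "__main__":
    for name, data in [("good", GOOD_INDEX), ("edited", EDITED_INDEX), ("note", NOTE_INDEX)]:
        print(name, "->", check_index_file(data, BASELINE))
    print("print bursts:", print_bursts(SAMPLE_EVENTS))
```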

The firm advises organizations to defend against ransomware by updating and upgrading endpoint protection, as well as implementing solutions for tamper protection and rollback.