A new ransomware strain has been alarming organizations, especially in the US, for less than a year. It is called "Ryuk," and the attackers behind it use it to go after an organization's strategic network resources in order to maximize the ransom. The campaign was analyzed in parallel by CrowdStrike and FireEye researchers, who estimate that the attackers had collected 3.2 million euros by February 2017 across 52 transactions, an average ransom of around €60,000 per victim.
To get into companies, the group, which researchers have named Grim Spider, first uses an already known Trojan, "TrickBot". It is usually embedded in an Excel spreadsheet that is e-mailed to a targeted person. If the recipient opens the message and enables the document's active content, the malware is installed on the system and establishes contact with the attackers' command servers. The attackers then use various techniques to move step by step across the computers on the network: password-theft modules, Windows Remote Desktop Protocol connections, PowerShell backdoors, and so on.
Kill two birds with one stone
This reconnaissance phase lets the attackers identify the company's strategic resources before the encryption phase begins. The attackers, moreover, sometimes take their time: several weeks, even months, may pass before the Ryuk ransomware is deployed on the machines. Why? On the one hand, because this manual reconnaissance is time-consuming, and on the other hand, because the attackers may first use this access to "accelerate in a different way", as FireEye puts it, for example through the theft of sensitive data.
Then, when D-Day arrives, the attackers deploy the ransomware and lock up every machine. The malware encrypts the system's data as well as every disk connected to it. At the same time, it carefully deletes any backup files it comes across, including the shadow copies made by Windows. It is meticulous work that, CrowdStrike believes, implies a "deeper knowledge of enterprise backup systems".
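Two of the behaviours described above leave traces in process-creation telemetry that a defender can hunt for: the Excel document spawning a script host when its active content is enabled (the TrickBot delivery step), and the deletion of Windows shadow copies just before encryption. The following script is an added example, not code from the article or from CrowdStrike or FireEye; it parses constructed process-creation records (the field layout is this example's own assumption, loosely modelled on a Sysmon process-create event) and flags both patterns, so the same small parser serves both passages.

```python
import re
from dataclasses import dataclass

# Constructed sample process-creation events (not real telemetry). The field layout is
# an assumption of this example, loosely modelled on a Sysmon "process create" record.
SAMPLE_LOG = """\
2019-02-01T09:12:03Z host=FIN-WS07 user=j.doe parent=explorer.exe image=EXCEL.EXE cmdline="EXCEL.EXE C:\\Users\\j.doe\\Downloads\\invoice.xlsm"
2019-02-01T09:12:41Z host=FIN-WS07 user=j.doe parent=EXCEL.EXE image=powershell.exe cmdline="powershell.exe -nop -w hidden -File C:\\Users\\j.doe\\AppData\\Local\\Temp\\stage.ps1"
2019-02-01T10:00:00Z host=FIN-WS07 user=j.doe parent=explorer.exe image=chrome.exe cmdline="chrome.exe"
2019-02-14T02:41:17Z host=FS01 user=SYSTEM parent=cmd.exe image=vssadmin.exe cmdline="vssadmin.exe delete shadows /all /quiet"
2019-02-14T02:41:18Z host=FS01 user=SYSTEM parent=cmd.exe image=wmic.exe cmdline="wmic shadowcopy delete"
2019-02-14T03:00:00Z host=FS01 user=backupsvc parent=services.exe image=vssadmin.exe cmdline="vssadmin.exe list shadows"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) parent=(?P<parent>\S+) '
    r'image=(?P<image>\S+) cmdline="(?P<cmdline>[^"]*)"$'
)


@dataclass
class ProcessEvent:
    ts: str
    host: str
    user: str
    parent: str
    image: str
    cmdline: str


def parse_log(text: str) -> list[ProcessEvent]:
    """Parse the constructed record format; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(ProcessEvent(**m.groupdict()))
    return events


# Office applications that should almost never spawn a script interpreter.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}

# Command lines that remove Volume Shadow Copies. "vssadmin list shadows" is
# deliberately NOT matched: listing is routine for backup software, deleting is not.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.IGNORECASE),
    re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.IGNORECASE),
]


def detect(events: list[ProcessEvent]) -> list[tuple[str, str, str, str]]:
    """Return (rule, host, timestamp, cmdline) for every event matching a rule."""
    alerts = []
    for e in events:
        if e.parent.lower() in OFFICE_PARENTS and e.image.lower() in SCRIPT_HOSTS:
            alerts.append(("office_spawned_script_host", e.host, e.ts, e.cmdline))
        if any(p.search(e.cmdline) for p in SHADOW_DELETE_PATTERNS):
            alerts.append(("shadow_copy_deletion", e.host, e.ts, e.cmdline))
    return alerts


def hosts_by_rule(alerts: list[tuple[str, str, str, str]]) -> dict[str, set[str]]:
    """Group alerting hosts per rule, which is the view an analyst triages from."""
    summary: dict[str, set[str]] = {}
    for rule, host, _ts, _cmd in alerts:
        summary.setdefault(rule, set()).add(host)
    return summary


if __name__ == "__main__":
    for rule, host, ts, cmd in detect(parse_log(SAMPLE_LOG)):
        print(f"{ts} {host} [{rule}] {cmd}")
```

The first rule fires on the workstation where the macro-enabled spreadsheet was opened; the second fires on the file server during the pre-encryption clean-up, while the benign `vssadmin list shadows` from the backup service is ignored. Because Ryuk's operators spend weeks between those two events, the two rules usually fire on different hosts on different days, which is why the summary groups by rule rather than expecting both on one machine.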
Who is hiding behind Ryuk? According to CrowdStrike, the attackers are "probably, if not most likely" based in Russia. The ransomware in fact includes a "kill switch" that is activated if the victim is identified as Russian, Belarusian or Ukrainian, behaviour that is entirely classic in the world of cybercrime: the attackers thus avoid sawing off the branch they are sitting on. In addition, CrowdStrike identified some Russian-language elements in the code as well as suspicious downloads from Moscow.