{"id":11343,"date":"2019-01-23T11:05:31","date_gmt":"2019-01-23T00:05:31","guid":{"rendered":"https:\/\/www.backupassist.com\/blog\/?p=11343"},"modified":"2019-01-23T11:05:31","modified_gmt":"2019-01-23T00:05:31","slug":"ransomware-ryuk-steals-4-million","status":"publish","type":"post","link":"https:\/\/www.backupassist.com\/blog\/ransomware-ryuk-steals-4-million","title":{"rendered":"New Ransomware &#8220;Ryuk&#8221; Steals $4 Mil from Big Fish"},"content":{"rendered":"<p>A new ransomware is out in the wild, and in an unusual move, it&#8217;s being picky with its targets. Unlike most ransomware strains, it&#8217;s attacking only targets with cash to spare, instead of indiscriminately spreading to all targets.<\/p>\n<p>But the cyber-crim&#8217;s tactics seem to have worked, netting almost $4 million since August. The ransomware is known as Ryuk &#8211; potentially named after a &#8220;<a href=\"https:\/\/en.wikipedia.org\/wiki\/Ryuk_(Death_Note)\">grim reaper<\/a>&#8221; in a famous Japanese anime.<\/p>\n<p>This reaping ransomware infects large enterprises days, weeks, or even years after they were initially infected by a separate malware. This malware in most cases is a powerful trojan known as Trickbot.<\/p>\n<p>But small organizations who have been hit by Trickbot don&#8217;t get a visit from Ryuk. Instead, Ryuk engages in big game hunting. Perhaps the second-most unusual thing about Ryuk is the unusually long &#8220;dwell time&#8221; &#8211; the period between the initial infection and the ransomware demand.<\/p>\n<p>Why is this the case? 
It is believed this delay allows attackers to conduct valuable reconnaissance of the enterprise network, and hit the critical systems once they have the best avenue to infect them.<\/p>\n<p>CrowdStrike researcher <a href=\"https:\/\/www.crowdstrike.com\/blog\/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware\/\">Alexander Hanel wrote<\/a>:<\/p>\n<p><em>&#8220;Some of TrickBot\u2019s modules (such as pwgrab) could aid in recovering the credentials needed to compromise environments\u2014the SOCKS module in particular has been observed tunneling PowerShell Empire traffic to perform reconnaissance and lateral movement. Through CrowdStrike IR engagements, GRIM SPIDER has been observed performing the following events on the victim\u2019s network, with the end goal of pushing out the Ryuk binary:<\/em><\/p>\n<ul>\n<li><em>An obfuscated PowerShell script is executed and connects to a remote IP address.<\/em><\/li>\n<li><em>A reverse shell is downloaded and executed on the compromised host.<\/em><\/li>\n<li><em>PowerShell anti-logging scripts are executed on the host.<\/em><\/li>\n<li><em>Reconnaissance of the network is conducted using standard Windows command-line tools along with external uploaded tools.<\/em><\/li>\n<li><em>Lateral movement throughout the network is enabled using Remote Desktop Protocol (RDP).<\/em><\/li>\n<li><em>Service User Accounts are created.<\/em><\/li>\n<li><em>PowerShell Empire is downloaded and installed as a service.<\/em><\/li>\n<li><em>Lateral movement is continued until privileges are recovered to obtain access to a domain controller.<\/em><\/li>\n<li><em>PSEXEC is used to push out the Ryuk binary to individual hosts.<\/em><\/li>\n<li><em>Batch scripts are executed to terminate processes\/services and remove backups, followed by the Ryuk binary.&#8221;<\/em><\/li>\n<\/ul>\n<h4>Ransomware Protection: Make Sure You&#8217;re Prepared!<\/h4>\n<p>Backups aren&#8217;t enough; you need multi-tiered ransomware protection to truly 
keep your data safe. On top of anti-malware and firewall solutions, a dedicated ransomware protection tool like BackupAssist&#8217;s CryptoSafeGuard can help keep ransomware at bay. <a href=\"https:\/\/www.backupassist.com\/backupassist\/features\/cryptosafeguard.php\">Learn more about it here<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The latest ransomware to hit the scene, &#8220;Ryuk&#8221;, has already raked in $4 million from victims. And unlike other ransomware, it only goes after wealthy victims.<\/p>\n","protected":false},"author":3,"featured_media":11353,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[23],"tags":[634,507,311,725],"class_list":["post-11343","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news","tag-featured","tag-phishing","tag-ransomware","tag-ryuk"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v24.9 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>New Ransomware &quot;Ryuk&quot; Steals $4 Million from Big Fish<\/title>\n<meta name=\"description\" content=\"The latest ransomware to hit the scene, &quot;Ryuk&quot;, has already raked in $4 million from victims. Unlike other ransomware, it only goes after wealthy victims.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.backupassist.com\/blog\/ransomware-ryuk-steals-4-million\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"New Ransomware &quot;Ryuk&quot; Steals $4 Million from Big Fish\" \/>\n<meta property=\"og:description\" content=\"The latest ransomware to hit the scene, &quot;Ryuk&quot;, has already raked in $4 million from victims. 
Unlike other ransomware, it only goes after wealthy victims.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.backupassist.com\/blog\/ransomware-ryuk-steals-4-million\" \/>\n<meta property=\"og:site_name\" content=\"Cyber Resilience Blog\" \/>\n<meta property=\"article:published_time\" content=\"2019-01-23T00:05:31+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.backupassist.com\/app\/uploads\/sites\/3\/2019\/01\/whales-1575967_960_720.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"960\" \/>\n\t<meta property=\"og:image:height\" content=\"640\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Adam Ipsen\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Adam Ipsen\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.backupassist.com\/blog\/ransomware-ryuk-steals-4-million#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.backupassist.com\/blog\/ransomware-ryuk-steals-4-million\"},\"author\":{\"name\":\"Adam Ipsen\",\"@id\":\"https:\/\/www.backupassist.com\/blog\/#\/schema\/person\/7a3a759eceffd2e597d435c34ed3519d\"},\"headline\":\"New Ransomware &#8220;Ryuk&#8221; Steals $4 Mil from Big 
Fish\",\"datePublished\":\"2019-01-23T00:05:31+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.backupassist.com\/blog\/ransomware-ryuk-steals-4-million\"},\"wordCount\":420,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/www.backupassist.com\/blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.backupassist.com\/blog\/ransomware-ryuk-steals-4-million#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.backupassist.com\/app\/uploads\/sites\/3\/2019\/01\/whales-1575967_960_720.jpg\",\"keywords\":[\"featured\",\"Phishing\",\"ransomware\",\"ryuk\"],\"articleSection\":[\"News\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/www.backupassist.com\/blog\/ransomware-ryuk-steals-4-million#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.backupassist.com\/blog\/ransomware-ryuk-steals-4-million\",\"url\":\"https:\/\/www.backupassist.com\/blog\/ransomware-ryuk-steals-4-million\",\"name\":\"New Ransomware \\\"Ryuk\\\" Steals $4 Million from Big Fish\",\"isPartOf\":{\"@id\":\"https:\/\/www.backupassist.com\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.backupassist.com\/blog\/ransomware-ryuk-steals-4-million#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.backupassist.com\/blog\/ransomware-ryuk-steals-4-million#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.backupassist.com\/app\/uploads\/sites\/3\/2019\/01\/whales-1575967_960_720.jpg\",\"datePublished\":\"2019-01-23T00:05:31+00:00\",\"description\":\"The latest ransomware to hit the scene, \\\"Ryuk\\\", has already raked in $4 million from victims. 
Unlike other ransomware, it only goes after wealthy victims.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.backupassist.com\/blog\/ransomware-ryuk-steals-4-million#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.backupassist.com\/blog\/ransomware-ryuk-steals-4-million\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.backupassist.com\/blog\/ransomware-ryuk-steals-4-million#primaryimage\",\"url\":\"https:\/\/www.backupassist.com\/app\/uploads\/sites\/3\/2019\/01\/whales-1575967_960_720.jpg\",\"contentUrl\":\"https:\/\/www.backupassist.com\/app\/uploads\/sites\/3\/2019\/01\/whales-1575967_960_720.jpg\",\"width\":960,\"height\":640},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.backupassist.com\/blog\/ransomware-ryuk-steals-4-million#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.backupassist.com\/blog\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"New Ransomware &#8220;Ryuk&#8221; Steals $4 Mil from Big Fish\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.backupassist.com\/blog\/#website\",\"url\":\"https:\/\/www.backupassist.com\/blog\/\",\"name\":\"Cyber Resilience Blog\",\"description\":\"Protect Your Cloud Data with BackupAssist\",\"publisher\":{\"@id\":\"https:\/\/www.backupassist.com\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.backupassist.com\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.backupassist.com\/blog\/#organization\",\"name\":\"Cyber Resilience 
Blog\",\"url\":\"https:\/\/www.backupassist.com\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.backupassist.com\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.backupassist.com\/app\/uploads\/sites\/3\/2019\/09\/BA-Logo-Full-Logo.svg\",\"contentUrl\":\"https:\/\/www.backupassist.com\/app\/uploads\/sites\/3\/2019\/09\/BA-Logo-Full-Logo.svg\",\"caption\":\"Cyber Resilience Blog\"},\"image\":{\"@id\":\"https:\/\/www.backupassist.com\/blog\/#\/schema\/logo\/image\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.backupassist.com\/blog\/#\/schema\/person\/7a3a759eceffd2e597d435c34ed3519d\",\"name\":\"Adam Ipsen\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.backupassist.com\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/d1cb7aaf3e3a12c73b037ce2cd62192517634d57a26edc34ff6b01f40fce1a50?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/d1cb7aaf3e3a12c73b037ce2cd62192517634d57a26edc34ff6b01f40fce1a50?s=96&d=mm&r=g\",\"caption\":\"Adam Ipsen\"},\"url\":\"https:\/\/www.backupassist.com\/blog\/author\/adam-ipsen\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"New Ransomware \"Ryuk\" Steals $4 Million from Big Fish","description":"The latest ransomware to hit the scene, \"Ryuk\", has already raked in $4 million from victims. Unlike other ransomware, it only goes after wealthy victims.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.backupassist.com\/blog\/ransomware-ryuk-steals-4-million","og_locale":"en_US","og_type":"article","og_title":"New Ransomware \"Ryuk\" Steals $4 Million from Big Fish","og_description":"The latest ransomware to hit the scene, \"Ryuk\", has already raked in $4 million from victims. 
Unlike other ransomware, it only goes after wealthy victims.","og_url":"https:\/\/www.backupassist.com\/blog\/ransomware-ryuk-steals-4-million","og_site_name":"Cyber Resilience Blog","article_published_time":"2019-01-23T00:05:31+00:00","og_image":[{"width":960,"height":640,"url":"https:\/\/www.backupassist.com\/app\/uploads\/sites\/3\/2019\/01\/whales-1575967_960_720.jpg","type":"image\/jpeg"}],"author":"Adam Ipsen","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Adam Ipsen","Est. reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.backupassist.com\/blog\/ransomware-ryuk-steals-4-million#article","isPartOf":{"@id":"https:\/\/www.backupassist.com\/blog\/ransomware-ryuk-steals-4-million"},"author":{"name":"Adam Ipsen","@id":"https:\/\/www.backupassist.com\/blog\/#\/schema\/person\/7a3a759eceffd2e597d435c34ed3519d"},"headline":"New Ransomware &#8220;Ryuk&#8221; Steals $4 Mil from Big Fish","datePublished":"2019-01-23T00:05:31+00:00","mainEntityOfPage":{"@id":"https:\/\/www.backupassist.com\/blog\/ransomware-ryuk-steals-4-million"},"wordCount":420,"commentCount":0,"publisher":{"@id":"https:\/\/www.backupassist.com\/blog\/#organization"},"image":{"@id":"https:\/\/www.backupassist.com\/blog\/ransomware-ryuk-steals-4-million#primaryimage"},"thumbnailUrl":"https:\/\/www.backupassist.com\/app\/uploads\/sites\/3\/2019\/01\/whales-1575967_960_720.jpg","keywords":["featured","Phishing","ransomware","ryuk"],"articleSection":["News"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.backupassist.com\/blog\/ransomware-ryuk-steals-4-million#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.backupassist.com\/blog\/ransomware-ryuk-steals-4-million","url":"https:\/\/www.backupassist.com\/blog\/ransomware-ryuk-steals-4-million","name":"New Ransomware \"Ryuk\" Steals $4 Million from Big 
Fish","isPartOf":{"@id":"https:\/\/www.backupassist.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.backupassist.com\/blog\/ransomware-ryuk-steals-4-million#primaryimage"},"image":{"@id":"https:\/\/www.backupassist.com\/blog\/ransomware-ryuk-steals-4-million#primaryimage"},"thumbnailUrl":"https:\/\/www.backupassist.com\/app\/uploads\/sites\/3\/2019\/01\/whales-1575967_960_720.jpg","datePublished":"2019-01-23T00:05:31+00:00","description":"The latest ransomware to hit the scene, \"Ryuk\", has already raked in $4 million from victims. Unlike other ransomware, it only goes after wealthy victims.","breadcrumb":{"@id":"https:\/\/www.backupassist.com\/blog\/ransomware-ryuk-steals-4-million#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.backupassist.com\/blog\/ransomware-ryuk-steals-4-million"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.backupassist.com\/blog\/ransomware-ryuk-steals-4-million#primaryimage","url":"https:\/\/www.backupassist.com\/app\/uploads\/sites\/3\/2019\/01\/whales-1575967_960_720.jpg","contentUrl":"https:\/\/www.backupassist.com\/app\/uploads\/sites\/3\/2019\/01\/whales-1575967_960_720.jpg","width":960,"height":640},{"@type":"BreadcrumbList","@id":"https:\/\/www.backupassist.com\/blog\/ransomware-ryuk-steals-4-million#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.backupassist.com\/blog"},{"@type":"ListItem","position":2,"name":"New Ransomware &#8220;Ryuk&#8221; Steals $4 Mil from Big Fish"}]},{"@type":"WebSite","@id":"https:\/\/www.backupassist.com\/blog\/#website","url":"https:\/\/www.backupassist.com\/blog\/","name":"Cyber Resilience Blog","description":"Protect Your Cloud Data with 
BackupAssist","publisher":{"@id":"https:\/\/www.backupassist.com\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.backupassist.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.backupassist.com\/blog\/#organization","name":"Cyber Resilience Blog","url":"https:\/\/www.backupassist.com\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.backupassist.com\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.backupassist.com\/app\/uploads\/sites\/3\/2019\/09\/BA-Logo-Full-Logo.svg","contentUrl":"https:\/\/www.backupassist.com\/app\/uploads\/sites\/3\/2019\/09\/BA-Logo-Full-Logo.svg","caption":"Cyber Resilience Blog"},"image":{"@id":"https:\/\/www.backupassist.com\/blog\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/www.backupassist.com\/blog\/#\/schema\/person\/7a3a759eceffd2e597d435c34ed3519d","name":"Adam Ipsen","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.backupassist.com\/blog\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/d1cb7aaf3e3a12c73b037ce2cd62192517634d57a26edc34ff6b01f40fce1a50?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/d1cb7aaf3e3a12c73b037ce2cd62192517634d57a26edc34ff6b01f40fce1a50?s=96&d=mm&r=g","caption":"Adam 
Ipsen"},"url":"https:\/\/www.backupassist.com\/blog\/author\/adam-ipsen"}]}},"_links":{"self":[{"href":"https:\/\/www.backupassist.com\/blog\/wp-json\/wp\/v2\/posts\/11343","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.backupassist.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.backupassist.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.backupassist.com\/blog\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.backupassist.com\/blog\/wp-json\/wp\/v2\/comments?post=11343"}],"version-history":[{"count":0,"href":"https:\/\/www.backupassist.com\/blog\/wp-json\/wp\/v2\/posts\/11343\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.backupassist.com\/blog\/wp-json\/wp\/v2\/media\/11353"}],"wp:attachment":[{"href":"https:\/\/www.backupassist.com\/blog\/wp-json\/wp\/v2\/media?parent=11343"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.backupassist.com\/blog\/wp-json\/wp\/v2\/categories?post=11343"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.backupassist.com\/blog\/wp-json\/wp\/v2\/tags?post=11343"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}