Mohammad.Poorya

After SamSam, Ryuk Shows Targeted Ransomware is Still Evolving

Quote:
Last month the world learned that the FBI thinks it has identified the two people behind the notorious SamSam ransomware attacks.

SamSam, you may recall, gained notoriety for plundering ransoms from vulnerable targets like hospitals, and for devastating attacks like the one that embattled the City of Atlanta in early 2018. As with other targeted attacks, SamSam was deployed manually after its operators had broken into a vulnerable network via a poorly-protected RDP port. The SamSam gang’s methodical and patient attacks put them in a position to extort enormous ransoms, and helped them accrue almost $7 million since December 2015.

As you might expect, things have been a bit quiet from SamSam since the FBI’s indictment. The Iranian suspects are beyond the agency’s reach, but they have been identified, their operation has been compromised and, for the time being at least, activities have ceased. The unmasking followed a period of apparently diminishing returns for SamSam attacks. After the publication of extensive research by Sophos in August, SamSam’s monthly earnings began to decline, even while the frequency of attacks seemed to increase.

Now SamSam seems to have left the stage, but the brand of destructive, stealthy attacks it exemplified didn’t start with SamSam and they didn’t end with it either. In fact, while SamSam may have gained infamy, other kinds of targeted ransomware, like Dharma and BitPaymer, have been deployed more widely, and demanded higher ransoms. The threat of targeted ransomware is undimmed, and continues to evolve. In August 2018, just as SamSam’s influence began to diminish, a new strain of targeted ransomware appeared. Ryuk.

Ryuk, named after a character in the manga series Death Note, represents an evolution in ransomware that’s either learning from, building on, stealing from, or paying homage to the targeted malware that’s gone before. Targeted ransomware of all stripes seems to have converged on a method that, sadly, just works, and Ryuk follows it too. The attackers:
  1. Enter the victim’s network via a weak RDP (Remote Desktop Protocol) password.
  2. Escalate their privileges until they’re an administrator.
  3. Use their privileged position to overcome security software.
  4. Spread their ransomware as widely as possible before encrypting the victim’s files.
  5. Leave notes demanding payment in return for decrypting the files.
  6. Wait for the victim to contact them via email.
Hackers using targeted ransomware work hard to achieve administrator access because it allows their software to cause so much damage – enough that many victims have no option but to pay five- or six-figure ransoms.
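The first step of the chain above, entry through a weak RDP password, leaves a recognisable trace in Windows Security logs: a burst of failed logons (event 4625, LogonType 10 = RemoteInteractive/RDP) from one source followed by a success (event 4624). The script below is an added example, not part of the quoted Sophos article or the forum post; it runs over constructed sample records in a simplified pipe-separated layout, not real event-log output.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records, not real telemetry.
# Fields: timestamp | EventID | LogonType | source IP | account name
SAMPLE_EVENTS = [
    "2018-08-10 02:00:01|4625|10|203.0.113.7|administrator",
    "2018-08-10 02:00:03|4625|10|203.0.113.7|administrator",
    "2018-08-10 02:00:05|4625|10|203.0.113.7|admin",
    "2018-08-10 02:00:07|4625|10|203.0.113.7|backup",
    "2018-08-10 02:00:09|4625|10|203.0.113.7|administrator",
    "2018-08-10 02:00:12|4624|10|203.0.113.7|backup",   # success after a run of failures
    "2018-08-10 02:01:00|4625|10|198.51.100.4|jdoe",    # a single typo, benign
    "2018-08-10 02:01:05|4624|10|198.51.100.4|jdoe",
    "2018-08-10 02:02:00|4624|2|192.0.2.9|jdoe",        # console logon, not RDP, ignored
]

def parse_event(line):
    ts, event_id, logon_type, src, user = line.split("|")
    return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "id": int(event_id), "type": int(logon_type),
            "src": src, "user": user}

def detect_rdp_bruteforce(lines, threshold=5, window=timedelta(minutes=10)):
    """Return {source_ip: account} for every source whose RDP failures (4625,
    LogonType 10) reach `threshold` inside the sliding `window` and are then
    followed by an RDP success (4624) from the same source."""
    recent_failures = defaultdict(deque)   # src -> timestamps of recent 4625s
    hits = {}
    for ev in sorted((parse_event(l) for l in lines), key=lambda e: e["ts"]):
        if ev["type"] != 10:               # only RemoteInteractive (RDP) logons
            continue
        q = recent_failures[ev["src"]]
        while q and ev["ts"] - q[0] > window:   # expire failures outside the window
            q.popleft()
        if ev["id"] == 4625:
            q.append(ev["ts"])
        elif ev["id"] == 4624 and len(q) >= threshold:
            hits[ev["src"]] = ev["user"]   # guessing run ended in a valid logon
            q.clear()
    return hits

if __name__ == "__main__":
    for src, user in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(f"possible RDP password-guessing success: {src} -> {user}")
```

Only a source that both fails repeatedly and then succeeds is reported, so a user who mistypes a password once is not flagged; tune `threshold` and `window` to the environment's normal failure rate.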
