Hackers are targeting computers with ransomware that scours a previously infected network in order to pinpoint and attack enterprises with big money. Named “Ryuk,” the ransomware has been around since 2017, but only recently, in mid-2018, has there been an uptick in successful attacks, according to research done by the security experts at FireEye.
Upward of $3.7 million in Bitcoin has been acquired by hackers leveraging these attacks, which first infect victims’ PCs with the “Trickbot” trojan and then, subsequently, with the “Ryuk” ransomware. As part of the process, after sending a payroll phishing email and tricking victims into opening it, the hacker is able to use the “Trickbot” trojan to scour the victim’s network and files to determine whether the target is worth infecting with a subsequent attack via “Ryuk.”
It can lie dormant for a year or longer, and the unique element is that in that time period the hacker can decide whether to direct another attack from “Ryuk” at a previously infected organization in order to extort large ransom fees.
“Interactive deployment of ransomware, such as this, allows an attacker to perform valuable reconnaissance within the victim network and identify critical systems to maximize their disruption to business operations, ultimately increasing the likelihood an organization will pay the demanded ransom,” explains the team at FireEye.
It is not certain which country is leveraging these attacks, but FireEye does not believe that they are coming from North Korea. Subsequent reports from another security firm, CrowdStrike, found that the attacks could be linked to the “Grim Spider” group in Russia, based on the IP addresses used in the process. FireEye also believes that these attacks could increase in 2019 “due to the success these intrusion operators have had in extorting large sums from victim organizations.”
There have been several high-profile cyberattacks recently, one which targeted newspapers across the United States and another which leveraged social engineering to target email accounts. To protect against these types of attacks, it is always best to avoid opening emails from suspicious email addresses. You could also consider never opening Microsoft Office files with macros enabled, which hackers often use to push out viruses via phishing emails. You should also keep both Windows 10 and your antivirus up to date, to ensure that you’re fully guarded.
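The macro advice above can be enforced rather than left to user judgement. The PowerShell script below is an added example, not part of the original article and not FireEye’s or CrowdStrike’s tooling; it audits (and, with `-Enforce`, sets) the per-user Office policy values that disable VBA macros and block macros in files downloaded from the internet. It assumes Office 2016 or later (the `16.0` policy hive) and that Word, Excel and PowerPoint are the applications of interest; adjust the version and application list for your environment.

```powershell
# Audit or enforce Office macro hardening for the current user.
# Assumptions: Office 2016+ (hive version 16.0); Word/Excel/PowerPoint installed.
# VBAWarnings: 4 = disable all macros without notification (most restrictive)
# blockcontentexecutionfrominternet: 1 = block macros in files marked as from the internet
param(
    [switch]$Enforce,
    [string]$OfficeVersion = "16.0",
    [string[]]$Apps = @("Word", "Excel", "PowerPoint")
)

$desired = @{
    "VBAWarnings"                       = 4
    "blockcontentexecutionfrominternet" = 1
}

$results = foreach ($app in $Apps) {
    $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"

    foreach ($name in $desired.Keys) {
        $current = $null
        if (Test-Path $key) {
            $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        }
        $compliant = ($current -eq $desired[$name])

        if ($Enforce -and -not $compliant) {
            # Create the policy key if missing, then set the hardened value.
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            New-ItemProperty -Path $key -Name $name -Value $desired[$name] `
                -PropertyType DWord -Force | Out-Null
            $current   = $desired[$name]
            $compliant = $true
        }

        [pscustomobject]@{
            Application = $app
            Setting     = $name
            Current     = if ($null -eq $current) { "(not set)" } else { $current }
            Desired     = $desired[$name]
            Compliant   = $compliant
        }
    }
}

$results | Format-Table -AutoSize

# Non-zero exit lets a login script or monitoring job flag drift.
if ($results | Where-Object { -not $_.Compliant }) { exit 1 } else { exit 0 }
```

Run it without `-Enforce` first to see which machines still allow macros; in a managed domain the same two values are normally pushed through Group Policy (the Office administrative templates), and this script then serves as an independent check that the policy actually landed on the endpoint.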