Increase in Ryuk ransomware attacks

5:10pm, 29 October 2020

TLP Rating: Clear

CERT NZ is aware of a spike in Ryuk ransomware attacks in the United States. The attacks are encrypting the systems of numerous organisations in the health care sector and demanding ransoms, averaging over USD 100,000 and payable in bitcoin, for the decryption of the affected data.

While this campaign is currently affecting United States based organisations, CERT NZ encourages New Zealand organisations to make sure they have the protections in place to defend against a similar attack.

What's happening

Systems affected

Computers, servers and networks that have been infected with Emotet or Trickbot, or that can be reached over exposed remote access services such as RDP.

What this means

CERT NZ understands that the majority of Ryuk ransomware attacks occur in one of three ways:

  • Through a previous Emotet or Trickbot infection, which the attacker uses to deliver and launch Ryuk on the already-compromised network.
  • Through email attachments that deploy Ryuk ransomware directly.
  • Through RDP access: an attacker with remote desktop access to a machine can install and execute Ryuk on it directly, and from there across the wider network.

What to look for

How to tell if you're at risk

Ryuk is currently affecting international organisations in the health care sector; however, anyone can be targeted by Ryuk, including individuals, businesses and large organisations.

How to tell if you're affected

The impacts of Ryuk are immediate. If you are affected:

  • Files on the computer will be encrypted and can no longer be opened. Ryuk commonly appends a .RYK extension to the files it encrypts.
  • A new file titled ‘RyukReadMe.txt’ or similar will appear on the desktop, containing the ransom demand.
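The PowerShell below is added here as an example and is not CERT NZ's own code or tooling. It performs a read-only triage scan of a Windows host for the two indicators just described. It assumes the ransom note is named RyukReadMe.txt or a close variant (matched as RyukReadMe*) and that encrypted files carry the .RYK extension; both are assumptions of this example, so adjust them if the variant you are dealing with behaves differently.

```powershell
# Added example, not part of the CERT NZ advisory: a read-only triage scan for
# the Ryuk indicators described above. Assumptions: the ransom note is named
# RyukReadMe.txt or similar (matched here as RyukReadMe*), and encrypted files
# carry the .RYK extension. Run from an elevated prompt on the suspect host, or
# wrap the function in Invoke-Command to run it across many hosts at once.

function Find-RyukIndicators {
    param(
        # Folders to scan; defaults to the root of every ready, fixed local drive.
        [string[]]$Paths = ([System.IO.DriveInfo]::GetDrives() |
            Where-Object { $_.DriveType -eq 'Fixed' -and $_.IsReady } |
            ForEach-Object { $_.RootDirectory.FullName })
    )

    $notes     = [System.Collections.Generic.List[object]]::new()
    $encrypted = 0
    $byFolder  = @{}

    foreach ($root in $Paths) {
        # -Force includes hidden files; folders we cannot read are skipped
        # rather than aborting the whole scan.
        Get-ChildItem -Path $root -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            if ($_.Name -like 'RyukReadMe*') {
                $notes.Add([pscustomobject]@{
                    Path       = $_.FullName
                    WrittenUtc = $_.LastWriteTimeUtc
                })
            }
            elseif ($_.Extension -eq '.RYK') {
                $encrypted++
                $byFolder[$_.DirectoryName] = 1 + [int]$byFolder[$_.DirectoryName]
            }
        }
    }

    # The earliest note timestamp is a useful anchor for the incident timeline:
    # encryption on this host started at or before that time.
    $earliest    = $notes | Sort-Object WrittenUtc | Select-Object -First 1
    $earliestUtc = if ($earliest) { $earliest.WrittenUtc } else { $null }

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        Affected            = ($notes.Count -gt 0 -or $encrypted -gt 0)
        RansomNoteCount     = $notes.Count
        EarliestNoteUtc     = $earliestUtc
        EncryptedFileCount  = $encrypted
        MostAffectedFolders = $byFolder.GetEnumerator() |
            Sort-Object Value -Descending | Select-Object -First 5 |
            ForEach-Object { "$($_.Key) ($($_.Value) files)" }
        RansomNotes         = $notes
    }
}

$result = Find-RyukIndicators
$result | Format-List
if ($result.Affected) {
    Write-Warning "$($result.ComputerName): Ryuk indicators found. Isolate this host now (see Mitigation)."
}
```

A single ransom note is enough to treat the host as infected; the absence of .RYK files does not clear it, since the note may be written before encryption finishes or a variant may use a different extension. Record the EarliestNoteUtc value from each affected host before re-imaging, as it tells you the order in which machines were hit and where to start looking for the Emotet or Trickbot foothold.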

What to do

Prevention

As there are multiple ways a Ryuk ransomware infection can occur, CERT NZ recommends you take the following measures:

  • Make sure you have an antivirus solution installed and keep its detection signatures up to date.
  • Run an email-filtering solution that quarantines or rejects suspicious attachments.
  • Mandate the use of strong, unique passwords.
  • Implement multi-factor authentication for account access wherever possible, particularly for remote access and administrative accounts.
  • Implement application whitelisting so that only approved programs can run.
  • Keep systems up to date with patches.
  • Disable any unnecessary remote access capabilities (such as RDP), and protect any you must keep with multi-factor authentication rather than exposing them directly to the internet.
  • Maintain an offline backup of your systems, and test that you can restore from it.

Mitigation

If your systems have been affected by Ryuk, we recommend that you:

  • Isolate the infected computer from the network as soon as possible.
  • Check for any other infected computers in your environment; a Ryuk infection usually means Emotet or Trickbot is already present elsewhere on the network.
  • Re-image and patch the affected computer(s).
  • Change all credentials, especially local administrator and domain administrator passwords.
  • Notify everyone in your contact list and advise them not to open attachments in emails that appear to have come from you.
  • Review your mail and web filtering solutions.
  • Review your antivirus solution.
  • Enable PowerShell logging (script block and module logging) so that you can detect other infected computers.
  • Maintain an offline backup of your systems.
  • Segregate your network so that an infection in one segment cannot spread to the rest.
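The PowerShell below is added here as an example and is not CERT NZ's own code. It covers two of the controls from the lists above: the RDP step under Prevention (audit whether RDP is enabled, NLA is required and the firewall allows it in, and disable it where it is not needed) and the PowerShell logging step under Mitigation (turn on script block and module logging, then query the resulting log for loader-style activity). It also includes a host isolation helper for the first Mitigation step. It assumes Windows 8.1 / Server 2012 R2 or later, an elevated prompt, and that no Group Policy object already manages these settings (a GPO would overwrite the local registry values on the next refresh); the regular expression used to flag suspicious script blocks is a heuristic chosen for this example, not an official signature.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the CERT NZ advisory. Audits and applies the RDP
# and PowerShell-logging controls from the lists above, and queries the
# resulting log for loader-style activity.
# Assumptions: Windows 8.1 / Server 2012 R2 or later, run as an administrator,
# and no Group Policy object already manages these settings (a GPO would
# overwrite the local registry values written here on the next refresh).

$TsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$RdpTcp = "$TsKey\WinStations\RDP-Tcp"
$PsPol  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Get-RemoteAccessState {
    # fDenyTSConnections = 1 means RDP is off; UserAuthentication = 1 means
    # Network Level Authentication is required before a session is created.
    $deny = (Get-ItemProperty -Path $TsKey  -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    $nla  = (Get-ItemProperty -Path $RdpTcp -Name UserAuthentication  -ErrorAction SilentlyContinue).UserAuthentication
    $fw   = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
            Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' }
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        RdpEnabled   = ($deny -ne 1)
        NlaRequired  = ($nla -eq 1)
        FirewallOpen = [bool]$fw
    }
}

function Disable-RemoteDesktop {
    # Only for hosts that do not need RDP. Where it is needed, keep NLA on and
    # reach it through a VPN or gateway with MFA, not directly from the internet.
    New-ItemProperty -Path $TsKey -Name fDenyTSConnections -Value 1 -PropertyType DWord -Force | Out-Null
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
}

function Enable-PowerShellLogging {
    # Script block logging records the de-obfuscated text of every script block
    # as event 4104 in Microsoft-Windows-PowerShell/Operational; module logging
    # records pipeline execution (event 4103) for all modules ('*').
    New-Item -Path "$PsPol\ScriptBlockLogging" -Force | Out-Null
    New-ItemProperty -Path "$PsPol\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -PropertyType DWord -Force | Out-Null
    New-Item -Path "$PsPol\ModuleLogging\ModuleNames" -Force | Out-Null
    New-ItemProperty -Path "$PsPol\ModuleLogging" -Name EnableModuleLogging -Value 1 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path "$PsPol\ModuleLogging\ModuleNames" -Name '*' -Value '*' -PropertyType String -Force | Out-Null
}

function Find-SuspiciousScriptBlocks {
    param([int]$Days = 7)
    # Heuristic chosen for this example (not an official signature): loaders
    # such as Emotet and Trickbot typically run encoded or download-and-execute
    # one-liners. Every hit needs a human look; legitimate admin scripts match too.
    $pattern = 'FromBase64String|DownloadString|DownloadFile|Invoke-Expression|\bIEX\b|Net\.WebClient|Start-BitsTransfer|powershell[^\n]*?\s-e(nc|ncodedcommand)?\b'
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $pattern } |
    Select-Object TimeCreated,
        @{ n = 'Snippet'; e = { (($_.Message -split "`n")[1..3] -join ' ').Trim() } }
}

function Invoke-HostIsolation {
    # Mitigation step 1: take the host off the network. Run this at the console,
    # or only after you have collected what you need remotely, because it cuts
    # your own remote session too.
    Get-NetAdapter | Where-Object Status -eq 'Up' | Disable-NetAdapter -Confirm:$false
}

# Typical use:
Get-RemoteAccessState | Format-List
Enable-PowerShellLogging
Find-SuspiciousScriptBlocks -Days 7 | Format-Table -AutoSize -Wrap
# Disable-RemoteDesktop   # uncomment on hosts that do not need RDP
# Invoke-HostIsolation    # uncomment on a host that is showing Ryuk indicators
```

Enable logging before you start hunting, not after: script blocks that ran before the setting took effect were never recorded, so the first useful 4104 events will come from whatever the loader runs next. Forward the Microsoft-Windows-PowerShell/Operational log to a central collector as well, because an attacker with local administrator rights can clear it on the host.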

More information

You can read the US alert (CISA alert AA20-302A, Ransomware Activity Targeting the Healthcare and Public Health Sector) here: https://us-cert.cisa.gov/ncas/alerts/aa20-302a

If you think you might have been affected by Emotet please refer to CERT NZ’s Emotet advisory for further information.

If you require more information or further support, submit a report on our website or contact us on 0800 CERTNZ.

Report an incident to CERT NZ

For media enquiries, email our media desk at media@mbie.govt.nz or call the MBIE media team on 027 442 2141.