Ryuk makes the case for a departure from the conventional approach of spotting flaws and fixing them afterwards
In the ever-evolving landscape of cybersecurity, a new threat has emerged as a significant concern for security researchers: the Ryuk ransomware. Since first appearing in 2018, Typhoon UNC1878, the group associated with the spread of Ryuk, has been causing havoc, particularly in healthcare organisations.
Recent alerts issued by federal agencies highlight this threat, with UNC1878 using phishing and spearphishing as its initial access methods. One of the group's tactics is impersonating legitimate companies to obtain code signing certificates, which are also used with Cobalt Strike, another tool the group relies on to map out environments and harvest passwords.
Ryuk's modus operandi involves bypassing detection mechanisms. Emails carrying Google Doc links, or attachments with a double extension, can slip through filters and lead to BazarLoader or BazarBackdoor being dropped onto a system, which serves as UNC1878's primary foothold.
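As an added illustration, not from the article or from any vendor's product, here is a small mail-gateway check in Python that flags the double-extension attachment trick described above while not tripping on legitimate compound extensions such as .tar.gz. The extension lists and the sample attachment names are constructed assumptions.

```python
import re

# Extensions Windows will execute or hand to a script host; a lure hides one
# of these behind a benign-looking decoy extension, e.g. "invoice.pdf.exe".
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "hta", "lnk", "msi", "ps1"}
# Legitimate compound extensions that must not be reported as double extensions.
LEGIT_COMPOUND = {("tar", "gz"), ("tar", "bz2"), ("tar", "xz")}
# Whitespace padding used to push the real extension out of view in a mail
# client ("report.pdf                    .exe") is collapsed before inspection.
_PAD = re.compile(r"\s+")


def classify_attachment(filename: str) -> tuple[str, str]:
    """Return (verdict, reason); verdict is 'allow', 'review' or 'block'."""
    name = _PAD.sub("", filename.lower())
    parts = [p for p in name.split(".") if p]  # drops empty parts from ".." or a trailing "."
    if len(parts) < 2:
        return "allow", "no extension"
    ext = parts[-1]
    if len(parts) == 2:
        if ext in EXECUTABLE_EXTS:
            return "block", f"executable extension .{ext}"
        return "allow", "single benign extension"
    prev = parts[-2]
    if (prev, ext) in LEGIT_COMPOUND:
        return "allow", f"known compound extension .{prev}.{ext}"
    if ext in EXECUTABLE_EXTS:
        return "block", f"double extension hides .{ext} behind .{prev}"
    return "review", f"unexpected double extension .{prev}.{ext}"


def scan_attachments(names):
    """Classify a batch of attachment names; returns {filename: (verdict, reason)}."""
    return {n: classify_attachment(n) for n in names}


# Constructed sample attachment names for the demonstration (not real samples).
SAMPLE_ATTACHMENTS = [
    "Invoice_Q3.pdf.exe",
    "Report.docx                    .scr",
    "meeting-notes.pdf",
    "backup.tar.gz",
    "shipping.xlsx.lnk",
    "photo.jpg.png",
    "README",
]

if __name__ == "__main__":
    for name, (verdict, reason) in scan_attachments(SAMPLE_ATTACHMENTS).items():
        print(f"{verdict:6} {name!r}: {reason}")
```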
The group's tactics underscore the importance of thinking like adversaries as a form of defense. Security organisations emphasise this approach, moving beyond the traditional "find a flaw, fix a flaw" mindset, and focusing on security controls rather than IT controls.
Organisations have a high number of unpatched vulnerabilities and are not likely to reach zero vulnerabilities soon. Therefore, it is crucial for them to move beyond penetration testing and threat intelligence testing and into red team testing, which simulates cyberattack scenarios so that they are better prepared for them.
Simulated phishing campaigns for employee awareness and deterrence fall short in ransomware prevention. The DHS's CISA recommends the "3-2-1" rule for backups: three copies of all critical data on at least two different types of media, one stored offline. This ensures that in the event of a ransomware attack, organisations can restore their data without succumbing to the ransom demand.
Ransomware has evolved to include data exfiltration, changing how companies respond to an attack. Now, not only is the immediate threat of data encryption a concern, but the potential for data theft adds a further layer of complexity.
The dwell time for Ryuk is shrinking, with about 20 organisations targeted per week, according to IBM. This commodity malware is accessible to anyone, making it a potent weapon in the hands of cybercriminals.
In conclusion, the threat of Ryuk and UNC1878 is a stark reminder for organisations to strengthen their cybersecurity defences and think like adversaries. By doing so, they can better prepare for and respond to these evolving threats.