Increase in Ryuk ransomware attacks
CERT NZ is aware of a spike in Ryuk ransomware attacks in the United States. The attacks are encrypting the systems of numerous organisations in the health care sector and demanding ransoms, averaging over USD$100,000, to be paid in bitcoin for the decryption of information.
While this campaign is currently affecting United States based organisations, CERT NZ is encouraging New Zealand organisations to make sure they have the protections in place to help protect against an attack.
Systems affected: Computers, networks and servers that have been infected with Emotet or Trickbot.
What this means
CERT NZ understands that there are three ways the majority of Ryuk ransomware attacks occur:
- Through a previous Emotet or Trickbot infection.
- Through email attachments that deploy Ryuk ransomware directly.
- Through RDP access, which lets an attacker install and execute Ryuk directly on the target machine or the wider network.
What to look for
How to tell if you're at risk
Currently Ryuk is affecting international organisations in the health care sector; however, anyone can be targeted by Ryuk, including individuals, businesses and large organisations.
How to tell if you're affected
The impacts of Ryuk are immediate. If you are affected:
- You will not be able to access any of the files on your computer.
- There will be a new file on your desktop titled ‘RyukReadMe.txt’ or similar, containing the ransom demands.
What to do
As there are multiple ways a Ryuk ransomware infection can occur, CERT NZ recommends you take the following measures:
- Make sure you have an anti-virus solution installed and kept up to date with detection signatures.
- Run an email-filtering solution to quarantine or reject suspicious attachments.
- Mandate the use of strong, unique passwords.
- Implement multi-factor authentication for account access where possible.
- Implement application whitelisting.
- Keep systems up-to-date with patches.
- Disable any unnecessary remote access capabilities (such as RDP).
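As an added example (not CERT NZ's own material), the following PowerShell script shows how two of the measures above look in practice on a Windows host: disabling Remote Desktop at both the service and firewall level, and refreshing anti-virus signatures and reporting their age. It assumes an elevated session, the built-in Windows Defender cmdlets, and the standard Terminal Server registry path and "Remote Desktop" firewall rule group; the function names are this example's own.

```powershell
# Added example, not from the CERT NZ advisory. Run as Administrator on each
# host that does not need Remote Desktop. Registry path and rule group names
# are the standard Windows ones; function names are this example's own.
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

function Disable-RdpAccess {
    # fDenyTSConnections = 1 makes the Terminal Services service refuse RDP logons.
    Set-ItemProperty -Path $rdpKey -Name 'fDenyTSConnections' -Value 1 -Type DWord
    # Also close the firewall so TCP 3389 is unreachable even if the setting is
    # later flipped back by a local administrator or a script.
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
}

function Test-RdpDisabled {
    # Report whether both layers agree that RDP is off, so the check can be
    # collected centrally and compared across hosts.
    $deny = (Get-ItemProperty -Path $rdpKey -Name 'fDenyTSConnections').fDenyTSConnections
    $openRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' }
    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        RdpDenied      = ($deny -eq 1)
        InboundRulesOn = @($openRules).Count
        Compliant      = ($deny -eq 1) -and (@($openRules).Count -eq 0)
    }
}

function Update-AvSignatures {
    # Pull the latest Defender signatures and show how old the installed set is;
    # a large age here means the "kept up to date" requirement is not being met.
    Update-MpSignature
    $status = Get-MpComputerStatus
    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        SignatureVersion    = $status.AntivirusSignatureVersion
        SignatureAgeInDays  = $status.AntivirusSignatureAge
        RealTimeProtection  = $status.RealTimeProtectionEnabled
    }
}

Disable-RdpAccess
Test-RdpDisabled   | Format-Table -AutoSize
Update-AvSignatures | Format-Table -AutoSize
```

Where RDP genuinely is required (for example on a jump host), keep the firewall rule scoped to the management network and put the account behind multi-factor authentication rather than leaving the port open to all addresses.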
If your system has been affected by Ryuk, we recommend that you:
- Isolate the infected computer as soon as possible.
- Check for any other infected computers in your environment.
- Re-image and patch the computer(s).
- Change all credentials, especially local admin and domain admin passwords.
- Notify everyone in your contact list and advise them not to open any attachments in emails that appear to have come from you.
- Review your mail and web filtering solutions.
- Review your antivirus solution.
- Enable PowerShell command logging to help you detect infected computers.
- Maintain an offline backup of your systems.
- Implement network segregation.
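As an added example (not CERT NZ's own material), the following PowerShell script carries out two of the response steps above across a fleet: it turns on PowerShell script block and module logging on each host, and it searches every fixed drive for the ‘RyukReadMe.txt’ (or similar) ransom note so that other infected computers can be found and isolated. It assumes PowerShell remoting (WinRM) is already enabled and that the session has administrator rights on the targets; the host names in $hosts are constructed sample values, and the registry values used match the Windows Group Policy settings "Turn on PowerShell Script Block Logging" and "Turn on Module Logging".

```powershell
# Added example, not from the CERT NZ advisory. Requires WinRM and admin rights
# on the target hosts. $hosts is a constructed sample list; replace it with your
# own inventory.
$hosts = @('WS-FINANCE-01', 'WS-HR-02', 'SRV-FILE-01')

# Script block logging writes the text of every script PowerShell executes to
# Event ID 4104 in Microsoft-Windows-PowerShell/Operational, which is where the
# one-liners used by loaders such as Emotet and Trickbot become visible.
$enableLogging = {
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    New-Item -Path "$base\ScriptBlockLogging" -Force | Out-Null
    Set-ItemProperty -Path "$base\ScriptBlockLogging" -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord
    New-Item -Path "$base\ModuleLogging\ModuleNames" -Force | Out-Null
    Set-ItemProperty -Path "$base\ModuleLogging" -Name 'EnableModuleLogging' -Value 1 -Type DWord
    # '*' logs pipeline activity for every module, not just a named subset.
    Set-ItemProperty -Path "$base\ModuleLogging\ModuleNames" -Name '*' -Value '*'
    "$env:COMPUTERNAME: PowerShell logging enabled"
}

# Look for the ransom note on every fixed drive (DriveType 3). The filter
# 'RyukReadMe*' also catches variants such as RyukReadMe.html.
$findNotes = {
    $drives = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 3' |
        Select-Object -ExpandProperty DeviceID
    $hits = foreach ($d in $drives) {
        Get-ChildItem -Path "$d\" -Recurse -Force -File -Filter 'RyukReadMe*' -ErrorAction SilentlyContinue |
            Select-Object -First 20
    }
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        RansomNotes  = @($hits | ForEach-Object { $_.FullName })
        Infected     = (@($hits).Count -gt 0)
    }
}

# Run the note search first: a host that is already encrypted needs isolating
# before anything else is done to it.
$results = Invoke-Command -ComputerName $hosts -ScriptBlock $findNotes -ErrorAction Continue
foreach ($r in $results) {
    if ($r.Infected) {
        Write-Warning "$($r.ComputerName): ransom note found at $($r.RansomNotes[0]) - isolate this host now"
    } else {
        Write-Host "$($r.ComputerName): no ransom note found"
    }
}

# Then turn on logging on the remaining hosts so later activity is recorded.
$clean = @($results | Where-Object { -not $_.Infected } | ForEach-Object { $_.ComputerName })
if ($clean.Count -gt 0) {
    Invoke-Command -ComputerName $clean -ScriptBlock $enableLogging -ErrorAction Continue
}
```

The absence of a ransom note does not prove a host is clean, since Emotet and Trickbot can be present long before Ryuk is deployed, so treat this as a triage pass that decides which machines to isolate first, not as a substitute for re-imaging and credential changes.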
You can read the US alert here: https://us-cert.cisa.gov/ncas/alerts/aa20-302a
If you think you might have been affected by Emotet please refer to CERT NZ’s Emotet advisory for further information.
If you require more information or further support, submit a report on our website or contact us on 0800 CERTNZ.
For media enquiries, email our media desk at firstname.lastname@example.org or call the MBIE media team on 027 442 2141.