In one of their latest development, the operators of the malware have configured it to deploy a Trojan named ‘BazarLoader’ which is operated by the same threat group that is behind Trickbot. However, BazarLoader Trojan is equipped with advanced techniques to evade detection; the potential for long term infection in BazarLoader hints towards a change that the operators have brought in Ryuk’s plan of action.
Ryuk is well-planned and targeted ransomware that is being operated since 2018 by WIZARD SPIDER, a Russia-based operator of the TrickBot banking malware, and the criminals behind this ransomware largely focus on big companies in order to acquire an exorbitant amount in ransom.
After gaining access, Ryuk is programmed to permeate network servers as files are exchanged between systems. The malware is circulated via malicious email attachments and once it gathers all the important data from a given network, it lets the authors of Ryuk Ransomware acquire administrator credentials and gain access to the harvested data from the network, the malware does so by opening a shell back to the actors operating the threat.
It takes only 29 hours to successfully carry out a complete attack on the network it is targeting; the process entails the entire series of incidents beginning from the spam mail to the successful encryption of data, as per the findings of DFIR.
Threat actors behind ransomware attacks are rapidly evolving their attack vectors as the count of Ransomware attacks surge up to 365 percent over the past year. Owing to its ever-expanding operations, Ryuk made it to the notorious list of ransomware gangs having their own data leak websites wherein they release the data of companies who refuse to pay the demanded amount.
The malware is continually changing itself to become more and more sophisticated, leaving companies with no option but to pay the extortionate amounts. The threat has expanded its reach beyond just private organizations and has also been recorded to target National services’ computers.