The Fast-growing Ryuk Ransomware
One of the fastest growing cyberthreats this past year is the “Ryuk” ransomware. Variants of this specific malware have become so pervasive and widespread that the US FBI, the Canadian Centre for Cyber Security and the UK National Cyber Security Centre (NCSC) all released strong Ryuk-targeted security advisories. A new variant seen early this month has been enhanced to employ Wake-on-LAN to target systems in standby or sleep modes!
According to Crowdstrike, Ryuk (thought to be named after a demon character in the Japanese manga/anime “Death Note”) is operated by GRIM SPIDER, an offshoot cell of the Russian threat group WIZARD SPIDER. Last year, Ryuk globally targeted local/regional governments, healthcare and education, organizations that had an incentive to pay ransoms because they could not afford downtime of critical legacy systems. The poster child for this is the city of Baltimore, Maryland, US; after being attacked, the city chose not to pay a bitcoin ransom equivalent to US$76,000. This decision will ultimately cost the city over US$18.2 million to recover from the attack. Much of that is loss of revenue due to crippled city offices and the inability to provide services such as the completion of real estate transactions.
There has been much written on the origin and technical analysis of Ryuk. ZScaler published a blogpost that includes lists of services and processes (including some NGAV products) disabled by the ransomware. More interesting is the cultural and financial impact of Ryuk.
Ryuk Ransomware and Cyber Insurance
It can be argued that Ryuk has quickly altered how enterprises and cyber insurance companies deal with ransomware.
This year has seen a shift in cyber-attack tactics, aptly named “big game hunting”: attacking commercial organizations (typically with an annual revenue between $500 million and $1 billion) that also have a strong incentive to pay ransoms, not because of the impact to systems, but because the impact to revenue and ancillary costs would be exponentially higher (as seen with the city of Baltimore). Worldwide, over 100 companies to date have been infected by Ryuk, with more each week. eCriminals have developed a business model that calculates ransom demands based on the size and value of the business, the ability of the business to pay, and whether the business has cyber insurance.
At the end of 2018, the average ransom was US$6,700. During 1Q 2019, ransoms increased 90%, and tripled from there by the end of 2Q 2019. For Ryuk ransomware, Crowdstrike reports “the lowest observed ransom was for 1.7 BTC and the highest was for 99 BTC,” with projections that the total haul, as of this writing, was US$3.7 million.
Cyber-insurance companies are seeing an increase in payouts to companies hit by Ryuk, with costs ranging from $200,000 for smaller or mid-sized businesses to $2 million for larger organizations, and the ransom business has been ramping up since Q2 of 2019, with claims submitted to insurance companies doubling, and sometimes tripling.
“We’ve seen an unprecedented amount of ransomware attacks in 2019,” said University of Cambridge Centre for Risk Studies Sr. Researcher Eireanne Leverett. Malwarebytes reported a 365% increase in the number of ransomware attacks they saw in 2018, and the trend has continued into 2019, with Ryuk just the latest strain to hit hard.
Statistics show that not only is the cyber insurance industry growing, it is very lucrative. In 2018, cyber insurers collected US$2.03 billion in premiums, up 10% from 2017. What is more significant is that the loss ratio (the percentage of premiums returned in claims) was 35.4%. So, for every dollar collected in premiums, the insurer paid back 35 cents in claims. That sounds like a lot, but the loss ratio for the entire insurance industry is 62%, almost twice as high. Even with the increase in cyber insurance ransom claims, the industry continues to be very profitable.
Cyber insurers have accepted that it is easier and less expensive to pay the ransom and retain business continuity than to let the organization try to repair the damage internally. But this has created a vicious cycle that incentivizes more ransomware attacks.
Attackers know insurance companies will pay, and pay a lot. Since an upper limit has not been reached, ransom amounts keep increasing. Worse, companies often disclose that they have cyber insurance, guaranteeing they will become targets. To further compound matters, some regulatory bodies may require public companies to disclose when breaches occur, further identifying potential or repeat targets.
As payouts increase, insurance companies are taking steps to better qualify payouts by including very specific exclusions in the policies they issue. These exclusions will limit or forgo payment if the insured is found to lack due-diligence measures such as:
- A properly documented incident response policy covering ransomware attacks
- Security protections to identify phishing or malware attachments in emails
- A properly deployed and managed anti-virus/anti-malware solution
- Security operations to detect and alert on Advanced Persistent Threats (APT) or malware breach
These and other exclusions will become more prevalent as the insurer’s cyber loss ratio increases.
How Sangfor can help
It’s very important to have the right security strategies and technologies in place to prevent intrusion from Ryuk and other APTs. Sangfor has long been a leader in developing technologies and processes for combating zero-day malware, new and unknown APTs, and other cyber-attacks. Sangfor’s Next Generation Firewall, Endpoint Secure and AI-powered anti-malware engine are key elements in the fight against ransomware; combined, they create a security solution that lets you easily manage and protect your enterprise assets and endpoints. Sangfor Far Sight Labs develops and provides global threat intelligence to apprise customers of global cyber threats as they surface. And Sangfor’s Global Incident Response Team has helped customers recover from ransomware attacks with a very high success rate.
About Sangfor
Founded in 2000 and a publicly traded company as of 2018 (SANGFOR STOCK CODE: 300454 (CH)), Sangfor Technologies is an APAC-based, globally leading vendor of IT infrastructure solutions specializing in Network Security and Cloud Computing. Visit us at www.sangfor.com to learn more about your internet security options, benefits and functions, and to make your IT simpler, more secure and more valuable.