[1][2] The criminal group known as Ryuk seeks primarily to extort ransom payments to decrypt the data that its malware has encrypted and as a result rendered useless.
[3] In the UK, the National Cyber Security Centre notes that Ryuk uses Trickbot computer malware to install itself, once access is gained to a network's servers.
Loaders start the infection chain by distributing the payload; they deploy and execute the backdoor from the command and control server and install it on the victim’s machine.
Once Ryuk takes control of a system, it encrypts the stored data, making it impossible for users to access unless a ransom is paid by the victim in untraceable bitcoin.
In many cases, days or weeks may elapse between the time hackers initially gain access to a system and the time the massive encryption occurs, as the criminals penetrate deeper into the network to inflict maximum damage.
[14] Between 2019 and 2020, U.S. hospitals in California, New York, and Oregon, as well as hospitals in the UK and Germany, were affected by Ryuk malware, resulting in difficulties with accessing patient records and even impairing critical care.
[16][17] In the U.S., a joint statement was issued on October 29, 2020, by three Federal government agencies, the FBI, CISA, and the Department of Health and Human Services, warning that hospitals should anticipate an "'increased and imminent' wave of ransomware cyberattacks that could compromise patient care and expose personal information", likely from Ryuk attacks.
[16] More than a dozen U.S. hospitals were hit by Ryuk attacks in late 2020, shutting down access to patient records and even disrupting chemotherapy treatments for cancer sufferers.
[20] Online education provider Stride, Inc. was attacked by Ryuk ransomware criminals in November 2020, rendering some of K12's records inaccessible and leading to the threatened release of students' personal information.
[21] The large Baltimore County Public Schools system in Maryland, serving 115,000 students and having a budget of $1.5 billion, had to suspend all classes after problems were experienced with its computer network beginning on November 24, 2020, reportedly due to Ryuk.
[23][24] Avi Rubin, Technical Director of the Information Security Institute at Johns Hopkins University, said the auditors' discovery of "computers that were running on the internal network with no intrusion detection capabilities" was of particular concern.
[26][27] In early 2021, a new strain of the Ryuk ransomware was discovered that features worm-like capabilities, which can allow it to self-propagate and be distributed to other devices on the local database it is infiltrating.