An article published by ZDNet revealed how Ryuk ransomware got a free run into a biomolecular facility in Europe after a student went on a hunt for a free version of a data visualization software.

History of Ryuk Ransomware

As per an article by CSO Online, Ryuk came up to the scene back in 2018. However, it is believed that Ryuk is based on older ransomware called Hermes. In 2017, Hermes was used by the North Korean cyber criminal group Lazarus which infected the Taiwanese Far Eastern International Bank (FEIB)

It was initially believed that Hermes and Ryuk were creations of Lazarus. However, cyber researchers later came to the conclusion that Ryuk was the work of a Russian cyber criminal group, who must have got access to the Hermes ransomware program like Lazarus did.

Take a Moment to Stay Tuned Forever

Subscribe to get weekly cyber security updates!

 

So What Happened in this Recent Case?

  • In this particular case, a student at the biomolecular facility put out a post on a forum asking for the free version of the software as the paid licensed version would have cost hundreds of dollars per year. The student then eventually managed to find a cracked version of the software.

  • As the cracked version of the software had the trial expiration dates and the software license removed, the antivirus software raised red flags. However, the student disabled the Windows Defender and their firewall.

  • As the student attempted to launch the software, the executable file loaded a Trojan that was able to fetch the student’s access credentials into the facility’s network. A point worth mentioning here is that the biomolecular facility allowed students to use their personal devices for work. This is a cyber security blunder if looked at in hindsight.

  • 13 days after the execution of the cracked version of the software by the student, a Remote Desktop Protocol (RDP) connection was registered by the institute. This was done by using the student’s access credentials. This RDP was registered under the name of an anime character from a 1988 film named ‘Totoro’.

  • A Rapid Response investigation team was able to discover the malicious connection after finding a Russian language printer driver that the RDP connection involved. It is being suspected that access to the institute’s network has also been sold by the threat group.

  • The deployment of Ryuk on the institute’s network cost them a week of research data as backups were not up to date. Furthermore, the system and server files had to be built from scratch for the institute to start working normally again.

Turn Your Employees Into A Cyber Threat Shield

Make your employees proactive against prevailing cyber attacks with ThreatCop!

About The Author

Leave a comment

Your email address will not be published. Required fields are marked *