According to the recent incident response trend survey of the Cisco Talos Incident Response (CTIR) team, Ryuk is still the biggest threat, and it has dominated the ransomware threat field for four consecutive quarters.
The survey results show that Ryuk’s operators are changing their strategies to bring greater risks to organizations affected by the coronavirus epidemic.
The general manager of CTIR, Sean Mason said Ryuk has been the biggest ransomware threat to customers in the past year, although the team has also observed other ransomware families, including Phobos and Maze.
Mason explained that in the past few quarters, Ryuk’s way of development shows that its operators are changing their attack strategy. “We do see an emerging trend in Ryuk, where it is not necessarily preceded by a commodity Trojan infection, which may allow it to go undetected for some time and lead to the increased infections we are seeing.”
Ryuk is also “evolving” in other features, such as downloading the initial payload using coded PowerShell commands, disabling antivirus and security tools, stopping backups, and scanning the network to provide a list of online and offline hosts. In addition to PsExec, Ryuk operators also use Windows Management Instrumentation (WMI) and BitsAdmin to deploy Ryuk. CTIR sees ransomware attackers starting to steal sensitive data as a means of forcing victims to pay the ransom, a trend that continues from 2019.