{"id":16502,"date":"2019-10-04T09:20:59","date_gmt":"2019-10-04T17:20:59","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2019\/10\/04\/news-10242\/"},"modified":"2019-10-04T09:20:59","modified_gmt":"2019-10-04T17:20:59","slug":"news-10242","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2019\/10\/04\/news-10242\/","title":{"rendered":"Rolling back Ryuk Ransomware"},"content":{"rendered":"<p><strong>Credit to Author: Sally Adam| Date: Fri, 04 Oct 2019 16:05:36 +0000<\/strong><\/p>\n<div class=\"entry-content\" width=\"100%\" height=\"420\">\n<p>In recent weeks SophosLabs has seen a significant spike in Ryuk ransomware. This particularly nasty threat is delivered via a sophisticated, multi-stage attack, paralyzing organizations and leaving them hostage to crippling ransoms.<\/p>\n<p>To understand how to stop Ryuk it\u2019s helpful to know how the attacks unfold.<\/p>\n<p>The actors behind Ryuk are active adversaries who combine advanced attack techniques with interactive, hands-on hacking to increase their rate of success.<\/p>\n<p>They typically target organizations that cannot withstand any downtime, such as newspapers, municipalities, and utilities, to increase the likelihood of payment. And speaking of payments \u2013 they\u2019re big. Often 6-figure sums payable in Bitcoin.<\/p>\n<p>Ryuk attacks are complex. They frequently start with an Emotet or TrickBot attack, delivered via malicious attachments in spam emails, which enables the cybercriminals to get on your network.<\/p>\n<p>Once there, they steal credentials and create a new admin user. 
With their escalated admin privileges in place, the hackers can move around your network, survey your Active Directory, and delete your backups.<\/p>\n<p>After removing your safety net they attempt to disable your cybersecurity products before finally releasing the Ryuk ransomware, encrypting your files and demanding huge ransom payments.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" data-attachment-id=\"60896\" data-permalink=\"https:\/\/news.sophos.com\/en-us\/2019\/10\/04\/rolling-back-ryuk-ransomware\/ryuk-ransomware-flowchart\/\" data-orig-file=\"https:\/\/sophos.files.wordpress.com\/2019\/10\/ryuk-ransomware-flowchart.png\" data-orig-size=\"1080,1080\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"Ryuk ransomware flowchart\" data-image-description=\"\" data-medium-file=\"https:\/\/sophos.files.wordpress.com\/2019\/10\/ryuk-ransomware-flowchart.png?w=300\" data-large-file=\"https:\/\/sophos.files.wordpress.com\/2019\/10\/ryuk-ransomware-flowchart.png?w=640\" class=\"aligncenter size-medium wp-image-60896\" src=\"https:\/\/sophos.files.wordpress.com\/2019\/10\/ryuk-ransomware-flowchart.png?w=300&#038;h=300\" alt=\"\" width=\"300\" height=\"300\" srcset=\"https:\/\/sophos.files.wordpress.com\/2019\/10\/ryuk-ransomware-flowchart.png?w=300&amp;h=300 300w, https:\/\/sophos.files.wordpress.com\/2019\/10\/ryuk-ransomware-flowchart.png?w=600&amp;h=600 600w, https:\/\/sophos.files.wordpress.com\/2019\/10\/ryuk-ransomware-flowchart.png?w=150&amp;h=150 150w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/p>\n<h2>Stopping Ryuk with Sophos Intercept X 
Advanced<\/h2>\n<p>Stopping Ryuk isn&#8217;t just about stopping one piece of software; it&#8217;s about stopping an active adversary and disrupting the attack chain that puts them in a position to run Ryuk. Sophos Intercept X Advanced includes a range of technologies to detect and disrupt different stages of the attack, including:<\/p>\n<ul>\n<li>Detecting and blocking the exploit techniques used to download and install Emotet and TrickBot (often via PowerShell or WMI), preventing the hackers from getting on your network.<\/li>\n<li>Blocking lateral movement across your network by working in real time with Sophos XG Firewall.<\/li>\n<li>Preventing credential theft, thereby stopping unauthorized access to your systems and the escalation of admin privileges.<\/li>\n<li>Stopping the ransomware from executing by examining its &#8220;DNA&#8221; with our deep learning neural network.<\/li>\n<li>Detecting and rolling back the unauthorized encryption of files via the CryptoGuard capabilities.<\/li>\n<\/ul>\n<p>Watch this video to see the CryptoGuard capabilities in Intercept X stop Ryuk dead.<\/p>\n<div class=\"embed-vimeo\"><iframe loading=\"lazy\" title=\"Sophos vs Ryuk\" src=\"https:\/\/player.vimeo.com\/video\/353881709?dnt=1&amp;app_id=122963\" width=\"100%\" height=\"420\" frameborder=\"0\" allow=\"autoplay; fullscreen\" allowfullscreen style=\"\"><\/iframe><\/div>\n<p>Take a <a href=\"https:\/\/secure2.sophos.com\/en-us\/products\/intercept-x\/free-trial.aspx?cmp=35794\">free trial of Intercept X<\/a> and get 30 days of free anti-ransomware protection.<\/p>\n<h3>Your dedicated team of threat hunters and response experts<\/h3>\n<p>While many strains of ransomware are distributed via large-scale spam campaigns, Ryuk uses automated means to gain an initial foothold, then employs human ingenuity to evade detection. 
In other words, there\u2019s a human behind the attack whose goal is to circumvent or manipulate your existing security controls.<\/p>\n<p>For active adversary attacks like these, having a dedicated team of threat hunters and response experts can make all the difference. The Sophos Managed Threat Response team proactively hunts, detects and responds to attacks in real time to neutralize ransomware and other advanced threats before they can compromise your data. Find out more about <a href=\"https:\/\/www.sophos.com\/en-us\/products\/managed-threat-response.aspx?cmp=35794\">Sophos MTR<\/a> today.<\/p>\n<h3>Best practices to stop ransomware<\/h3>\n<p>Whatever the size of your company and whatever industry you\u2019re in, we recommend you follow these best practices to minimize your risk of falling victim to a ransomware attack:<\/p>\n<ul>\n<li><strong>Educate your users.<\/strong> Teach them about the importance of strong passwords and roll out two-factor authentication wherever you can.<\/li>\n<li><strong>Protect access rights.<\/strong> Give user accounts and administrators only the access rights they need and nothing more.<\/li>\n<li><strong>Make regular backups \u2013 and keep them offsite where attackers can\u2019t find them.<\/strong> They could be your last line of defense against a six-figure ransom demand.<\/li>\n<li><strong>Patch early, patch often.<\/strong> Ransomware like WannaCry and NotPetya relied on unpatched vulnerabilities to spread around the globe.<\/li>\n<li><strong>Lock down your RDP.<\/strong> Turn off RDP if you don\u2019t need it, and use rate limiting, 2FA or a VPN if you do.<\/li>\n<li><strong>Ensure tamper protection is enabled.<\/strong> Ryuk and other ransomware attempt to disable your endpoint protection. 
Tamper protection is designed to prevent this from happening.<\/li>\n<li><strong>Educate your team on phishing.<\/strong> Phishing is one of the main delivery mechanisms for ransomware.<\/li>\n<li><strong>Use anti-ransomware protection.<\/strong> Sophos Intercept X and XG Firewall are designed to work hand in hand to combat ransomware and its effects. Sophos Managed Threat Response (MTR) provides a team of threat hunters who proactively hunt, detect and neutralize attacks that require human intervention.<\/li>\n<\/ul><\/div>\n<p><a href=\"http:\/\/feedproxy.google.com\/~r\/sophos\/dgdY\/~3\/ZjaJQGFRg2A\/\" target=\"bwo\" >http:\/\/feeds.feedburner.com\/sophos\/dgdY<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/sophos.files.wordpress.com\/2019\/10\/shutterstock_597956924.jpg\"\/><\/p>\n<p><strong>Credit to Author: Sally Adam | Date: Fri, 04 Oct 2019 16:05:36 +0000<\/strong><\/p>\n<p>To understand how to stop Ryuk ransomware we look at how the attacks unfold.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10377],"tags":[10379,3765,12980,20562],"class_list":["post-16502","post","type-post","status-publish","format-standard","hentry","category-security","category-sophos","tag-corporate","tag-ransomware","tag-ransomwares","tag-ryuk-ransomware"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/16502","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=16502"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/16502\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=16502"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=16502"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=16502"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}