Why Your AV Won’t Stop Ryuk Ransomware

I have been blogging about ransomware for a long time now, given its devastating impact on small to mid-sized enterprises. Lately, however, there have been signs that people are finally being forced to pay attention. For instance, the FBI issued a warning regarding ransomware last month (and again last week), and a resurgence of last year's ransomware is causing hospitals across the globe to turn away patients. Since organizations are still being afflicted by Ryuk, I have to delve deeper into this particular ransomware attack. I answer common questions such as how companies are infected and why it is so difficult to address once they are. I separate the common misconceptions about Ryuk from the way it actually works against your defenses, such as anti-virus, “next-gen” anti-virus, and more.

If you have been infected by Ryuk or other ransomware, or have paid a ransom in the past as a result of ransomware, IntelliGO can help – reach out to us here.


How does Ryuk get on my system(s)?

What people think happens: The Ransomware is downloaded from an email attachment or is included in the body of the email itself as an image.

What actually happens: A user clicks on an email, which downloads a Trojan (Trickbot or Emotet) that eventually gives the attacker “command and control” of your machine(s); this is what allows the actual ransomware to be downloaded later in the process. But first, the malware steals credentials and sends them back to the attacker, then spreads internally to other machines over SMBv1 (the protocol Windows uses for file sharing and printing on networks; it is almost always still in use in enterprises that share print resources on a given floor or department). It then gives the attacker remote control of the system. The problem is getting rid (Read more...)
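Because the lateral spread described above rides on SMBv1, the first defensive check a practitioner will want is whether SMBv1 is still accepted on their hosts and who is actually using it. The following PowerShell script is an added example and is not code from the IntelliGO post; it uses the standard SmbShare cmdlets (Get-SmbServerConfiguration, Set-SmbServerConfiguration, Get-SmbSession) and the DISM optional-feature cmdlets, and the `-Remediate` switch is a name chosen here for illustration. It must run in an elevated session on Windows 8.1 / Server 2012 R2 or later.

```powershell
# Added example (not from the original post): audit SMBv1 exposure on a Windows host and,
# only when -Remediate is given and nothing is still using the protocol, switch it off.
param(
    [switch]$Remediate   # hypothetical switch: change configuration only when set
)

function Get-Smb1Status {
    # Server-side switch that governs whether this host accepts SMBv1 connections at all.
    $server = Get-SmbServerConfiguration
    # Optional-feature state covers the SMBv1 driver and binaries (client side included).
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    # Live sessions that negotiated a 1.x dialect are the peers (old printers, legacy hosts)
    # that still depend on SMBv1 and would break if it were removed blindly.
    $legacySessions = Get-SmbSession -ErrorAction SilentlyContinue | Where-Object { $_.Dialect -like '1.*' }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        Smb1ServerEnabled  = $server.EnableSMB1Protocol
        Smb1AuditEnabled   = $server.AuditSmb1Access
        Smb1FeatureState   = if ($feature) { $feature.State } else { 'NotPresent' }
        ActiveSmb1Sessions = @($legacySessions).Count
        Smb1Clients        = @($legacySessions | Select-Object -ExpandProperty ClientComputerName -Unique)
    }
}

$status = Get-Smb1Status
$status | Format-List

if ($status.Smb1ServerEnabled -and -not $status.Smb1AuditEnabled) {
    # Turn on SMBv1 access auditing before anything else: each SMBv1 connection is then
    # recorded in the Microsoft-Windows-SMBServer/Audit log (event ID 3000), which tells you
    # which devices still need the protocol before it is disabled.
    Set-SmbServerConfiguration -AuditSmb1Access $true -Force
    Write-Warning "SMBv1 is enabled; auditing turned on. Review the SMBServer/Audit log before disabling."
}

if ($Remediate) {
    if ($status.ActiveSmb1Sessions -gt 0) {
        Write-Warning ("Refusing to disable SMBv1: {0} live SMBv1 session(s) from {1}." -f
            $status.ActiveSmb1Sessions, ($status.Smb1Clients -join ', '))
        return
    }
    # Stop accepting SMBv1 immediately, then remove the component (completes after a reboot).
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    if ($status.Smb1FeatureState -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
    Write-Output "SMBv1 disabled on $($status.ComputerName); reboot to finish removing the feature."
}
```

Run it once without `-Remediate` to get the status report and enable auditing, watch the SMBServer/Audit log for a few days to find the print servers and legacy devices the post mentions, and only then run it with `-Remediate`. The refusal when live 1.x sessions exist is deliberate: removing SMBv1 from under a department's shared printer is how these hardening efforts get rolled back.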

*** This is a Security Bloggers Network syndicated blog from IntelliGO MDR Blog authored by Adam Mansour. Read the original post at: