Ryuk Ransomware: Now with Worming Self-Propagation
2021-03-02 16:54

A new version of the Ryuk ransomware is capable of worm-like self-propagation within a local network, researchers have found.

The fresh version of Ryuk also reads through infected devices' Address Resolution Protocol tables, which store the IP addresses and MAC addresses of any network devices that the machines communicate with.

As for avoiding infection, Ryuk ransomware is usually loaded by an initial "dropper" malware that acts as the tip of the spear in any attack; these droppers include Emotet, TrickBot, Qakbot and Zloader, among others.

The Ryuk ransomware was first observed in 2018, as a variant of the Hermes 2.1 ransomware.

"The appearance of Ryuk could be a result of the acquisition of the Hermes 2.1 source code by another attacker group, which may have developed Ryuk from this starting point."

Deloitte researchers have theorized that Ryuk is sold as a toolkit to attacker groups, which use it to develop their own "flavors" of the ransomware.


News URL

https://threatpost.com/ryuk-ransomware-worming-self-propagation/164412/