Ryuk ransomware finds foothold in bio research institute through student who wouldn’t pay for software

Security researchers have provided insight into how a single student unwittingly became the conduit for a ransomware infection that cost a biomolecular institute a weeks’ worth of vital research. 

In a report due to be published on Thursday, Sophos described the case, in which the team was pulled in to neutralize an active cyberattack on a biomolecular facility in Europe. 

Sophos found that Ryuk ransomware had made its way onto the facility’s network, and set out to determine how the infection took place. 

Ryuk is a prolific form of malware that is constantly evolving. The Ryuk family, including new strains equipped with worm-like capabilities and the ability to self-propagate over networks, encrypts networks and files, locking victims out of their systems until a ransom payment is made. 

According to AdvIntel and HYAS, the operators behind Ryuk are estimated to have generated over $150 million in profit from their victims, with payments often made in Bitcoin (BTC). 

While the name of the biomolecular institute has not been disclosed, the European organization is involved in the life sciences and research related to COVID-19. The institute works closely with local universities and collaborates with students in some projects. 

It was a student, unfortunately, that proved to be the unwitting conduit for the Ryuk infection. 

The student was on the hunt for a free version of a data visualization software tool which would have cost them hundreds of dollars per year if licensed. After posting on a forum asking for a free alternative, the student eventually elected to find a cracked version instead. 

As cracked software — modified to remove elements such as trial expiration dates or the need for a license — is deemed suspicious, antivirus software will usually flag and block its execution. 

In this case, Windows Defender triggered, and so the student disabled the software as well as their firewall. 

However, instead of launching the software they wanted, the executable loaded a Trojan which was able to harvest the student’s access credentials to the biomolecular institute’s network.

In hindsight, in what was an unwise decision, the research institute allowed students to use their personal devices to access its network via remote Citrix sessions. 

13 days after the student executed the ‘cracked’ software, a remote desktop protocol (RDP) connection was registered by the institute, using the student’s credentials, under the name “Totoro,” — an anime character from a 1988 film. 

“A feature of RDP is that a connection also triggers the automatic installation of a printer driver, enabling users to print documents remotely,” Sophos says. “This allowed the Rapid Response investigation team to see that the registered RDP connection involved a Russian language printer driver and was likely to be a rogue connection.”

The team believes that access to the institute was sold on in an underground market, and the RDP connection may have been made in order to test access. 

It was 10 days after this connection was made that Ryuk was deployed on the network, costing the institute a week of research data as backups were not fully up-to-date. In addition, system and server files had to be “rebuilt from the ground up,” according to the researchers, before the institute could resume normal working activity. 

“This is a cautionary tale of how an end user’s security misjudgement can leave an organization exposed to attack when there are no solid security policies in place to contain the mistake,” commented Peter Mackenzie, manager of Rapid Response at Sophos. “In this instance, the target was at risk the moment the external user clicked the ‘install’ button for a cracked copy of a software tool that turned out to be pure malware. […] The underground market for previously compromised networks offering attackers easy initial access is thriving, so we believe that the malware operators sold their access on to another attacker.”

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Access the original article
Subscribe
Don't miss the best news ! Subscribe to our free newsletter :