Ryuk Ransomware Hits Canadian Businesses

By Dominic Chorafakis, P.Eng, CISSP – October 22, 2019

The Ryuk ransomware virus is back, and it's targeting Canadian businesses and industries. The virus first appeared in the summer of 2018 and then again in January of this year, with its victims largely in the UK and USA. Recently, however, hackers have set their sights on the Canadian market, hitting three Ontario hospitals and, most recently, a Toronto dental clinic, where the attacker encrypted the clinic's files and demanded $165,000 in ransom to restore access to them.

Ryuk is not limited to targeting a specific industry, and the number of Canadian businesses affected by such cyber attacks is increasing.

How Does It Work?

The initial Ryuk infection is most frequently caused by a spam email that contains a malicious attachment. Once the malware manages to install itself on a computer, it is able to bypass anti-virus detection and often remains hidden for months.

During that time, it collects information about the organization and uses Windows vulnerabilities and other tricks to spread to other computers. Once enough systems have been infected, a remote command is given that causes all files to be encrypted and a ransom note to be posted. With the files locked, Ryuk demands that the network owner pay a sum of money to make them accessible again.

What you need to know

Unlike other modern ransomware such as WannaCry, Ryuk's functionality goes beyond identifying and encrypting network drives: it can also delete shadow copies on the endpoint. By doing this, the attackers can disable the Windows System Restore option for users, making it impossible to recover from the attack without external backups.
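Shadow-copy deletion is one of the few steps in this chain that leaves a clear trace in process-creation logs. The sketch below is an added example, not code from the article or from any product it names; the rule set, the pipe-delimited log format and the sample events are assumptions constructed for illustration.

```python
import re

# Assumed detection set (not from the article): built-in Windows tools whose
# command lines delete or shrink Volume Shadow Copies.
RULES = [
    ("vssadmin delete shadows",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("vssadmin resize shadowstorage",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\s+shadowstorage\b", re.I)),
    ("wmic shadowcopy delete",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
]

# Constructed sample process-creation events: time|host|user|command line
SAMPLE_EVENTS = r"""
2019-10-21T02:14:07|FRONTDESK-01|svc_backup|C:\Windows\System32\vssadmin.exe list shadows
2019-10-21T02:31:44|FRONTDESK-01|SYSTEM|cmd.exe /c vssadmin Delete Shadows /all /quiet
2019-10-21T02:31:45|XRAY-WS-02|SYSTEM|vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=1GB
2019-10-21T02:31:50|XRAY-WS-02|SYSTEM|wmic.exe shadowcopy delete
truncated record with no field separators
2019-10-21T08:02:10|RECEPTION-03|jsmith|notepad.exe C:\notes\delete shadows todo.txt
"""

def parse_event(line):
    """Split one pipe-delimited record; return None if it is malformed."""
    parts = line.split("|", 3)  # maxsplit keeps any '|' inside the command line
    if len(parts) != 4:
        return None
    return dict(zip(("time", "host", "user", "cmdline"), (p.strip() for p in parts)))

def find_shadow_copy_tampering(log_text):
    """Return one alert per event whose command line matches a rule."""
    alerts = []
    for line in log_text.splitlines():
        event = parse_event(line)
        if event is None:
            continue  # skip blank or truncated records instead of crashing
        for rule_name, pattern in RULES:
            if pattern.search(event["cmdline"]):
                alerts.append({**event, "rule": rule_name})
                break
    return alerts

def hosts_to_isolate(alerts):
    """Distinct hosts with at least one alert, for triage."""
    return sorted({a["host"] for a in alerts})

if __name__ == "__main__":
    for alert in find_shadow_copy_tampering(SAMPLE_EVENTS):
        print(alert["time"], alert["host"], alert["rule"], "->", alert["cmdline"])
```

Legitimate backup or imaging tools can run the same utilities, so each alert still needs triage by user and parent process.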

For individual users or small businesses unaccustomed to backing up their data, this type of information loss could be devastating.

Many unsuspecting victims assume that paying the ransom fee will resolve the situation, unaware that there is no guarantee of getting back all, or any, of the stolen data. Paying often compounds the severity of the situation by adding financial victimization to the data loss.

So how do you protect your data?

  • Develop cyber smarts – Computer users should know how to spot phishing emails and should receive cyber awareness training.
  • Get the right tools – Although Ryuk can bypass anti-virus, it is possible to detect its activity on the network with monitored intrusion prevention systems like My Security Console. The right software combined with monitoring by cyber experts can prevent infection or cut it off before it spreads.
  • Have a backup plan – You just learned that paying the ransom doesn’t mean you’re out of the woods; in many cases infected files are damaged and not recoverable. Safe backups are the only reliable way of recovering your data should you become infected, so be sure to routinely back up your data!

Want to learn more about how to stay cyber safe?

Discover how you and your team can develop the skills needed to avoid becoming victims of ransomware attacks like Ryuk – take our free phishing training here.