MDR Case Study: Ryuk Ransomware

Post by
Net Friends

The Security Operations Center at Net Friends regularly assesses various forms of malicious software and known attack methods. This helps improve their detection skills and improve defensive and response measures. One of our company values is Sharing Knowledge, which is why an explainer like this will help other small and mid-sized businesses design their own strategies to protect against, and respond to, ransomware like Ryuk.

What is Ryuk?

The security vendor Malwarebytes writes that “Ryuk is one of the first ransomware families to include the ability to identify and encrypt network drives and resources, as well as delete shadow copies on the endpoint. This means the attackers can then disable Windows System Restore for users, making it impossible to recover from an attack without external backups.”

The Center for Internet Security notes that “Ryuk is primarily spread via other malware dropping it onto an existing infected system. Finding the ‘dropper’ on a system for analysis is difficult due to the fact that [Ryuk] deletes it after the initial execution… Following the execution of the main payload and the deletion of the dropper, the malware attempts to stop antivirus and antimalware related processes and services.”

Ryuk will make its way into your network via these primary delivery methods:

  • Via email attachment
  • In a Microsoft Word document
  • As a website link
  • Through a compromised workstation management agent (remember the Solarwinds attack?)

How to Prevent Cyber Attacks?

A successful prevention strategy must address all possible known vectors for the malware. Net Friends team of cybersecurity experts recommend a “defense in depth” strategy of multiple overlapping systems to protect against Ryuk.

For example, a defense in depth strategy should include:

  • Email security policy enhancements
  • Security software that scans all attachments and embedded links
  • DNS records, such as DKIM, that enhance email security
  • Regular security training  

Unfortunately, attackers keep innovating and finding new schemes to thwart preventive measures. What’s more, when your preventive measures fail, your organization must be ready to act to contain the malicious code within seconds. As a ransomware attack begins delivering its malicious payload, it will spread faster than humans can react. By the time a security analyst is investigating a suspicious log entry, Ryuk has already compromised multiple systems and is trying to exfiltrate data.

The only effective response strategy is automation. Network administrators must automate the process of detecting suspicious activity, matching it to a known attack pattern, and isolating the compromised systems or applications. This strategy is known as MDR: Managed Detection and Response.

How Can MDR Block Ryuk?

Companies using Managed Detection and Response to block Ryuk should look at four main tactics:

  1. Configure policies on firewalls that watch for IoCs (Indicators of Compromise) that signal when a Ryuk infection is in progress. For example, at the time of writing, Net Friends is tracking more than 29 IoCs related to Ryuk. If the firewall detects an IoC, it should shut the connection down, preventing Ryuk from contacting its “command and control” servers.
  1. Deploy EDR (Endpoint Detection & Response) agents on laptops and desktops. These agents continually look for suspicious patterns of computer activity that are the indirect evidence of infection by a new variant of Ryuk. If such a pattern is detected, isolate that endpoint from the network until your Security Operations Center can investigate.
  1. Coordinate tactics 1 and 2 using SOAR tools (Security Orchestration, Automation, and Response) that integrate into your network. Your SOAR platform should incorporate the latest updates on Ryuk gathered from sources like MITRE ATT&CK, Palo Alto’s Threat Assessment and FireEye’s Threat Research.
  1. Develop “playbooks” for a potential Ryuk attack to improve your response time and effectiveness. Verify your playbooks using Breach and Attack Simulation (BAS) software.

What’s the Next Step?

If you want more information on MDR, or are considering ways to implement MDR as part of your broader security strategy, please contact Net Friends. When you enroll in MDR services with Net Friends, you can trust that no matter how an attack begins on your network, it will be stopped on our watch with unmatched speed and thoroughness. Our team of security analysts and experts, along with our top-tier tools and playbooks, are the most important protection your business needs to keep your data and reputation safe.

- MDR Case Study: Maze Ransomware
- Leakware: The New Ransomware Targeting Hospitals, Law Firms, and... You?
- How Our Passion for Cortex XDR Paid Off

At Net Friends, we believe in the power of human expertise. While we leverage AI to enhance our content and processes, all blog posts are written and edited by our knowledgeable staff. You can trust you are getting insights directly from our team.

Contact our IT
Support Center 24/7

Option 1: Call (919) 680-3763
Option 2: Email -
Option 3: Complete the form below
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

If your support issue requires immediate assistance, please call our office. Email & web form submissions are only reviewed during business hours.