Ryuk, one of the most prolific and resilient ransomware strains, has taken on new worm-like capabilities, according to security researchers.
The ransomware is operated by Russian cybercriminal syndicate Wizard Spider, and has been infecting victims for several years. It's been on the radar of several cybersecurity agencies, especially since its operators were ruthless enough to attack healthcare facilities in the middle of the Covid-19 pandemic.
Analyzing a new sample of the ransomware at the National Agency for the Security of Information Systems (ANSSI), France’s national cybersecurity agency, researchers discovered that Ryuk can now spread from one machine to another on its own.
Self-propagating ransomware
The ANSSI report notes that Ryuk has not previously been known to propagate automatically within the network. Also, while the French researchers haven’t seen Ryuk being offered for sale on the dark web, Deloitte researchers believe the ransomware is sold as a toolkit to attackers, which means there could be several variants in circulation.
In the report, ANSSI discusses a sample discovered during an incident response in early 2021, which exhibited previously absent worm-like capabilities. Using its newfound powers, the ransomware was seen to automatically spread and infect other machines in the network.
“Through the use of scheduled tasks, the malware propagates itself - machine to machine - within the Windows domain. Once launched, it will thus spread itself on every reachable machine on which Windows RPC accesses are possible,” explained the researchers.
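One way a defender could spot this kind of scheduled-task fan-out, added here as an example and not taken from the ANSSI report or the article: the code flags the same task command being registered on several hosts within a short window. The event fields, host names, paths, timestamps and thresholds are constructed placeholders.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: (time, host, command) as extracted from Windows Security
# Event ID 4698 ("A scheduled task was created"); the command is the Exec action
# in the event's task XML. Hosts, paths and times are placeholders, not
# indicators from the ANSSI report.
_RAW = [
    ("2021-02-01T09:00:05", "WS-01", "C:\\Tools\\backup.exe"),
    ("2021-02-02T09:00:05", "WS-02", "C:\\Tools\\backup.exe"),
    ("2021-02-03T09:00:05", "WS-03", "C:\\Tools\\backup.exe"),
    ("2021-02-01T10:14:02", "WS-02", "C:\\Users\\Public\\placeholder.exe"),
    ("2021-02-01T10:14:40", "WS-03", "C:\\Users\\Public\\PLACEHOLDER.exe"),
    ("2021-02-01T10:15:11", "WS-04", "C:\\Users\\Public\\placeholder.exe"),
    ("2021-02-01T10:16:03", "FS-01", "C:\\Users\\Public\\placeholder.exe"),
]
EVENTS = [{"time": t, "host": h, "command": c} for t, h, c in _RAW]


def find_task_fanout(events, min_hosts=3, window=timedelta(minutes=10)):
    """Alert when one task command is registered on at least min_hosts
    distinct hosts inside a sliding time window."""
    by_command = defaultdict(list)
    for ev in events:
        # Windows paths are case-insensitive, so compare them lowercased.
        when = datetime.fromisoformat(ev["time"])
        by_command[ev["command"].lower()].append((when, ev["host"]))

    alerts = []
    for command, seen in by_command.items():
        seen.sort()
        start = 0
        for end in range(len(seen)):
            # Shrink the window from the left until it spans <= `window`.
            while seen[end][0] - seen[start][0] > window:
                start += 1
            hosts = sorted({host for _, host in seen[start:end + 1]})
            if len(hosts) >= min_hosts:
                # Report once, at the moment the threshold is crossed.
                alerts.append({"command": command, "hosts": hosts,
                               "first_seen": seen[start][0].isoformat()})
                break
    return alerts


if __name__ == "__main__":
    for alert in find_task_fanout(EVENTS):
        print(alert)
```

Event ID 4698 is only logged when the "Audit Other Object Access Events" policy is enabled, and the thresholds need tuning against deployment tools that legitimately push one task to many machines.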
It’s not known whether the French cybersecurity agencies have shared details about the new strain with their counterparts in other countries.
However, Ryuk has previously been the subject of a joint advisory from CISA, the FBI and the Department of Health and Human Services, triggered by the attack on US hospitals last year.
Via Cyberscoop